Authentication vulnerabilities are weaknesses and flaws in the processes and mechanisms used to verify the identity of users or systems. Exploiting them allows an attacker to access critical data and features.

Lab: Username enumeration via different responses

[Information]

[Problem solving]

1. First, I accessed the lab and set up the proxy using Burp Suite. After that I entered arbitrary values in the login window.

I checked the HTTP history to see the captured requests. There was a record for the "/login" path, so I sent it to Intruder.

2. On the "Intruder" tab I placed the payload markers ($) only around the username value.

I copied the usernames from the username list, pasted them into the payload settings section, and started the attack.

In the results, the username "ak" had a different response length. Its response also contains the string "Incorrect password", which means that this is a valid username but the password is incorrect.

Conversely, the responses for the other usernames display the string "Invalid username", which means that the username is wrong.

I set the username to "ak" and placed the payload markers ($) only around the password value.

After that, I copied the passwords from the password list, pasted them into the payload settings section, and started the attack.

The results show that the status code and response length for the password "love" differ from those of the other passwords.

If you check the responses for the other passwords, you will see the string "Incorrect password". Therefore, "love" is the correct password.

3. I logged in with "ak" as the username and "love" as the password, and the lab was solved.

Lab: 2FA simple bypass

[Information]

[Problem solving]

1. I accessed the lab and opened the "My account" page. Then I logged in with the victim's credentials.

There was a "Back to lab home" button, so I clicked it and accessed the homepage.

2. I went back to the "My account" page and the lab was solved.

Lab: Password reset broken logic

[Information]

[Problem solving]

1. I accessed the lab, went to the "My account" page, and clicked the "Forgot password" link.

I entered my username in the form and submitted it.

To check the password reset link, I clicked the "Email client" button.

Then I followed the link.

Finally, I reset my password to "peter".

2. I used the Burp Suite proxy to view the logs of all requests. Among them, I found the "/forgot-password" request and sent it to Repeater.

You can check it in the Repeater tab.

I deleted all the tokens and changed the username from wiener to carlos. This means that you can log in with "username=carlos, password=peter" without a token. After that, I clicked the Send button.

I logged in with the username and password set up in the previous step.

The lab was solved.
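As an added illustration of the reset logic behind this lab (example code written for this writeup, not the lab's own implementation), the handler below contrasts the broken flow, where the token is never checked and the client-supplied username decides which account is changed, with a hardened version that derives the account only from a single-use, expiring token. The form field names, the in-memory stores and the accounts are assumptions.

```python
import secrets

TOKEN_TTL_SECONDS = 600  # constructed value for this example


def issue_reset_token(username, users, tokens, now):
    """Create a random, single-use, expiring token bound server-side to one
    account. Returns None for unknown users; the HTTP reply to the requester
    should look identical in both cases so usernames are not enumerable."""
    if username not in users:
        return None
    token = secrets.token_urlsafe(32)
    tokens[token] = (username, now + TOKEN_TTL_SECONDS)
    return token


def vulnerable_reset(form, users):
    """Broken logic as in the lab: the token is never consulted and the account
    that gets a new password is whatever 'username' the client submitted."""
    user = form.get("username")
    if user not in users:
        return False
    users[user] = form["new-password"]
    return True


def hardened_reset(form, users, tokens, now):
    """Fixed logic: the account comes only from the token; a client-supplied
    'username' field is ignored. The token is consumed on first use (even if
    the attempt then fails) and must not be expired."""
    token = form.get("temp-forgot-password-token", "")  # assumed field name
    entry = tokens.pop(token, None)
    if entry is None:
        return False
    username, expiry = entry
    if now > expiry:
        return False
    users[username] = form["new-password"]
    return True


if __name__ == "__main__":
    users = {"wiener": "peter", "carlos": "montoya"}  # constructed accounts
    tokens = {}
    tok = issue_reset_token("wiener", users, tokens, now=0.0)
    forged = {"username": "carlos", "temp-forgot-password-token": "", "new-password": "peter"}
    print("vulnerable changed carlos:", vulnerable_reset(forged, users))
    print("hardened without token:", hardened_reset(forged, users, tokens, now=1.0))
    with_token = dict(forged, **{"temp-forgot-password-token": tok})
    print("hardened with wiener's token:", hardened_reset(with_token, users, tokens, now=1.0))
    print("accounts now:", users)
```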
