Authentication Bypass |
Overview Authentication Bypass is generally custom for each web application which possesses the vulnerability. However, there are some common abuse case patterns. Video Tutorials Discovery Methodology Attempt to discover if SQL injection is present as this vulnerability often allows authentication bypass. If possible aquire a standard user account and an administrator account from the client. Authenticate with both carefully noting any differences in the session tokens, cookies, and/or hidden fields. If the testing is black box, register for multiple user accounts carefully noting differences between the accounts after authentication. Exploitation (SQL Injection) Login Use SQL Injection to bypass authentication on the login page. See the SQL Injection hints or the SQL injection tutorial for help on SQL injection. This can be done using the name field to authenticate as the first user found in the user table.
Username: ' or 'a' = 'a' --
Password: whatever
To target a particular user, identify the user. (Note: This site is vulnerable to username disclosure.) Complete the "username" portion of the query with the target username then bypass the password portion of the query by creating a tautalogy or simply commenting out the password portion. Bypass password with a tautalogy
Username: jeremy
Password: ' or ('a' = 'a' and username='jeremy') or '
Comment out the password portion of the query
Username: jeremy' --
Password: whatever
Exploitation (Authentication Token Manipulation) Alter the values of any authentication and/or authorization tokens found such as those in cookies. This will work on any page post-authentication. Register for an account to explore how the site uses cookies. Gaining Access: Using insecure client-side authentication tokens Page: Any page Tool: Cookies Manager+ version 1.5.1 (verified with Firefox 4.0.1) Note what cookies the site has by default Create a test account Login using test account Check what cookies the site has after authentication Differential Analysis: Change the value of the original auth cookie Work backwards until admin account is found Exploitation (CBC bit flipping attack) Try bit flipping, oracle padding, and cbc bit flipping attacks on authentication and/or authorization tokens. View User Privileges Exploitation (Authentication Token Hijack) Use a cross site script attack to trick a lab partner into visiting the data capture page while authenticated. Use Cookie Manager Plus to create or edit cookies in order to become that user. Data Capture View Captured Data Exploitation (Browser Fingerprint Spoofing) On captive portal systems, spoofing an unsupported browser may bypass some controls User-Agent Impersonation Videos How to Create Wordlists from Web Sites using CEWL Brute Force Authentication using Burp-Intruder SQL Injection Explained - Part 8: Authentication Bypass Bypass Authentication via Authentication Token Manipulation Using Hydra to Brute Force Web Forms Based Authentication Analyze Session Token Randomness using Burp-Suite Sequencer Using Ettercap and SSLstrip to Capture Credentials Introduction to Password Cracking with John the Ripper |