Learning Web-Sec - Day 8 - Authentication Intro and Apprentice Labs

1 year ago 78

A Basic Introduction to Authentication Vulnerabilities

Authentication is the process of verifying that a person is who they claim to be. How is this done? It can rely on an object or passphrase that only you have access to.

There are many methods of authentication:

- Password Based Authentication
- One Time Password (OTP)
- Security Questions
- 2 Factor Authentication Applications like Authenticators
- Biometrics or Patterns of behavior
- and Many Others

All these types of authentication can be categorized into three factors:

- Something You Know
- Something You Have
- Something You Are

Authentication Vs Authorization

Authentication, as we discussed, is the process of verifying that a person is who they claim to be. Authorization, on the other hand, checks whether a person/user is allowed to perform certain actions.

In this blog, we’ll be exploiting these vulnerabilities.

Lab 1 — Username enumeration via different responses

Level: Apprentice

Description of Lab:

This lab is vulnerable to username enumeration and password brute-force attacks. It has an account with a predictable username and password, which can be found in the following wordlists:

Candidate usernames

Candidate passwords

To solve the lab, enumerate a valid username, brute-force this user’s password, then access their account page.

Our aim here is to find out the right username using brute force.

What is Brute Force?

Brute force means we will try all the different possible usernames from the username list provided to us. Let’s first intercept the request and then we’ll fuzz the usernames. The fuzzing we did in the SQL Injection labs is a brute-force method, i.e. trying all the different possible strings.

Here we have the request and we’ll fuzz all the possible usernames.

Now here’s a request that stands out from the other requests. And that’s what excites us.

In the request where the username is ‘an’, we can see “Incorrect password” in the response, which means the username is correct. So let’s now fuzz the passwords to log in as that user.

We got the password for the username ‘an’. Let’s now log into the account.

And the lab is solved. We hacked our first vulnerable login page.

Brute-forcing a login page with usernames and passwords is not ideal. But if the response is different when the username is correct, it might be considered a vulnerability, as we can enumerate the login page for usernames.
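The root cause of this lab's flaw, seen from the server side, as an added example that is not part of the original post or the lab's code: a login handler whose error text depends on which check failed, next to a hardened one that returns the same response and does the same hashing work for unknown and known usernames. The user store, the account 'alice', the "Invalid username" message, and the function names are assumptions made for illustration.

```python
import hashlib, hmac, os

ITERATIONS = 50_000  # constructed value for the demo; tune for production

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}

# Constructed user store; 'alice' and her password are sample values.
USERS = {"alice": make_user("correct horse battery staple")}

# Dummy record so unknown usernames still cost one full hash computation.
DUMMY = make_user(os.urandom(16).hex())

def login_vulnerable(username: str, password: str) -> tuple[int, str]:
    """Leaks account existence: the error text depends on which check failed."""
    user = USERS.get(username)
    if user is None:
        return 401, "Invalid username"
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
        return 401, "Incorrect password"
    return 200, "Welcome"

def login_hardened(username: str, password: str) -> tuple[int, str]:
    """Same status, body and hashing work whether or not the account exists."""
    user = USERS.get(username)
    record = user if user is not None else DUMMY
    candidate = hash_password(password, record["salt"])
    ok = hmac.compare_digest(candidate, record["hash"]) and user is not None
    if not ok:
        return 401, "Invalid username or password"
    return 200, "Welcome"

def responses_differ(login) -> bool:
    """Regression check: does a wrong password on a real account look
    different from a login attempt on an account that does not exist?"""
    return login("alice", "wrong") != login("no-such-user", "wrong")

if __name__ == "__main__":
    print("vulnerable leaks:", responses_differ(login_vulnerable))
    print("hardened leaks:", responses_differ(login_hardened))
```

A uniform response only removes the signal this lab relies on; rate limiting or lockout is still needed against the password brute force itself.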
