
Friday, 8 January 2016

OWASP A2 Broken Authentication and Session Management

bypass authentication via cookies

Tools: Burp Suite
web app: mutillidae

To achieve this hack I do the following:

  • set up our proxy
  • register 2 brand new usernames, HelenC & SamF
  • log in as HelenC, then log out
  • log in as SamF, then log out
  • next (in Burp) under Proxy > HTTP history, pick out the 2 requests that authenticated both users (they have a response code of 302 AND the method is POST)
  • right click on the first POST message and select "send to comparer (request)"
  • right click on the second POST message and select "send to comparer (request)"

We want to compare the server responses when logging in as both users to see if there is any pattern we can detect. If there is a well defined pattern in the server's responses we might be able to exploit this to gain unauthenticated access to another user's data.

  • next click on the Comparer tab and select "words"

As you can see, Burp automatically compares the 2 server responses and highlights any changes. From this we can clearly see that the server first responded to the user HelenC with (amongst other things) the following header:

Set-Cookie: uid=24

For Sam this value has incremented by 1, therefore SamF received the following header:

Set-Cookie: uid=25


This tells me that the server (potentially) increments the value of the Set-Cookie: uid by 1 each time a user registers. Now I will attempt to exploit this behaviour by modifying the value of

Set-Cookie: uid=24

to

Set-Cookie: uid=1

Let's see what happens.

And it worked: we have successfully logged in as the admin simply by changing the value of

Set-Cookie: uid=

in the response from the server.

For this hack to work you must log in with a known good username & password (simply register one yourself).

**Please note there are other parameters that could be tampered with to achieve the same result, but this post is simply about tampering with

Set-Cookie: uid=

OWASP A1 Injection

sqli extract user info low security

web app: mutillidae
browser: iceweasel

In this post we will attempt to extract user data from a database using SQL injection.

To test for a SQLi vulnerability I simply add a single quote into the Name field. This results in information leakage which aids my attack and also exposes many other vulnerabilities; however, we are solely concerned with obtaining user info. Here's the error message:

This tells me the database is MySQL. It also, crucially, tells me the ACTUAL SQL query performed. This alone tells me that the parameter/field Name is likely vulnerable to SQL injection; now we simply need to complete the SQL statement to give us what we want.

So we add some more to our single quote. We add

OR 1=1

Now 1 is ALWAYS equal to 1, therefore we are making the statement true.

--

We don't have the password, therefore using -- comments out the password check, so now our full SQLi payload is

' OR 1=1 -- <space after comments>

To achieve this we simply type the SQL command in the Name field, and as shown in the video all USERNAMES & PASSWORDS have been retrieved.
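As an added example (not part of the original post or of Mutillidae's code), here is the shape of string-built query that makes the single quote and -- behave as described, beside its parameterized fix and a simple log-triage check. It runs against an in-memory SQLite table standing in for the app's MySQL database; the table, rows and function names are all constructed for illustration.

```python
import sqlite3

# Constructed sample data: not Mutillidae's real schema or accounts.
SAMPLE_ACCOUNTS = [("admin", "adminpass"), ("HelenC", "helen123"), ("SamF", "sam456")]
# The payload from the post; the trailing space matters for MySQL's "-- " comment.
PAYLOAD = "' OR 1=1 -- "


def make_db():
    """In-memory SQLite stand-in for the app's accounts table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    con.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return con


def login_vulnerable(con, name, password):
    """Vulnerable: the Name and Password fields are spliced into the SQL text.
    A quote in Name closes the string literal, so the rest of the field becomes
    SQL: OR 1=1 makes the WHERE clause true for every row and -- comments out
    the password check. A verbose error page that echoes this query is what
    hands the attacker the query shape to complete."""
    sql = ("SELECT username, password FROM accounts "
           f"WHERE username='{name}' AND password='{password}'")
    return con.execute(sql).fetchall()


def login_fixed(con, name, password):
    """Fixed: placeholders pass the values to the driver separately from the
    statement, so quotes and comment markers stay plain data."""
    sql = "SELECT username, password FROM accounts WHERE username=? AND password=?"
    return con.execute(sql, (name, password)).fetchall()


def login_field_suspicious(value):
    """Triage signal for request logs: a quote together with an always-true
    comparison or a SQL comment marker in a login field. Useful for spotting
    the single-quote probing described above; it is not a fix."""
    v = value.lower()
    return "'" in v and ("1=1" in v.replace(" ", "") or "--" in v)


if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", login_vulnerable(con, PAYLOAD, "anything"))  # all 3 rows
    print("fixed:     ", login_fixed(con, PAYLOAD, "anything"))       # []
    print("flagged:   ", login_field_suspicious(PAYLOAD))             # True
```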