Authentication (Portswigger Apprentice Manual)
Vulnerability Labs (apprentice):
o Enter any invalid username and password and click Log in.
o Go to Burp Suite and forward all the packets.
o Open HTTP history and look for the POST request to /login.
o Right-click that request and choose Send to Intruder.
o Also send this request to Repeater to confirm that the username is valid.
o In Burp Repeater, change the username to the one you assume is valid and
send the request to get the response.
o Analyze the response to see whether it contains the text "Incorrect
password". If it does, the username is correct; otherwise the username is
wrong.
o Repeat the process for the password by changing the Intruder payload
settings. Enter the obtained username and password to solve the lab.
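The lab works because the login responds differently for an unknown username and for a wrong password. As an added illustration, not code from the lab or from PortSwigger, the following shows that flawed handler next to a hardened one that returns one generic message, does the same hashing work either way, and counts failures per submitted username so the brute-force step hits a limit. The in-memory user store, the PBKDF2 parameters and the failure threshold are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store for this example: username -> (salt, PBKDF2 hash).
# The lab's real backend is not visible; everything here is an illustrative assumption.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = os.urandom(16)
USERS = {"wiener": (_SALT, _hash_password("peter", _SALT))}

# Dummy credential so an unknown username still costs one hash computation,
# removing the obvious timing gap between "no such user" and "wrong password".
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-password-never-accepted", _DUMMY_SALT)

MAX_FAILURES = 5          # assumed threshold
_failures: dict = {}      # submitted username -> consecutive failed attempts


def login_vulnerable(username: str, password: str):
    """Returns (status, message). Leaks which field was wrong, which is exactly the
    difference the lab's enumeration step looks for."""
    if username not in USERS:
        return 200, "Invalid username"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return 200, "Incorrect password"
    return 302, "/my-account"


def login_hardened(username: str, password: str):
    """Same message and same amount of work whether or not the username exists,
    and a failure counter that applies equally to names that do not exist."""
    if _failures.get(username, 0) >= MAX_FAILURES:
        return 429, "Too many attempts, try again later"
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash_password(password, salt), stored)
    if username not in USERS or not ok:
        _failures[username] = _failures.get(username, 0) + 1
        return 200, "Invalid username or password"
    _failures.pop(username, None)
    return 302, "/my-account"
```

A per-username counter alone lets an attacker lock real users out, so a deployed version would combine it with per-source rate limiting; the point here is only that the error text and the timing no longer tell the two failure cases apart.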
2. 2FA simple bypass.
This lab's two-factor authentication can be bypassed. You have already
obtained a valid username and password, but do not have access to the user's
2FA verification code. To solve the lab, access Carlos's account page.
Your credentials: wiener:peter
Victim's credentials: carlos:montoya
Solution:
o Once you access the lab, go to My account and enter your credentials.
o Once you log in, you will have to enter your verification code to verify
your account. For this, click the Email client button given above.
o Copy the verification code and paste it into the text field.
o Log out of your account and log in again using the victim's credentials.
o On the page that asks for the verification code, edit the URL and replace
the end with /my-account.
o Once you press Enter, the verification step is skipped and the lab is
completed.
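The bypass works because the application marks the session as logged in after the password step, before the code has been checked. As an added example, not code from the lab or from PortSwigger, the following models that flaw and the fix: the hardened first step records only a pending user, and only the code-verification step promotes the session to a logged-in state that /my-account accepts. The plaintext credential table, the 4-digit code and the attempt limit are assumptions for illustration.

```python
import hmac
import secrets

# Constructed data for the example; plaintext passwords only to keep it short.
USERS = {"wiener": "peter", "carlos": "montoya"}
INBOX: dict = {}          # username -> last code that was "emailed" (stands in for the lab's email client)
MAX_CODE_ATTEMPTS = 3     # assumed limit on wrong codes per login


def _first_factor(session: dict, username: str, password: str) -> bool:
    """Checks the password and, on success, issues a code and records a pending login."""
    if USERS.get(username) != password:
        return False
    code = f"{secrets.randbelow(10_000):04d}"
    INBOX[username] = code
    session["pending_user"] = username
    session["mfa_code"] = code
    session["mfa_attempts"] = 0
    return True


def password_step_vulnerable(session: dict, username: str, password: str) -> int:
    if not _first_factor(session, username, password):
        return 401
    session["user"] = username   # BUG: fully logged in before the code is verified
    return 302                   # redirect to the verification-code page


def password_step_hardened(session: dict, username: str, password: str) -> int:
    if not _first_factor(session, username, password):
        return 401
    return 302   # only pending_user is set; /my-account still redirects to login


def mfa_step(session: dict, code: str) -> int:
    """Second step: the only place that sets session['user']."""
    expected = session.get("mfa_code")
    if not expected:
        return 401
    if not hmac.compare_digest(expected, code):
        session["mfa_attempts"] += 1
        if session["mfa_attempts"] >= MAX_CODE_ATTEMPTS:
            # Discard the pending login so the code cannot be guessed indefinitely.
            for key in ("pending_user", "mfa_code", "mfa_attempts"):
                session.pop(key, None)
        return 401
    session["user"] = session.pop("pending_user")
    session.pop("mfa_code")
    session.pop("mfa_attempts")
    return 302


def my_account(session: dict) -> int:
    """Serves the page only for a session that completed both factors."""
    return 200 if "user" in session else 302
```

With the hardened step, requesting /my-account after the password step alone returns the redirect; the page becomes reachable only after mfa_step succeeds.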
3. Password reset broken logic.
This lab's password reset functionality is vulnerable. To solve the lab, reset
Carlos's password then log in and access his "My account" page.
Your credentials: wiener:peter
Victim's username: carlos
Solution:
o Access the lab and go to the My account tab.
o With Burp running, click the Forgot your password? link and enter your
own username.
o Click the Email client button to view the password reset email that was
sent. Click the link in the email and reset your password to whatever you
want.
o In Burp, go to Proxy > HTTP history and study the requests and responses
for the password reset functionality. Observe that the reset token is
provided as a URL query parameter in the reset email. Notice that when
you submit your new password, the
POST /forgot-password?temp-forgot-password-token request contains the
username as a hidden input. Send this request to Burp Repeater.
o In Burp Repeater, observe that the password reset functionality still works
even if you delete the value of the temp-forgot-password-token
parameter in both the URL and request body. This confirms that the token
is not being checked when you submit the new password.
o In the browser, request a new password reset and change your password
again. Send the POST /forgot-password?temp-forgot-password-token
request to Burp Repeater again.
o In Burp Repeater, delete the value of the temp-forgot-password-token
parameter in both the URL and request body. Change the username
parameter to carlos. Set the new password to whatever you want and
send the request.
o In the browser, log in to Carlos's account using the new password you just
set. Click My account to solve the lab.
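The broken logic is that the handler takes the account from the hidden username field and never checks the token. As an added example, not code from the lab or from PortSwigger, the following puts that handler next to one that keeps reset tokens server-side, derives the account from the token, enforces expiry, and consumes the token on use, so an empty token or a username that does not match the token's owner is rejected. The user table, the token lifetime and the storage layout are assumptions for illustration.

```python
import hashlib
import secrets
import time
from typing import Optional

# Constructed data for the example; plaintext passwords only to keep it short.
USERS = {"wiener": "peter", "carlos": "montoya"}
# Server-side record of outstanding reset tokens: sha256(token) -> (owner, expiry).
# Storing a hash means a leaked copy of this table cannot be replayed as tokens.
_RESET_TOKENS: dict = {}
TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(username: str) -> Optional[str]:
    """Issues a token bound to one account. The return value stands in for the
    emailed link; a real handler would respond identically whether or not the
    username exists, to avoid enumeration."""
    if username not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    _RESET_TOKENS[_token_key(token)] = (username, time.time() + TOKEN_TTL_SECONDS)
    return token


def reset_vulnerable(token: str, username: str, new_password: str) -> int:
    """Trusts the username from the request body and never consults the token."""
    if username not in USERS:
        return 400
    USERS[username] = new_password
    return 302


def reset_hardened(token: str, username: str, new_password: str) -> int:
    """Account comes from the token record; the submitted username must match it.
    The token is single-use and is discarded on any failure as well."""
    if not token:
        return 400
    key = _token_key(token)
    record = _RESET_TOKENS.pop(key, None)   # consume on first use, valid or not
    if record is None:
        return 400
    owner, expiry = record
    if time.time() > expiry or owner != username:
        return 400
    USERS[owner] = new_password
    return 302
```

The decisive change is that the hardened handler never writes to USERS[username] from the body; it only ever writes to the owner recorded when the token was issued, which is what the original handler should have done.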