Module 1.4 - Authentication

Uploaded by 114 thp

Web Application Hacking

Authentication
Learning Goals

• By the end of this lesson, you will be able to:
– Explain how HTTP Basic Authentication works.
– Explain how HTTP Digest Authentication works.
– Explain how HTML Form Based Authentication works.
What is Authentication?
2.1 Web Authentication

• The process of verifying the identity of someone.
– It determines whether someone really is the person they claim to be.
What is Web Authentication?
2.1 Web Authentication

• Web Authentication determines whether someone attempting to access a protected resource with a username really is the same person who created the account.
The first HTTP authentication method
2.1.1 HTTP Basic Authentication
HTTP Basic Authentication Process
2.1.1 HTTP Basic Authentication

1. Client: GET /protected HTTP/1.1
2. Server: HTTP/1.1 401 Unauthorized
   WWW-Authenticate: Basic
3. Client: GET /protected HTTP/1.1
   Authorization: Basic base64(username:password)
4. Server: HTTP/1.1 200 OK or 401 Unauthorized
HTTP Basic Authentication is NOT secure
2.1.1 HTTP Basic Authentication

• HTTP Basic Authentication weaknesses
– User credentials are only encoded, and the encoding is reversible.
o Base64 of username:password
– The same user credentials are sent every time the client makes a request.
o Static login credentials
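Both sides of the four-step Basic exchange above, plus the decoding step that makes the "reversible encoding" weakness concrete, as an added example that is not part of the deck. The user name, password and realm are constructed sample values.

```python
import base64
import hmac

# Constructed sample credential store; a real server would store a salted hash.
USERS = {"alice": "s3cret"}
CHALLENGE = {"WWW-Authenticate": 'Basic realm="protected"'}


def client_request(username=None, password=None):
    """Steps 1 and 3: the request the client sends, with or without credentials."""
    headers = {}
    if username is not None:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        headers["Authorization"] = f"Basic {token}"
    return {"line": "GET /protected HTTP/1.1", "headers": headers}


def server_response(request):
    """Steps 2 and 4: challenge when credentials are missing, else verify them."""
    auth = request["headers"].get("Authorization")
    if auth is None:
        return {"status": 401, "headers": CHALLENGE}
    scheme, _, token = auth.partition(" ")
    if scheme != "Basic":
        return {"status": 401, "headers": CHALLENGE}
    try:
        username, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:  # malformed Base64 or bad UTF-8 (both are ValueError subclasses)
        return {"status": 400, "headers": {}}
    expected = USERS.get(username)
    if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
        return {"status": 200, "headers": {}}
    return {"status": 401, "headers": CHALLENGE}


def decode_basic_header(header_value):
    """The weakness from the slide above: anyone holding the header reverses the
    Base64 and gets username:password back, with no key involved."""
    return base64.b64decode(header_value.split(" ", 1)[1]).decode()


def run_exchange():
    """Walk the four steps; return (step-2 status, step-4 status, recovered credentials)."""
    step2 = server_response(client_request())
    step3 = client_request("alice", "s3cret")
    step4 = server_response(step3)
    return step2["status"], step4["status"], decode_basic_header(step3["headers"]["Authorization"])
```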
HTTP Digest Authentication Process
2.1.2 HTTP Digest Authentication

1. Client: GET /protected HTTP/1.1
2. Server: HTTP/1.1 401 Unauthorized
   WWW-Authenticate: Digest
   Nonce: "X95LDujmBAA=9c…5c57d0f90245d0f5"
3. Client: GET /protected HTTP/1.1
   Authorization: Digest
   Hash of nonce+username+password+URL+HTTP Method
4. Server: HTTP/1.1 200 OK or 401 Unauthorized
HTTP Digest Authentication is secure
2.1.2 HTTP Digest Authentication

• HTTP Digest Authentication strengths
– User credentials are hashed, and hashes are NOT reversible.
o Hash of nonce+username+password+URL+HTTP Method
– The hash changes with every request.
o The nonce gives dynamism to the conversation.

• HTTP Digest Authentication weaknesses
– User credentials are sent with every request.
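The hash from step 3 of the Digest process, computed the way RFC 2617 arranges it, together with the server-side check and nonce handling that give the "changes with every request" property. This is an added example, not code from the deck; realm, nonce and credentials are constructed, and single-use nonces are a simplification of this example (the RFC also allows reuse with a request counter). RFC 2617 specifies MD5, which is kept here for fidelity rather than as a recommendation.

```python
import hashlib
import secrets


def md5_hex(s):
    # RFC 2617 specifies MD5; it is used here for fidelity, not as a recommendation.
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, password, realm, nonce, method, uri):
    """Client side (step 3): the slide's 'hash of nonce+username+password+URL+
    HTTP method', in the RFC 2617 arrangement without the optional qop fields."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")  # binds the credentials
    ha2 = md5_hex(f"{method}:{uri}")                  # binds the request
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class DigestServer:
    """Keeps HA1 per user (so the clear-text password is never stored) and the
    nonces it has issued.  Single-use nonces are an assumption of this example."""

    def __init__(self, realm):
        self.realm = realm
        self.ha1 = {}
        self.live_nonces = set()

    def add_user(self, username, password):
        self.ha1[username] = md5_hex(f"{username}:{self.realm}:{password}")

    def challenge(self):
        """Step 2: a fresh, unpredictable nonce for the 401 response."""
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return nonce

    def verify(self, username, nonce, method, uri, response):
        """Step 4: recompute the response from the stored HA1 and compare."""
        if username not in self.ha1 or nonce not in self.live_nonces:
            return 401
        self.live_nonces.discard(nonce)  # a captured response cannot be replayed
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{self.ha1[username]}:{nonce}:{ha2}")
        return 200 if secrets.compare_digest(expected, response) else 401
```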
HTML Form Based Authentication
2.1.3 HTML Form Based Authentication

• Redirects the user to a login page.
– The user must supply a username and password via an HTML form.
HTML Form Based Authentication
2.1.3 HTML Form Based Authentication

• HTML Form Based Authentication strengths
– The credentials are not sent again until the cookie expires.
– Full control over the appearance of the login form.

• HTML Form Based Authentication weaknesses
– The server needs to store client credentials.
– Credentials are sent in clear text (unless TLS is used).
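A minimal form-based login flow, added here as an example that is not from the deck: the credentials are posted once, a random session cookie carries the authentication until it expires, and the server keeps a salted password hash rather than the password itself. The account, password and the 900-second cookie lifetime are assumed values.

```python
import hashlib
import hmac
import os
import secrets
import time

SESSION_TTL = 900  # seconds before the session cookie expires (assumed value)


def hash_password(password, salt=None):
    """Server-side storage: salt + PBKDF2, never the clear-text password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class FormLoginServer:
    def __init__(self):
        self.users = {}     # username -> (salt, hash)
        self.sessions = {}  # cookie value -> (username, expiry time)

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def post_login(self, form, now=None):
        """POST /login with form fields 'username' and 'password' (clear text on
        the wire unless TLS protects it).  Returns the Set-Cookie value or None."""
        now = now or time.time()
        rec = self.users.get(form.get("username"))
        if rec is None:
            return None
        salt, stored = rec
        _, candidate = hash_password(form.get("password", ""), salt)
        if not hmac.compare_digest(stored, candidate):
            return None
        cookie = secrets.token_urlsafe(32)  # random; not derived from the credentials
        self.sessions[cookie] = (form["username"], now + SESSION_TTL)
        return cookie

    def get_protected(self, cookie, now=None):
        """Later requests carry only the cookie; an expired or unknown cookie
        sends the user back to the login page instead of re-sending credentials."""
        now = now or time.time()
        sess = self.sessions.get(cookie)
        if sess is None or sess[1] <= now:
            self.sessions.pop(cookie, None)
            return 302  # redirect to /login
        return 200
```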
Contents

• 2.2 - Attacking Web Authentication
– 2.2.1 Username Enumeration
– 2.2.2 Password Brute Force
– 2.2.3 Credential Harvesting
Learning Goals

• By the end of this lesson, you will be able to:
– Use different techniques to enumerate usernames in vulnerable Web Applications.
– Brute-force passwords using BurpSuite.
– Know where and how to harvest web credentials.
Impact of Authentication Bypass
2.2 Attacking Web Authentication

• Once an account is compromised, the attacker has access to all of its data and functionality.
– By compromising a high-privileged account, the attacker can take full control over the entire application.
– Potentially gain access to internal infrastructure.
What are Login Credentials?
2.2 Attacking Web Authentication

• Enable users to verify their identities to online accounts over the web.
– Username
o Unique ID on the Web Application. Usernames should not be used by themselves as an authentication method.
– Password
o Secret combination of letters, numbers and special characters that verifies users and grants them access to protected resources.
What is Username Enumeration?
2.2.1 Username Enumeration

• An attacker can observe changes in the website's behavior in order to identify whether a given username is valid.
– An attacker who harvests the right username has half of the attack done.
Status Codes
2.2.1 Username Enumeration

• Different status codes for valid and invalid usernames

[Screenshots compared: invalid username vs. valid username]

Error Messages
2.2.1 Username Enumeration

• Error messages can reveal valid usernames
– Incorrect password response

[Screenshots compared: invalid username vs. valid username]

Error Messages
2.2.1 Username Enumeration

• Error messages can reveal valid usernames
– Sometimes this can be very subtle

[Screenshots compared: invalid username vs. valid username]

Response Timing
2.2.1 Username Enumeration

• When web servers validate the password only if the username is valid:
– Long passwords will delay the response time for valid usernames.
– Passwords for invalid usernames won't be validated, so the response time will be shorter.

[Screenshots compared: invalid username vs. valid username]
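Seen from the defender's side, the three enumeration signals on the slides above (status code, error message, response time) all come from a login handler that treats an unknown username differently from a wrong password. The added example below, which is not from the deck, puts such a naive handler beside a hardened one that returns one status, one message and does the same password-hashing work in both cases; the account, password and PBKDF2 work factor are constructed values.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value)


def pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_store(accounts):
    """Constructed credential store: username -> (salt, PBKDF2 hash)."""
    store = {}
    for username, password in accounts.items():
        salt = os.urandom(16)
        store[username] = (salt, pbkdf2(password, salt))
    return store


USERS = make_store({"alice": "s3cret"})  # constructed sample account
# Dummy record used for unknown usernames so the same PBKDF2 work always runs;
# a random password means the dummy record can never verify successfully.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = pbkdf2(secrets.token_hex(16), DUMMY_SALT)


def leaky_login(username, password):
    """Naive handler: a different status, message and timing per failure cause."""
    rec = USERS.get(username)
    if rec is None:
        return 404, "Unknown username"  # no hashing at all, so it answers fast
    salt, stored = rec
    if hmac.compare_digest(stored, pbkdf2(password, salt)):
        return 200, "Welcome"
    return 401, "Incorrect password"


def uniform_login(username, password):
    """Hardened handler: one status, one message and the same hashing cost
    whether or not the username exists."""
    salt, stored = USERS.get(username, (DUMMY_SALT, DUMMY_HASH))
    ok = hmac.compare_digest(stored, pbkdf2(password, salt))
    if ok and username in USERS:
        return 200, "Welcome"
    return 401, "Invalid username or password"
```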


Password Lists
2.2.2 Brute Forcing Passwords

• Passwords can be brute-forced, with the difficulty varying based on the strength of the password.
– Common and simple passwords are easy to brute force.
Password Lists
2.2.2 Brute Forcing Passwords

• Many websites adopt some form of password policy, which forces users to create high-entropy passwords.
– Users often adjust their password to fit the password policy.
o mypassword becomes Myp4$$w0rd
Where can we find web credentials?
Credential Harvesting

• There is a substantial amount of web credentials out there
– Google
– Dark web
– Hacked website lists
– Phishing

Source: https://www.qrtd.qa/index.php/darkweb_intelligence/
theHarvester
Credential Harvesting

• CLI tool that acts as a wrapper around a variety of search engines to collect:
– Emails
– Employee names
– Others
Learning Goals

• Now you can:
– Use different techniques to enumerate usernames in vulnerable Web Applications.
– Brute-force passwords using BurpSuite.
– Know where and how to harvest web credentials.
Thank you
