Authentication Bypass
Exploitation
Generally, we look out for logic vulnerabilities or developers failing to implement some features safely.
These include:
• Lack of account lockout after repeated failed attempts (anti-brute-forcing mechanisms)
    o For example, a 2FA measure that has a 6-digit PIN but allows unlimited tries for it.
Personally, when I'm testing for authentication vulnerabilities, I would ask myself the following questions:
• What is being used to authenticate a user and save their login session?
    o POST parameters
    o JSON
    o Can I poison the web cache or smuggle an HTTP request into the backend?
• Is the login sending a request of some form into a backend database, or is it running purely on JavaScript?
• Is there any other information being processed and passed into the web application?
    o For example, are any other parameters, like userID, being used?
• Is the website running an outdated version of software that has known exploits?
• Are there Web Application Firewalls or Intrusion Detection systems that would trigger upon entry of special characters into the database?
Example
Suppose that we have a web application that uses a JWT token to authenticate a session.
JWT tokens are basically base64url-encoded strings separated into 3 portions (header, payload and signature). The header and payload can be decoded by anyone without a key, and a token can be spoofed once we have the signing key (the private key or shared secret) needed to produce a valid signature.
This particular application runs on Flask. Its JWT tokens can be decoded, and from them the signing secret can be recovered.
Then, we can create a new cookie with whatever username we like. In this case, the username blue was the admin of the page.
With this new cookie, we can simply swap out the value of the Cookie header we found earlier and log in as this new user. This can also be done using JavaScript in the browser console with document.cookie='cookiehere'.
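As an added example (not from the original notes or the application described), the following standard-library Python shows the three JWT segments described above: the payload decodes without any key, a token whose payload is edited but whose signature is kept fails verification, and only a token signed with the server's secret is accepted. The secret, the claim names and the HS256 algorithm are constructed assumptions for the demo.

```python
# Added example: minimal HS256 JWT signing and server-side verification.
import base64, hashlib, hmac, json

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    # header.payload are base64url JSON; signature is HMAC-SHA256 over them.
    seg = lambda d: b64url_encode(json.dumps(d, separators=(",", ":")).encode())
    signing_input = f"{seg(header)}.{seg(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def decode_unverified(token: str) -> tuple:
    # Anyone holding the cookie can do this: segments are encoded, not encrypted.
    h, p, _ = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))

def tamper_payload(token: str, new_payload: dict) -> str:
    # Swap the payload but keep the old signature (what an attacker without
    # the secret can do); a correct verifier must reject this.
    h, _, s = token.split(".")
    return f"{h}.{b64url_encode(json.dumps(new_payload).encode())}.{s}"

def verify_hs256(token: str, secret: bytes):
    # What the server must do: pin the algorithm, recompute the HMAC and
    # compare in constant time. Returns the payload, or None on any failure.
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":      # rejects "none" and alg confusion
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))

SECRET = b"constructed-demo-secret"       # stands in for the app's real key
HEADER = {"alg": "HS256", "typ": "JWT"}
TOKEN = sign_hs256(HEADER, {"username": "guest"}, SECRET)

if __name__ == "__main__":
    print(decode_unverified(TOKEN)[1])                                  # readable
    print(verify_hs256(tamper_payload(TOKEN, {"username": "blue"}), SECRET))  # None
    print(verify_hs256(sign_hs256(HEADER, {"username": "blue"}, SECRET), SECRET))
```

The defensive takeaway is the last check: a strong, non-guessable signing secret is what stops the forged "blue" cookie, because everything else in the token is public.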