(CyberSec'24) Lab04 - Student Version
Hands-On 1
Hands-On 2
Authentication Vulnerabilities
What is Authentication?
● Authentication identifies the user and confirms that they are who they say they are.
● There are three main types of authentication:
o Something you know, such as a password or the answer to a security question (HTML form-based authentication).
o Something you have: a physical object such as a mobile phone or security token (multi-factor mechanisms).
o Something you are or do, for example your biometrics or patterns of behavior (fingerprint or iris scanner).
Authentication Vulnerabilities
● Authentication Vulnerabilities arise from insecure implementation of
the authentication mechanisms in an application.
o Weak Password Requirements.
o Improper Restriction of Authentication Attempts.
o Verbose Error Message.
o Vulnerable Transmission of Credentials.
o Insecure Forgot Password Functionality.
o Defects in Multistage Login Mechanism.
o Insecure Storage of Credentials.
● Weak Password Requirements: Having no or minimal controls
over the quality of users’ passwords.
o Very short or blank
o Common dictionary words or names
o Password is the same as the username
o Use of default password
o Missing or ineffective MFA
● Improper Restriction of Authentication Attempts: Application
permits brute force or other automated attacks.
o Login page
o OTP / MFA page
o Change password page
● Verbose Error Message: The application outputs a verbose error
message that allows for username enumeration.
● Vulnerable Transmission of Credentials: The application uses an
unencrypted HTTP connection to transmit login credentials.
● Insecure Forgot Password Functionality: Design weaknesses in the forgotten password
functionality usually make it the weakest link that can be used to attack the application’s
overall authentication logic.
o Finite number of solutions (the security question has only a small set of possible answers)
o The answer can be found online, e.g. on social media
● Defects in Multistage Login Mechanism: Insecure
implementation of the MFA function.
● How can this be exploited?
o Change the “account” cookie to the victim’s username and
compromise the victim’s account.
● Insecure Storage of Credentials: Passwords are stored in plain text, in reversibly
encrypted form, or in weakly hashed form.
Impact of Authentication Vulnerabilities
● Unauthorized access to the application.
o Confidentiality – Access to view other users’ data.
o Integrity – Access to update other users’ data
o Availability – Access to delete users and their data.
● Can sometimes be chained with other vulnerabilities to gain remote
code execution on the host operating system.
Preventing Authentication Vulnerabilities
● Wherever possible, implement multi-factor authentication.
● Change all default credentials.
● Always use an encrypted channel / connection (HTTPS) when sending
user credentials.
● Only POST requests should be used to transmit credentials to the
server.
● Stored credentials should be hashed and salted using
cryptographically secure algorithms.
● Use identical, generic error messages on the login form when the user
enters incorrect credentials.
● Implement an effective password policy (use a simple password strength checker to
provide real-time feedback).
● Implement robust brute force protection on all authentication pages.
● Audit any verification or validation logic thoroughly to eliminate flaws.
bWAPP
● bWAPP, or a buggy Web APPlication.
● Deliberately insecure web application, includes all major known web
vulnerabilities.
● Helps security enthusiasts, developers and students to discover and to prevent
web application issues.
● How to install: https://youtu.be/MPuF9baflSk
Broken Auth. - Password Attacks
● Step 1: Open localhost/bWAPP/, enter the login name bee with an incorrect password, and click Login.
● Step 2: In Burp Suite, right-click the captured login request and send it to Intruder.
● Step 3: Open the Positions tab, click Clear, and set the attack type to Sniper.
● Step 4: In the Positions tab, select the incorrect password value (wrongpassword) and click Add.
● Step 5: Open the Payloads tab. For payload set 1, set the payload type to Brute forcer. (To save time we
limit the brute force to 3 letters only.)
● Step 6: Open the Options tab, go to Grep - Match, and tick the check box
Flag result items with responses matching these expressions.
Click Clear (confirm with Yes) and add the following expression:
Invalid credentials! Did you forgot your password?
Match type: Simple string.
Tick Exclude HTTP headers.
● Step 7: Start the attack. If a pop-up appears, click OK.
● Step 8: Sort by the Length column and check the results.
Open the Response tab and search for the words successful login.
Open the Render tab to see the successful login page.
Hands-On 1: Username Enumeration via Different Responses
(is.gd/lab4a)
1. With Burp running, investigate the login page and submit an invalid username and password.
2. In Burp, go to Proxy > HTTP history and find the POST /login request. Send this to Burp Intruder.
3. In Burp Intruder, go to the Positions tab. Make sure that the Sniper attack type is selected.
4. Click Clear § to remove any automatically assigned payload positions. Highlight the value of the username parameter and click
Add § to set it as a payload position. This position will be indicated by two § symbols, for example: username=§invalid-username§.
Leave the password as any static value for now.
5. On the Payloads tab, make sure that the Simple list payload type is selected.
6. Under Payload options, paste the list of candidate usernames. Finally, click Start attack. The attack will start in a new window.
7. When the attack is finished, on the Results tab, examine the Length column. You can click on the column header to sort the results.
Notice that one of the entries is longer than the others. Compare the response to this payload with the other responses. Notice
that other responses contain the message Invalid username, but this response says Incorrect password. Make a note of the
username in the Payload column.
8. Close the attack and go back to the Positions tab. Click Clear, then change the username parameter to the username you just
identified. Add a payload position to the password parameter. The result should look something like this:
username=identified-user&password=§invalid-password§
9. On the Payloads tab, clear the list of usernames and replace it with the list of candidate passwords. Click Start attack.
10. When the attack is finished, look at the Status column. Notice that each request received a response with a 200 status code
except for one, which got a 302 response. This suggests that the login attempt was successful - make a note of the password in
the Payload column.
11. Log in using the username and password that you identified and access the user account page to solve the lab.
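The lab above works because the login form answers Invalid username for one payload and Incorrect password for another, and the stored-credential and brute-force bullets in the prevention list describe the fix. The following is an added example (not bWAPP's or the lab's own code) with a constructed in-memory user store: the verbose login beside a hardened one that returns a single generic message, salts and hashes with PBKDF2, spends the same hashing work on unknown usernames, and counts failed attempts. The user names, passwords and lockout threshold are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store: username -> (salt, PBKDF2 hash). Example only.
_USERS = {}
_FAILED = {}            # username -> consecutive failed attempts
_MAX_ATTEMPTS = 5       # constructed lockout threshold for the demo
_ITERATIONS = 100_000   # lowered for the demo; production should use a higher work factor
GENERIC_ERROR = "Invalid username or password"

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)

def register(username: str, password: str) -> None:
    salt = os.urandom(16)                       # unique random salt per account
    _USERS[username] = (salt, _hash_password(password, salt))

# Dummy record so that unknown usernames cost the same hashing work as known ones
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy", _DUMMY_SALT)

def login_verbose(username: str, password: str) -> str:
    """Vulnerable: the two failure messages reveal whether the username exists."""
    if username not in _USERS:
        return "Invalid username"
    salt, stored = _USERS[username]
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return "Incorrect password"
    return "OK"

def login_hardened(username: str, password: str) -> str:
    """One generic failure message, equal hashing cost for unknown users,
    and an attempt counter on every failure (also for unknown usernames)."""
    if _FAILED.get(username, 0) >= _MAX_ATTEMPTS:
        return GENERIC_ERROR                    # locked: still the same message
    salt, stored = _USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)  # always computed, even for unknown users
    ok = hmac.compare_digest(candidate, stored) and username in _USERS
    if ok:
        _FAILED.pop(username, None)
        return "OK"
    _FAILED[username] = _FAILED.get(username, 0) + 1
    return GENERIC_ERROR
```

Sorting Intruder results by Length or Status, as in the lab, finds nothing against the hardened version because every failure produces the same response.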
Hands-On 1: 2FA Simple Bypass (Extra)
(is.gd/lab4aa)
1. Log in to your own account. Your 2FA verification code will be sent to
you by email. Click the Email client button to access your emails.
2. Go to your account page and make a note of the URL.
3. Log out of your account.
4. Log in using the victim's credentials.
5. When prompted for the verification code, manually change the URL to
navigate to /my-account. The lab is solved when the page loads.
Broken Access Control
Important Terminology
● Authentication: identifies the user and confirms that they are who they say they are.
● Session Management: identifies which subsequent HTTP requests
are being made by each user.
● Access Control: determines whether the user is allowed to carry out
the action that they are attempting to perform.
Session IDs & Cookies
● Session IDs:
o Session IDs (Session Identifiers) are unique tokens or strings generated by web applications
to identify and track user sessions. They are essential for maintaining stateful communication
between the client (user's browser) and the server.
o Session IDs are typically used to associate requests from a user with their session data stored
on the server.
● Cookies:
o Cookies are small pieces of data (usually text) that a web server sends to the user's browser,
which stores them locally.
o Cookies serve various purposes, such as session management, user tracking, and
personalization. In the context of session management, session cookies are commonly used
to store the session ID, allowing the server to recognize and maintain the user's session.
Access Control Types
● Vertical Access Control: restricts access to functions that are not available to
every user in the organization (different privilege levels).
● Horizontal Access Control: restricts different users of the
same privilege from accessing each other's resources.
● Context-Dependent Access Control: restricts access to
functionality and resources based on the state of the
application or the user’s interaction with it.
Broken Access Control
● Broken Access Control vulnerabilities arise when users can act outside of their
intended permissions. This typically leads to sensitive information disclosure,
unauthorized access and modification or destruction of data.
● Horizontal Privilege Escalation: occurs when an attacker gains access to
resources belonging to another user of the same privilege level.
● Vertical Privilege Escalation: occurs when an attacker gains access to privileged
functionality that they are not permitted to access.
● Multi-Step Processes: occur when access control rules are implemented on some
of the steps, but ignored on others.
Spot the Vulnerability?
o Answer: No verification is performed on line 8 to see if the order has been made by
the currently logged-in user.
● How do you fix this code?
o Answer: Ensure the object id of the order belongs to the user making the request.
Impact of Broken Access Control
● Unauthorized access to the application.
o Confidentiality – Access to view other users’ data.
o Integrity – Access to update other users’ data
o Availability – Access to delete users and their data.
● Can sometimes be chained with other vulnerabilities to gain remote
code execution on the host operating system.
Preventing Access Control Vulnerabilities
● Use a security-centric design where access is verified first and
ensure all requests go through an access control check.
● Except for public resources, deny access by default.
● Apply the principle of least privilege throughout the entire application.
● Consider using attribute or feature-based access control checks
instead of role-based access control.
● Access control checks should always be performed on the server
side.
● Anything coming from client-side should be considered dangerous and
completely untrusted.
Live Lab: User Role Controlled by Request Parameter
(is.gd/lab4ta)
1. Browse to /admin and observe that you can't access the admin panel.
2. Browse to the login page.
3. In Burp Proxy, turn interception on and enable response interception.
4. Complete and submit the login page, and forward the resulting request in Burp.
5. Observe that the response sets the cookie Admin=false. Change it to Admin=true.
6. Load the admin panel and delete carlos.
Hands-On 2: User Role Can Be Modified in User Profile
(is.gd/lab4b)
1. Log in using the supplied credentials and access your account page.
2. Use the provided feature to update the email address associated with your account.
3. Observe that the response contains your role ID.
4. Send the email submission request to Burp Repeater, add "roleid":2 into the JSON in the
request body, and resend it.
5. Observe that the response shows your roleid has changed to 2.
6. Browse to /admin and delete carlos.
Hands-On 2 (Extra): User ID Controlled by Request Parameter
(is.gd/lab4bb)
1. Find a blog post by carlos.
2. Click on carlos and observe that the URL contains his user ID. Make a
note of this ID.
3. Log in using the supplied credentials and access your account page.
4. Change the "id" parameter to the saved user ID.
5. Retrieve and submit the API key.
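The access-control labs above all fail the same way: the server trusts something the client sent (an Admin cookie, a roleid in the JSON body, an id parameter, or the fact that the 2FA step was skipped by browsing straight to /my-account), and the Spot the Vulnerability slide shows an order fetched without checking its owner. The following is an added example, not the labs' code, that models the server side as the prevention list describes: identity and role come only from a server-side session store, ownership is verified before an order is returned, and an unfinished 2FA login counts as not logged in. The session tokens, user ids and orders are constructed for the demo.

```python
# Constructed server-side state; example code, not the lab application's own.
SESSIONS = {                  # session cookie -> authoritative identity
    "sess-wiener": {"user_id": 1, "role": "user", "mfa_done": True},
    "sess-admin": {"user_id": 99, "role": "administrator", "mfa_done": True},
    "sess-pending": {"user_id": 2, "role": "user", "mfa_done": False},  # 2FA not finished
}
ORDERS = {                    # order id -> owner and contents
    1001: {"owner_id": 1, "item": "book"},
    1002: {"owner_id": 2, "item": "laptop"},
}

def _session(req):
    """Identity comes only from the server-side session; a login whose second
    factor has not been completed is treated as not logged in at all."""
    sess = SESSIONS.get(req.get("cookies", {}).get("session"))
    return sess if sess and sess["mfa_done"] else None

def get_order_vulnerable(req, order_id):
    """Returns any existing order to whoever asks: no ownership check."""
    order = ORDERS.get(order_id)
    return (200, order) if order else (404, None)

def get_order_hardened(req, order_id):
    """Verify that the order belongs to the user making the request."""
    sess = _session(req)
    if sess is None:
        return (401, None)
    order = ORDERS.get(order_id)
    # Same 404 for a missing order and for another user's order, so that
    # valid ids belonging to other users cannot be confirmed by probing.
    if order is None or order["owner_id"] != sess["user_id"]:
        return (404, None)
    return (200, order)

def is_admin_vulnerable(req):
    """Trusts a client-controlled cookie such as Admin=true."""
    return req.get("cookies", {}).get("Admin") == "true"

def is_admin_hardened(req):
    """Role is read from the session store; cookies, query parameters and JSON
    body fields like "roleid" or "id" sent by the client are never consulted."""
    sess = _session(req)
    return sess is not None and sess["role"] == "administrator"

def admin_delete_user(req, username, users):
    """The vertical check runs inside the privileged action itself."""
    if not is_admin_hardened(req):
        return 403
    users.pop(username, None)
    return 200
```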
QUESTIONS?
THANK YOU