Broken Authentication

Jason Giusto
5 min read · Jul 9, 2024


According to the OWASP Top 10 2021 list, broken authentication slid from the number 2 spot to the number 7 spot. OWASP gives a great breakdown of what broken authentication is and how to mitigate it here: https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/

When I think of broken authentication I think of brute forcing, easy passwords, subtle error messages that leak information when a bad username is given, or even weak or no MFA. PortSwigger Web Academy is a great resource for learning to exploit and mitigate the different web vulnerabilities a pentester might face. The Web Academy focuses heavily on Burp Suite, the most widely known and used web app testing tool, which PortSwigger created. The Web Academy is also a fantastic way to practice using Burp Suite so you can put this amazing tool on your resume or CV.

PortSwigger Web Academy is a free learning platform. Once you have signed up you can work through labs at the apprentice, practitioner, and even expert levels. I will be showing a walkthrough of “Username Enumeration via Different Responses” from the Broken Authentication learning path. So as IppSec would say, “Let’s get into it.”

To get started I load up Burp Suite, turn off Intercept (for now), and point FoxyProxy at port 8080 (if you need help setting up FoxyProxy with Burp Suite you can learn how here: https://medium.com/@toshvelaga/setting-up-foxyproxy-with-burp-suite-for-chrome-28470fd86084). With Intercept off, everything I click or submit still flows through Burp and lands in the HTTP history, without Intercept pausing each request and stalling the connection.

The lab information is as follows: “This lab is vulnerable to username enumeration and password brute-force attacks. It has an account with a predictable username and password”. The lab provides a custom username list and password list to download to help with the brute forcing, which is especially nice because I do not have the Professional version of Burp, so my Intruder (we will get to that) is throttled.

With my proxy on I try the generic admin:admin username and password combo, but no joy.

We can see here that Burp caught my request. Let’s go ahead and send this to Repeater and Intruder. Repeater lets me modify the request and inspect the responses, while Intruder lets me brute force username and password combos.

Burp request caught in http history

Once sent to Intruder, we hit Clear on the right-hand side, then highlight just the username value and click Add. This tells Intruder to brute force only the username.

Modifying the parameters for Intruder

To set up our brute force we need to choose the attack type. Burp Intruder has four attack types: Sniper, Battering Ram, Pitchfork, and Clusterbomb. TryHackMe has a great room about the different Burp attack types and when to use each. Since we are only attacking one parameter, the username, we will go with Sniper. With the attack type set we move to the payload tab and load the username list provided by the lab. *It should be noted that in a real environment the username list would come from OSINT or passive reconnaissance.

Loading in the custom username list for the attack

Now all that is left to do is hit the “Start Attack” button, and then we wait. There are 101 names in the list, but this can take about 1–2 minutes because the free Community Edition of Burp throttles Intruder. As NetworkChuck would say, “Now it’s time for a coffee break!”

What we are looking for here is a difference in response lengths. In other labs it could be a difference in response times, but in our case we inspect the response length. The difference will be subtle: look for the one response whose length differs from all the others.

Response length changed for valid username

Boom! We have a potential username. Now we go back to our Intruder setup and clear the payload positions. We set the username to adserver, highlight the password value, and click Add. We again use the Sniper attack. Our payload is now the password list provided by the lab (you may have to clear out the username list first). Then we start the attack!

Adding the username and changing the fuzzing parameter to password
Password list is set in Intruder

This time we are looking not at the response length but at a change in HTTP status code, which is where knowing your HTTP status codes comes into play. The majority of them will be 200, the universal ‘OK’, but that only means the page loaded; it does not mean the credentials were valid. What we want is a 302, a redirect. That usually means the credentials were valid and we were redirected to another page.
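Both signals used above, the response length that differs for a valid username and the 302 that appears for a valid password, come from the server answering differently depending on which half of the credential was wrong. The following Python is an added example written for this write-up, not code from the lab or the original post: a login handler in the lab's style next to a hardened one that returns a single message for every failure, does the same password-hash work whether or not the username exists, and throttles by client rather than locking a username (a per-username lockout message would itself confirm the username exists). The salt, messages, thresholds and the in-memory user store are constructed; the only credential is the lab's adserver:159753 from this walkthrough.

```python
import hashlib
import hmac
from collections import defaultdict

# Example code added to this write-up; not part of the lab or the original post.
SALT = b"constructed-demo-salt"      # a real system uses a random per-user salt
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes = SALT) -> bytes:
    """PBKDF2-HMAC-SHA256 so that every check costs the same amount of work."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# The lab's recovered credentials (adserver:159753) as the one valid account.
USERS = {"adserver": hash_password("159753")}

# Hash of a throwaway password, checked when the username does not exist so that
# unknown and known usernames follow the same code path and take similar time.
DUMMY_HASH = hash_password("not-a-real-password")


def login_vulnerable(username: str, password: str):
    """Lab-style handler: distinct messages (and lengths) reveal which part was wrong."""
    if username not in USERS:
        return 200, "Invalid username"
    if not hmac.compare_digest(USERS[username], hash_password(password)):
        return 200, "Incorrect password"
    return 302, "Location: /my-account"


# Per-client failure counters for the hardened handler (in-memory for the example).
FAILURES = defaultdict(int)
MAX_FAILURES = 5


def login_hardened(username: str, password: str, client_ip: str):
    """One message for every failure, constant-cost check, per-client throttling."""
    if FAILURES[client_ip] >= MAX_FAILURES:
        # Throttle by client, not by username, so the throttle itself cannot be
        # used to confirm that a username exists.
        return 429, "Too many attempts, try again later"
    stored = USERS.get(username, DUMMY_HASH)
    hash_ok = hmac.compare_digest(stored, hash_password(password))
    if not (hash_ok and username in USERS):
        FAILURES[client_ip] += 1
        return 200, "Invalid username or password"
    FAILURES[client_ip] = 0
    return 302, "Location: /my-account"


def signals(handler, *args):
    """The two things Intruder would sort on: status code and response length."""
    status, body = handler(*args)
    return status, len(body)


if __name__ == "__main__":
    print("vulnerable:", signals(login_vulnerable, "nosuch", "x"),
          signals(login_vulnerable, "adserver", "x"))
    print("hardened:  ", signals(login_hardened, "nosuch", "x", "198.51.100.7"),
          signals(login_hardened, "adserver", "x", "198.51.100.7"))
```

Run it and the vulnerable handler prints two different (status, length) pairs for a bad username versus a bad password, which is exactly the difference the Intruder results table exposes; the hardened handler prints the same pair for both, so sorting by length or status tells an attacker nothing about which usernames are real.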

302 Status Code found

Well now it looks like adserver:159753 could be our username and password combo. Let’s try it.

Successfully logged in

This was obviously an easy example of brute forcing a web app login page, but the concepts are crucial to understand, and learning Burp Suite is essential for an aspiring pentester, especially one focused on web apps.

Another way to solve this lab is to catch the login request in Burp, copy it to a .txt file on your machine, and then use ffuf in clusterbomb mode (clusterbomb is one of the Burp attack types mentioned earlier). A clusterbomb attack simply tests every username against every password. There were 101 usernames and 100 passwords, so 101 * 100 = 10,100 possible combinations to run through.

Login request caught in Burp and modified username and password for fuzzing
ffuf command for brute forcing
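Either approach, 101 Intruder requests against the username or 10,100 ffuf requests against both fields, leaves a very recognisable trace on the server side: one client failing against many different usernames, then one client failing many times against a single username before a success. The Python below is an added example for this write-up, not from the lab or the original post, showing the detection logic a defender would run over an application's authentication log. The log format (one line per attempt with ip=, user= and result=) and the sample lines are constructed for the example; real servers log this in their own format, so only the regex would need adjusting.

```python
import re
from collections import Counter, defaultdict

# Example code added to this write-up; not part of the lab or the original post.
# Constructed authentication log: one line per login attempt. The addresses are
# documentation ranges and the usernames are made up (adserver is the lab account).
SAMPLE_LOG = """\
2024-07-09T10:00:00Z ip=203.0.113.5 user=root result=fail
2024-07-09T10:00:01Z ip=203.0.113.5 user=admin result=fail
2024-07-09T10:00:01Z ip=203.0.113.5 user=test result=fail
2024-07-09T10:00:02Z ip=203.0.113.5 user=guest result=fail
2024-07-09T10:00:02Z ip=203.0.113.5 user=info result=fail
2024-07-09T10:00:03Z ip=203.0.113.5 user=adserver result=fail
2024-07-09T10:01:10Z ip=198.51.100.7 user=adserver result=fail
2024-07-09T10:01:11Z ip=198.51.100.7 user=adserver result=fail
2024-07-09T10:01:11Z ip=198.51.100.7 user=adserver result=fail
2024-07-09T10:01:12Z ip=198.51.100.7 user=adserver result=fail
2024-07-09T10:01:12Z ip=198.51.100.7 user=adserver result=fail
2024-07-09T10:01:13Z ip=198.51.100.7 user=adserver result=success
2024-07-09T10:05:00Z ip=192.0.2.9 user=alice result=fail
2024-07-09T10:05:08Z ip=192.0.2.9 user=alice result=success
this line is malformed on purpose and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>fail|success)$"
)


def parse_log(text: str):
    """Return one dict per well-formed line; malformed lines are skipped, not fatal."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_auth_abuse(text: str, enum_threshold: int = 5, guess_threshold: int = 5):
    """Map client IP -> alert type.

    username_enumeration:        failures against >= enum_threshold distinct usernames
    password_guessing:           >= guess_threshold failures against one username
    password_guessing_succeeded: the same, followed by a success for that username
    """
    fails_by_ip = defaultdict(list)     # ip -> list of usernames that failed
    success_by_ip = defaultdict(set)    # ip -> usernames that logged in
    for ev in parse_log(text):
        if ev["result"] == "fail":
            fails_by_ip[ev["ip"]].append(ev["user"])
        else:
            success_by_ip[ev["ip"]].add(ev["user"])

    alerts = {}
    for ip, users in fails_by_ip.items():
        distinct_users = len(set(users))
        top_user, top_count = Counter(users).most_common(1)[0]
        if distinct_users >= enum_threshold:
            alerts[ip] = "username_enumeration"
        elif top_count >= guess_threshold:
            if top_user in success_by_ip[ip]:
                alerts[ip] = "password_guessing_succeeded"
            else:
                alerts[ip] = "password_guessing"
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_auth_abuse(SAMPLE_LOG).items():
        print(f"{ip}: {alert}")
```

The thresholds are deliberately low so the sample log trips them; in production they are tuned per application, and the real value of the "succeeded" case is that it is the alert worth paging on, since the 302 the attacker was waiting for is also the moment the account is compromised.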

I will be going through various parts of the PortSwigger Web Academy to improve my web app testing skills and learn how to secure web apps, using Burp and whatever other methods or tools I come across.
