Authentication

Account Registration

Using a specific mail domain

Registering with an email address that has more than 200 characters before the @ symbol causes the application to truncate the stored address to 255 characters. This truncation exposes a logic flaw in the account registration page. In the email below, the m at the end of @dontwannacry.com is character 255 exactly.

very-long-strings-so-very-long-string-so-very-long-string-so-very-long-string-so-very-long-string-so-very-long-string-so-very-long-string-so-very-long-string-so-very-long-string-so-very-long-string-so-very-long-string-so-very-long-strings@dontwannacry.com.exploit-0a59009f04dfcc6882ee1431018e0043.exploit-server.net
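As an added example (not code from the original notes), the snippet below models the truncation flaw beside a hardened validator that rejects oversized addresses instead of cutting them down. ALLOWED_DOMAIN, MAX_EMAIL_LEN and the sample addresses are constructed assumptions for this example.

```python
# Added example (not from the original notes): a minimal model of the
# registration logic flaw beside a hardened validator that rejects oversized
# addresses instead of truncating them. ALLOWED_DOMAIN, MAX_EMAIL_LEN and the
# sample addresses are constructed for this example.
import re

ALLOWED_DOMAIN = "dontwannacry.com"
MAX_EMAIL_LEN = 255     # assumed storage limit that the flawed flow truncates to
MAX_LOCAL_PART = 64     # RFC 5321 limit for the part before the @
EMAIL_RE = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_allowed_domain(address: str) -> bool:
    """True only if the part after the last @ is exactly ALLOWED_DOMAIN."""
    return address.rsplit("@", 1)[-1].lower() == ALLOWED_DOMAIN


def register_vulnerable(email: str) -> dict:
    """Flawed flow: truncate for storage and authorise on the truncated value,
    while the confirmation mail goes to the address the user actually typed."""
    stored = email[:MAX_EMAIL_LEN]
    return {
        "stored": stored,
        "confirmation_to": email,   # delivered to whoever controls the full address
        "privileged": is_allowed_domain(stored),
    }


def register_hardened(email: str) -> dict:
    """Reject anything the storage layer could not keep intact, then validate
    the same string that will be stored and used for authorisation."""
    if len(email) > MAX_EMAIL_LEN:
        raise ValueError("email address too long")
    local = email.rpartition("@")[0]      # '' when there is no @ at all
    if not local or len(local) > MAX_LOCAL_PART:
        raise ValueError("local part missing or too long")
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("malformed email address")
    if not is_allowed_domain(email):
        raise ValueError("domain not allowed")
    return {"stored": email, "confirmation_to": email, "privileged": True}


def hardened_rejects(email: str) -> bool:
    """Convenience wrapper: True if the hardened validator refuses the address."""
    try:
        register_hardened(email)
    except ValueError:
        return True
    return False


def build_overlong_address() -> str:
    """Constructed sample: 238 filler characters + '@dontwannacry.com' is exactly
    255 characters, so the attacker-controlled suffix is what gets cut off."""
    local = "x" * (MAX_EMAIL_LEN - len("@" + ALLOWED_DOMAIN))
    return local + "@" + ALLOWED_DOMAIN + ".attacker-controlled.example"


if __name__ == "__main__":
    addr = build_overlong_address()
    print(len(addr), register_vulnerable(addr)["privileged"], hardened_rejects(addr))
```

The defensive point is that length limits must be enforced by rejection before any validation, and the domain check must run on the exact string that gets stored.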

Bypass IP brute force block

  1. Click Resource pool to open the Resource pool side panel, then add the attack to a resource pool with Maximum concurrent requests set to 1. By only sending one request at a time, you can ensure that your login attempts are sent to the server in the correct order.

  2. Click Payloads to open the Payloads side panel, then select position 1 from the Payload position drop-down list. Add a list of payloads that alternates between your username and carlos. Make sure that your username is first and that carlos is repeated at least 100 times.

  3. Edit the list of candidate passwords and add your own password before each one. Make sure that your password is aligned with your username in the other list.

  4. Select position 2 from the Payload position drop-down list, then add the password list. Start the attack.

  5. When the attack finishes, filter the results to hide responses with a 200 status code. Sort the remaining results by username. There should only be a single 302 response for requests with the username carlos. Make a note of the password from the Payload 2 column.
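The alternating-username trick above works because the IP failure counter is wiped whenever any account logs in successfully. As an added example (not from the original notes), the throttler below can be configured either way so the two behaviours can be compared on constructed traffic; MAX_FAILURES, WINDOW_SECONDS and the IP addresses are assumptions.

```python
# Added example (not from the original notes): a login throttler with a per-IP
# and a per-account failure counter. The flawed configuration mirrors the lab
# behaviour (IP-only counter, reset on any successful login); the hardened one
# never lets one account's success clear another account's failures.
from collections import defaultdict

MAX_FAILURES = 3          # assumed block threshold
WINDOW_SECONDS = 60       # assumed window in which failures are counted


class LoginThrottler:
    def __init__(self, per_account: bool, reset_ip_on_success: bool):
        self.per_account = per_account
        self.reset_ip_on_success = reset_ip_on_success
        self.ip_fail = defaultdict(list)     # ip -> failure timestamps
        self.user_fail = defaultdict(list)   # username -> failure timestamps

    @staticmethod
    def _recent(events, now):
        return [t for t in events if now - t < WINDOW_SECONDS]

    def is_blocked(self, ip, username, now):
        self.ip_fail[ip] = self._recent(self.ip_fail[ip], now)
        self.user_fail[username] = self._recent(self.user_fail[username], now)
        if len(self.ip_fail[ip]) >= MAX_FAILURES:
            return True
        return self.per_account and len(self.user_fail[username]) >= MAX_FAILURES

    def record(self, ip, username, success, now):
        if success:
            self.user_fail[username].clear()      # only this account's counter
            if self.reset_ip_on_success:
                self.ip_fail[ip].clear()          # the flaw: wipes every account's failures
        else:
            self.ip_fail[ip].append(now)
            self.user_fail[username].append(now)


def simulate(throttler, attempts):
    """attempts: (ip, username, success) tuples in send order, one per second.
    Returns how many attempts reached the credential check (were not blocked)."""
    reached = 0
    for i, (ip, user, success) in enumerate(attempts):
        now = float(i)
        if throttler.is_blocked(ip, user, now):
            continue
        reached += 1
        throttler.record(ip, user, success, now)
    return reached


def alternating_pattern(pairs):
    """Constructed traffic: the attacker's own valid login alternating with a
    wrong guess for 'carlos', all from one source address."""
    attempts = []
    for _ in range(pairs):
        attempts.append(("203.0.113.7", "wiener", True))
        attempts.append(("203.0.113.7", "carlos", False))
    return attempts


flawed = LoginThrottler(per_account=False, reset_ip_on_success=True)
hardened = LoginThrottler(per_account=True, reset_ip_on_success=False)

if __name__ == "__main__":
    print("flawed:", simulate(flawed, alternating_pattern(10)))      # every attempt gets through
    print("hardened:", simulate(hardened, alternating_pattern(10)))  # blocked after 3 failures
```

With ten alternating pairs the flawed configuration lets all 20 requests through, while the hardened one stops the source after the third failed guess for carlos, regardless of the interleaved successful logins.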

Password reset

  1. Send the password reset request to Burp Repeater and add the X-Forwarded-Host header with your exploit server URL:

    X-Forwarded-Host: YOUR-EXPLOIT-SERVER-ID.exploit-server.net

  2. Change the username parameter to carlos and send the request.

  3. Go to the exploit server and open the access log. You should see a GET /forgot-password request, which contains the victim's token as a query parameter. Make a note of this token.

  4. Open the password reset URL using the captured token and set a new password.

Auth Token bypass Macro

If the login form is protected against brute force by a random token that must be supplied on every login POST, a Burp macro can be used to fetch a fresh token for each request.

Create Burp Macro

  1. Open Settings and select Sessions under Project options.

  2. Scroll down to Macros, and add new macro.

  3. Select from the list the request whose response contains the token.

  4. Click Configure item and add a custom parameter location to extract the token from.

  5. Click OK to return to Sessions under Project options.

  6. Add a Session handling rule, and the editor dialogue opens.

  7. In the dialogue, go to the "Scope" tab.

  8. Under scope for the session handling rule editor, check Target, Intruder, and Repeater.

  9. Still under "URL Scope", select Include all URLs.

  10. Close Settings.

Brute Force

Stay-login cookie brute force

  1. Log out as the current user.

  2. Send the most recent GET /my-account request to Burp Intruder.

  3. Select the stay-logged-in cookie value as the injection position.

  4. Add payload processing rules, in this order:

     Hash: MD5

     Add prefix: carlos:

     Encode: Base64-encode

  5. Under the Settings tab, add a Grep - Match entry for the string Update email, which only appears in the response when the login succeeded.
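The processing rules above reconstruct a cookie of the form base64("carlos:" + md5(password)). As an added example (not from the original notes), the code below shows what such a cookie gives away when decoded, beside a remember-me scheme that stores only a hash of a random validator server-side. The user/password pair, the selector/validator layout and the RememberMeStore class are constructed for this example.

```python
# Added example (not from the original notes): decoding the weak
# base64(username:md5(password)) cookie, beside a hardened remember-me token
# that is random, revocable and unrelated to the password.
import base64
import hashlib
import hmac
import secrets


def make_weak_cookie(username: str, password: str) -> str:
    """The cookie format the Intruder rules above reconstruct."""
    digest = hashlib.md5(password.encode()).hexdigest()
    return base64.b64encode(f"{username}:{digest}".encode()).decode()


def decode_weak_cookie(cookie: str) -> tuple:
    """Anyone holding the cookie learns the username and an unsalted MD5 hash
    that can be checked against a wordlist offline."""
    username, digest = base64.b64decode(cookie).decode().split(":", 1)
    return username, digest


class RememberMeStore:
    """Hardened: cookie = selector.validator. The selector is a lookup key, the
    validator a random secret; only sha256(validator) is kept on the server."""

    def __init__(self):
        self.rows = {}   # selector -> (username, sha256(validator))

    def issue(self, username: str) -> str:
        selector = secrets.token_urlsafe(12)
        validator = secrets.token_urlsafe(32)   # urlsafe alphabet never contains '.'
        self.rows[selector] = (username, hashlib.sha256(validator.encode()).digest())
        return f"{selector}.{validator}"

    def verify(self, cookie: str):
        """Returns the username, or None. A valid selector with a wrong validator
        looks like a stolen/guessed cookie, so that row is revoked."""
        selector, _, validator = cookie.partition(".")
        row = self.rows.get(selector)
        if row is None:
            return None
        username, stored = row
        presented = hashlib.sha256(validator.encode()).digest()
        if not hmac.compare_digest(stored, presented):
            self.rows.pop(selector, None)
            return None
        return username

    def revoke_all(self, username: str) -> int:
        """Log out every device for a user, e.g. after a password change."""
        doomed = [s for s, (u, _) in self.rows.items() if u == username]
        for s in doomed:
            del self.rows[s]
        return len(doomed)


if __name__ == "__main__":
    weak = make_weak_cookie("carlos", "example-pass")   # constructed pair
    print(decode_weak_cookie(weak))
    store = RememberMeStore()
    cookie = store.issue("carlos")
    print(store.verify(cookie), store.verify(cookie[:-1] + "!"))
```

Because the hardened cookie carries no derivative of the password, an Intruder run over a wordlist cannot produce a valid value, and a leaked cookie can be revoked without forcing a password change.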

New password error flow

Notice the behaviour when you enter the wrong current password. If the two entries for the new password match, the account is locked. However, if you enter two different new passwords, an error message simply states Current password is incorrect. If you enter a valid current password but two different new passwords, the message says New passwords do not match.

  1. Enter your correct current password and two new passwords that do not match. Send this POST /my-account/change-password request to Burp Intruder.

  2. In Burp Intruder, change the username parameter to carlos and add a payload position to the current-password parameter. Make sure that the new password parameters are set to two different values. For example:

    username=carlos&current-password=§incorrect-password§&new-password-1=123&new-password-2=abc

  3. In the Payloads side panel, enter the list of passwords as the payload set and start the attack. The response that says New passwords do not match reveals the correct current password.

Response-time username enumeration

Use Intruder to brute force the username while sending a very long password; if the response takes noticeably longer, the username exists.

Then use Intruder again to attack the password.

If your IP gets blocked, use a second payload position on the X-Forwarded-For header to vary the apparent source address:

X-Forwarded-For: 12.13.14.15

Brute force different response

First check that the login page and password reset are not protected against brute force, i.e. no IP block or time-out is enforced for an invalid username or password.

Tip for the BSCP exam: there is sometimes another user with a weak password that can be brute forced. Carlos is not always the account to target for a foothold in stage 1.

In the Intruder results, look at the Grep column for the value Invalid username or password. For one username the failed-login message does not end with a full stop. Repeat the attack with that username, using a Sniper attack on the password field, and look for a 302 response indicating a valid login.

Another way to identify a valid username is to supply a list of usernames at login with a single invalid password. In the Intruder results, one response will contain the message Incorrect password. Intruder injection position: username=§invalid-username§&password=SomeStupidLongCrazyWrongSecretPassword123456789.
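Both the response-time and the differing-message techniques above leave a recognisable trace: one source address failing logins for many distinct usernames, with the server's failure messages not all identical. As an added example (not from the original notes), the detector below runs over constructed log lines, keys the count by the real remote address rather than the X-Forwarded-For value (which the notes show is attacker-controlled), and reports whether the failure messages are distinguishable. The log format, addresses and usernames are all constructed.

```python
# Added example (not from the original notes): username-enumeration detection
# over constructed access-log lines. Keying by X-Forwarded-For instead of the
# remote address hides the pattern, because that header is client-supplied.
import re
from collections import defaultdict

LINE_RE = re.compile(
    r'^(?P<ts>\S+) remote=(?P<remote>\S+) xff=(?P<xff>\S*) user=(?P<user>\S+) '
    r'result=(?P<result>\w+) msg="(?P<msg>[^"]*)"$'
)

# Constructed sample: one remote address, a different X-Forwarded-For on every
# request, six distinct usernames, and one failure message missing its full stop.
SAMPLE_LOG = """
2024-05-01T09:00:01Z remote=203.0.113.7 xff=12.13.14.15 user=admin result=fail msg="Invalid username or password."
2024-05-01T09:00:02Z remote=203.0.113.7 xff=12.13.14.16 user=root result=fail msg="Invalid username or password."
2024-05-01T09:00:03Z remote=203.0.113.7 xff=12.13.14.17 user=test result=fail msg="Invalid username or password."
2024-05-01T09:00:04Z remote=203.0.113.7 xff=12.13.14.18 user=guest result=fail msg="Invalid username or password."
2024-05-01T09:00:05Z remote=203.0.113.7 xff=12.13.14.19 user=support result=fail msg="Invalid username or password"
2024-05-01T09:00:06Z remote=203.0.113.7 xff=12.13.14.20 user=info result=fail msg="Invalid username or password."
2024-05-01T09:00:07Z remote=198.51.100.3 xff= user=wiener result=ok msg="Welcome"
""".strip().splitlines()


def parse(lines):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def enumeration_sources(events, threshold=5, key="remote"):
    """Sources that failed logins for at least `threshold` distinct usernames.
    key="remote" uses the TCP peer address; key="xff" shows why trusting
    X-Forwarded-For defeats the check."""
    seen = defaultdict(set)
    for e in events:
        if e["result"] != "ok":
            seen[e[key]].add(e["user"])
    return {src: users for src, users in seen.items() if len(users) >= threshold}


def distinguishable_messages(events):
    """Distinct failure messages. More than one means the application is
    telling clients something different per username and should be normalised."""
    return sorted({e["msg"] for e in events if e["result"] != "ok"})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print(enumeration_sources(evs))
    print(enumeration_sources(evs, key="xff"))
    print(distinguishable_messages(evs))
```

The mitigation on the application side is the mirror image of the detection: one identical failure message (and response time) for every failed login, and rate limiting keyed on something the client cannot rewrite.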

2FA bypass

  1. Change the verify parameter value to the username you want to obtain a code for.

  2. In Intruder, modify the POST request to login2 so that the verify parameter is set to that username.

  3. Brute force the 2FA code.

Password Reset

  1. The password reset functionality still works even if you delete the value of the temp-forgot-password-token parameter in both the URL and the request body.

  2. If you remove the current-password parameter entirely, you are able to change your password without providing your current one.
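The three reset weaknesses on this page (the link built from X-Forwarded-Host in the Password reset steps above, the empty temp-forgot-password-token being accepted, and the change-password request working without current-password) all come down to trusting what arrives in the request. As an added example (not from the original notes), the code below shows a reset flow that takes the host from configuration, treats a missing or empty token as invalid with a constant-time, single-use check, and refuses a change when current-password is absent. CANONICAL_BASE, TOKEN_TTL, the in-memory user table and the PasswordReset class are constructed assumptions; the password storage is deliberately simplified.

```python
# Added example (not from the original notes): a password-reset flow hardened
# against the three flaws described in these notes. The host, TTL and user
# table are constructed. Passwords are stored as sha256 here only for brevity;
# a real system would use a slow password hash such as argon2 or bcrypt.
import hashlib
import hmac
import secrets
import time

CANONICAL_BASE = "https://app.example"   # assumed deployment setting
TOKEN_TTL = 15 * 60                      # assumed token lifetime in seconds


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """Builds the link from client-supplied headers: X-Forwarded-Host wins."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return f"https://{host}/forgot-password?temp-forgot-password-token={token}"


def reset_link_hardened(headers: dict, token: str) -> str:
    """Request headers are deliberately ignored; the host comes from config."""
    return f"{CANONICAL_BASE}/forgot-password?temp-forgot-password-token={token}"


def _h(value: str) -> bytes:
    return hashlib.sha256(value.encode()).digest()


class PasswordReset:
    def __init__(self):
        self.passwords = {}   # username -> sha256(password)
        self.tokens = {}      # username -> (sha256(token), expiry)

    def set_password(self, username: str, password: str) -> None:
        self.passwords[username] = _h(password)

    def check_password(self, username: str, password: str) -> bool:
        stored = self.passwords.get(username)
        return stored is not None and hmac.compare_digest(stored, _h(password))

    def request_reset(self, username: str, now=None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.tokens[username] = (_h(token), now + TOKEN_TTL)
        return token

    def _token_valid(self, username: str, token, now) -> bool:
        if not token:                       # None or '' is never a valid token
            return False
        row = self.tokens.get(username)
        if row is None:
            return False
        digest, expiry = row
        if now > expiry:
            return False
        return hmac.compare_digest(digest, _h(token))

    def complete_reset(self, username, token, new1, new2, now=None) -> bool:
        """Single-use: a token that passes is deleted before the password changes."""
        now = time.time() if now is None else now
        if not self._token_valid(username, token, now) or new1 != new2 or not new1:
            return False
        del self.tokens[username]
        self.set_password(username, new1)
        return True

    def change_password(self, username: str, form: dict) -> str:
        """Authenticated change. current-password must be present and correct;
        one generic result string is returned for every failure so the response
        does not reveal which check failed."""
        current = form.get("current-password")
        new1, new2 = form.get("new-password-1"), form.get("new-password-2")
        if current is None or not new1 or new1 != new2:
            return "rejected"
        if not self.check_password(username, current):
            return "rejected"
        self.set_password(username, new1)
        return "ok"


if __name__ == "__main__":
    hdrs = {"Host": "app.example", "X-Forwarded-Host": "attacker-controlled.example"}
    print(reset_link_vulnerable(hdrs, "TOKEN"))
    print(reset_link_hardened(hdrs, "TOKEN"))
```

Returning the same generic result for a wrong current password and for mismatched new passwords also removes the oracle described under New password error flow, since the response no longer says which of the two checks failed.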
