Those who know me know that I not only practise offensive security techniques from a business perspective, I also play in a CTF team and build PwnDefend CTF challenges. I came up with the idea of doing a red and blue team CTF sometime in 2018; however, this isn’t as easy to build and run as you would think. Anyway, I digress… as part of my research and personal development I like to test out other platforms and pwn a few things, so I thought I’d do a quick write-up of the Pentester Academy Attack Defense labs Web Application Broken Authentication challenge. Spoiler alert… I spoil this one (but it’s easy, so don’t cry too hard!)
We begin this lab by reviewing the overview, I’ve also included the hint that is provided:
In the exercise below, the attacker is not authenticated to the web application and needs to find a broken authentication attack on it.
A version of Online Airline Booking System is vulnerable to broken authentication attack.
Objective: Your task is to find and exploit this vulnerability.
You may use the username and password below to explore the application but cannot use it to exploit it.
After spinning up the machine you are provided with a URL:
This site has a clear login area under Admin
Submitting the form shows no obvious response in the GUI. Let’s fire up Burp Suite!
Looking at the requests and responses we get the following:
An HTTP 302 is returned. Following the redirect, we get the following:
We can send this to intruder to attempt a brute force:
We configure a single payload position on the password parameter:
Using a top-10 list from https://github.com/danielmiessler/SecLists/tree/master/Passwords we configure the payloads:
Now having followed the flow manually we know there is a redirect so we need to configure this in BURP under intruder OPTIONS:
We can see the defaults are set to never follow redirects or process cookies. We are going to set these as follows:
(Follow in-scope redirects and process cookies)
I already did this entirely manually, so I know that cookie processing is required. When using a browser with the correct credentials no cookie was processed:
So, knowing this, we are going to configure cookie processing:
Now we click Start attack:
Looking at the responses, all of these return a 200; however, you can see that the response length changes when the password ‘password’ is used:
The first response sets a cookie (BURP is set to process this and follow the 302 redirect)
The second request now includes the cookie:
And finally, we have access to the application:
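The Intruder run above is a textbook credential brute force against a single login endpoint, and that is exactly the shape a defender can spot in web server logs. The following is an added example (not from the original post and not the lab's code) that scans constructed combined-format access-log lines and flags any source IP that posts to the login path more than a threshold number of times inside a sliding window. Because the application in the lab answers with a 302 for both a failed and a successful login (the cookie is what differs), the detection counts attempts rather than trying to tell success from failure by status code. The path `/admin/login`, the threshold and the window are assumed placeholders; tune them to the real application.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access log (combined log format). Not captured from the lab:
# 10.0.0.5 hammers the login form six times in five seconds, 10.0.0.9 logs in twice, minutes apart.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2019:10:00:01 +0000] "GET /admin/ HTTP/1.1" 200 1342 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2019:10:00:03 +0000] "POST /admin/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2019:10:00:04 +0000] "POST /admin/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2019:10:00:05 +0000] "POST /admin/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2019:10:00:05 +0000] "POST /admin/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2019:10:00:06 +0000] "POST /admin/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2019:10:00:07 +0000] "POST /admin/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2019:10:00:08 +0000] "POST /admin/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2019:10:03:20 +0000] "POST /admin/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path protocol" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_bruteforce(lines, login_path="/admin/login", threshold=5, window_seconds=60):
    """Return {ip: peak_attempts} for every source that sent at least `threshold`
    POSTs to `login_path` within any `window_seconds` span. Lines are expected in
    time order, as a log file normally is."""
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs still inside the window
    flagged = {}
    for entry in map(parse_line, lines):
        if entry is None or entry["method"] != "POST" or entry["path"] != login_path:
            continue
        window = recent[entry["ip"]]
        window.append(entry["ts"])
        # Drop attempts that have aged out of the sliding window.
        while window and (entry["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged[entry["ip"]] = max(flagged.get(entry["ip"], 0), len(window))
    return flagged


if __name__ == "__main__":
    for ip, attempts in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"possible credential brute force from {ip}: {attempts} login POSTs within 60s")
```

On the constructed input only 10.0.0.5 is reported. The same sliding-window logic works per username instead of per source IP if the application logs the submitted account name, which also catches attacks spread across many addresses.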
So the real vulnerability here was the fact that a simple cookie string check was used! We can use any username/password we like if we have the right cookie.
(Just for fun I thought I’d check and see if this is vulnerable to XSS as well 😉)
So we can see here that the application has broken authentication in that it relies upon a single cookie with a 1-day expiration, which simply sets “Cookie: LoggedIn=admin;”
This isn’t very secure: it’s transmitted in plain text, it does not have the secure cookie flags configured, and fundamentally this method of authentication and authorisation handling is majorly flawed:
- It’s vulnerable to brute force
- Sensitive data is transmitted in clear text
- Session management is not utilised for authentication
- Authorization headers/tokens are not leveraged
- Untrusted user input is not sanitised (and it’s vulnerable to reflected XSS injection and maybe more)
- The site doesn’t enforce a strong password policy
- There is a lack of MFA
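To make the contrast concrete, here is an added example (my own illustration, not code from the lab or the post) of the broken check beside a hardened one. The broken function does what the lab's application does: it trusts a fixed, client-chosen cookie value, so anyone who sends `LoggedIn=admin` is the admin. The hardened version issues a random 256-bit session token at login, keeps the session state server-side (storing only a hash of the token), enforces the same 1-day expiry, emits the cookie with `Secure`, `HttpOnly` and `SameSite` set, and adds a per-account failed-login counter so an Intruder-style wordlist run locks the account instead of walking through unhindered. The lockout threshold and duration are assumed values.

```python
import hashlib
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 24 * 3600      # 1 day, the same lifetime the lab's cookie had
MAX_FAILED_LOGINS = 5        # assumed lockout threshold
LOCKOUT_SECONDS = 15 * 60    # assumed lockout duration


def _cookies(cookie_header):
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return jar


def broken_is_authenticated(cookie_header):
    """The lab's pattern: the server trusts a client-controlled cookie value.
    Any request carrying LoggedIn=admin is treated as the admin."""
    jar = _cookies(cookie_header)
    return "LoggedIn" in jar and jar["LoggedIn"].value == "admin"


class SessionStore:
    """Server-side sessions keyed by an unguessable random token."""

    def __init__(self):
        self._sessions = {}  # sha256(token) -> (username, expires_at)

    @staticmethod
    def _key(token):
        # Store only a hash, so a leaked session table cannot be replayed as-is.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, username, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[self._key(token)] = (username, now + SESSION_TTL)
        return token

    def lookup(self, token, now=None):
        """Return the username for a live session, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(self._key(token))
        if entry is None:
            return None
        username, expires_at = entry
        if now >= expires_at:
            self._sessions.pop(self._key(token), None)
            return None
        return username

    def revoke(self, token):
        self._sessions.pop(self._key(token), None)


def session_cookie_header(token):
    """Set-Cookie value carrying the flags the lab's cookie lacked."""
    return (f"session={token}; Path=/; Max-Age={SESSION_TTL}; "
            "Secure; HttpOnly; SameSite=Strict")


def hardened_is_authenticated(cookie_header, store, now=None):
    """Identity comes from the server-side store, never from the cookie's contents."""
    jar = _cookies(cookie_header)
    if "session" not in jar:
        return None
    return store.lookup(jar["session"].value, now)


class LoginThrottle:
    """Per-account failed-attempt counter with a temporary lockout."""

    def __init__(self):
        self._state = {}  # username -> (failed_count, locked_until)

    def is_locked(self, username, now=None):
        now = time.time() if now is None else now
        _, locked_until = self._state.get(username, (0, 0))
        return now < locked_until

    def record_failure(self, username, now=None):
        now = time.time() if now is None else now
        count, locked_until = self._state.get(username, (0, 0))
        count += 1
        if count >= MAX_FAILED_LOGINS:
            count, locked_until = 0, now + LOCKOUT_SECONDS
        self._state[username] = (count, locked_until)

    def record_success(self, username):
        self._state.pop(username, None)


if __name__ == "__main__":
    store = SessionStore()
    print("forged cookie, broken check :", broken_is_authenticated("LoggedIn=admin"))
    print("forged cookie, hardened check:", hardened_is_authenticated("LoggedIn=admin", store))
    token = store.create("admin")
    print(session_cookie_header(token))
    print("real session, hardened check :", hardened_is_authenticated(f"session={token}", store))
```

Run stand-alone, the forged `LoggedIn=admin` cookie passes the broken check and fails the hardened one, while only a token minted by the server is accepted. The example deliberately leaves out password hashing, a password policy and MFA, which the list above also calls for; those sit in the login handler in front of `SessionStore.create`.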
So the list of problems is long! What I like about this is that it’s a simple way of showing broken authentication. What would be cool is if, when you pop the challenge (or along the way), it could show you why this is bad and provide an example of how to do this where the authentication process is NOT broken.
I’m continuing to test out the service and I’ll be posting further walkthroughs and reviews (I’m not giving away all the things!). So far I’m having fun; the interface is fairly simple to use. I love the fact you don’t need to SSH into the VMs as well! I’ve got some ideas which might make the platform better as well, but I’ll share those in more detail once I’ve spent more time playing and learning 🙂 Stay safe and hack the planet!