Bypassing token-based authentication controls
Bypassing token-based authentication controls refers to the act of circumventing or evading the security measures put in place to verify and validate authentication tokens. Token-based authentication involves issuing tokens to users upon successful authentication, which are then used to access protected resources or perform actions within an application or system.
The purpose of token-based authentication is to provide secure and convenient access to authorized users while protecting sensitive information. However, attackers may attempt to exploit vulnerabilities in the authentication process to bypass these controls and gain unauthorized access.
Common methods used to bypass token-based authentication controls include the following:
- Token manipulation: Attackers may attempt to manipulate or tamper with authentication tokens to alter their contents or extend their expiration time, allowing them to maintain access for an extended period.
- Token leakage: Attackers may try to intercept or steal valid tokens through techniques such as session hijacking, man-in-the-middle attacks, or XSS vulnerabilities. Once in possession of a valid token, they can use it to authenticate themselves and gain unauthorized access.
- Token brute-forcing: Attackers may employ brute-force techniques to guess or crack the token’s value or other authentication parameters. This involves systematically attempting different combinations until a valid token is discovered, providing access to the protected resources.
- Token replay attacks: Attackers may capture valid tokens and replay them to gain access without having to go through the authentication process. This is particularly effective if tokens are not properly protected or validated against replay attacks.
- Token substitution: Attackers may try to substitute a valid token with a forged or malicious token to impersonate another user or gain elevated privileges within the system.
In the BreachMe API, we have intentionally added a vulnerability to the update user endpoint. The API checks that a valid authentication token accompanies any update to a user's data. It does not, however, check that the user ID given in the request path belongs to the holder of that token, so an attacker can edit somebody else's data simply by swapping the ID in the request while presenting their own valid token.
First, you need to visit the register endpoint and register your account:
Figure 6.14 – Creating an account to get a token
When testing for authentication vulnerabilities, it is recommended that you have two user accounts for testing. This ensures that you test against a user that is yours and prevents accidentally accessing, modifying, or deleting the data of a real consumer of the API. Using the register endpoint, create a second user. Ensure that the usernames are distinct to avoid confusion during testing.
Figure 6.15 – Creating the second user
Now we have two users. You can duplicate the collection so that you have separate collections for the attacker and victim accounts; that way, you don't need to log out of one account every time you want to act as the other.
After creating both users, we now log in to the attacker account using the login endpoint (see the following figure). We can go on and make http://localhost:8080 a variable for our collection. Our attacker account here will be cybersafe1.
Figure 6.16 – Attacker login
After logging in, we see that the attacker has an ID of 3. Because the IDs are small sequential integers, it is reasonable to assume that other users exist at neighbouring IDs. You can go to the other collection, log in as the victim account, and note the victim ID. Here, my victim ID is 4.
Figure 6.17 – Victim account
Now, on the attacker collection, we visit the /updateuser endpoint. This endpoint has the attacker ID 3 in the URL. So, we replace it with the victim ID and, in the body, specify that we want to change the victim's email to something else. Note that we keep sending the attacker's own token; nothing about the token itself changes.
Figure 6.18 – Updating the victim’s profile
Our request is successful. If we now log in to the victim's account again, we see that the victim's email has changed.
Figure 6.19 – Victim account info after the attack
An attacker with a valid authentication token for their own account can change the user ID in the request and, because the server only checks that the token is valid rather than that it belongs to the user being modified, gain unauthorized access to and tamper with another user's data. The token is never broken here; what is missing is an object-level authorization check (the class OWASP's API Security Top 10 calls Broken Object Level Authorization, also known as IDOR), which is why validating the token alone is not enough.
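The walkthrough above, as an added Python example that is not the BreachMe API's own code: a minimal model of the login and update-user endpoints with HMAC-signed tokens. `update_user_vulnerable` reproduces the flaw described (it checks only that a valid token was sent), `update_user_fixed` adds the missing check that the token's `sub` claim matches the ID in the path, and `forge_subject` shows why the token-manipulation route from the list earlier in this section fails against a signed token while the ID swap succeeds. The signing key, token format, usernames, email addresses and function names are assumptions for illustration; only the user IDs 3 and 4 follow the chapter.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: a placeholder signing key. The BreachMe API's real key and token
# format are not shown in the chapter; only the behaviour is modelled here.
SECRET = b"demo-signing-key-not-the-real-one"


def make_db():
    """Constructed in-memory user table mirroring the walkthrough (IDs 3 and 4).
    Usernames and emails other than cybersafe1 are made up for the example."""
    return {
        3: {"username": "cybersafe1", "email": "attacker@example.com"},
        4: {"username": "victim1", "email": "victim@example.com"},
    }


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id, ttl=3600):
    """Login step: mint an HMAC-SHA256 signed token naming the user in 'sub'."""
    payload = json.dumps({"sub": user_id, "exp": int(time.time()) + ttl}).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token):
    """Return the claims if signature and expiry check out, otherwise None."""
    try:
        enc_payload, enc_sig = token.split(".")
        payload = _unb64(enc_payload)
        expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(enc_sig)):
            return None
        claims = json.loads(payload)
        if claims["exp"] < time.time():
            return None
        return claims
    except (ValueError, KeyError, TypeError):
        return None


def update_user_vulnerable(db, token, path_user_id, new_email):
    """PUT /updateuser/<id> as the walkthrough describes it: the server checks
    that *a* valid token was presented, but never that it belongs to <id>."""
    if verify_token(token) is None:
        return 401, "invalid or expired token"
    if path_user_id not in db:
        return 404, "no such user"
    db[path_user_id]["email"] = new_email
    return 200, "updated"


def update_user_fixed(db, token, path_user_id, new_email):
    """Same endpoint with the missing object-level authorization check:
    the user named in the token must be the user addressed by the path."""
    claims = verify_token(token)
    if claims is None:
        return 401, "invalid or expired token"
    if claims["sub"] != path_user_id:
        return 403, f"token does not belong to user {path_user_id}"
    if path_user_id not in db:
        return 404, "no such user"
    db[path_user_id]["email"] = new_email
    return 200, "updated"


def forge_subject(token, new_sub):
    """Token manipulation attempt: rewrite 'sub' in the payload without the key.
    The old signature no longer covers the new payload, so verify_token rejects it."""
    enc_payload, enc_sig = token.split(".")
    claims = json.loads(_unb64(enc_payload))
    claims["sub"] = new_sub
    return _b64(json.dumps(claims).encode()) + "." + enc_sig


def run_attack():
    """Replay the chapter's steps: attacker (ID 3) targets victim (ID 4)
    against both versions of the endpoint, plus one forged-token attempt."""
    attacker_token = issue_token(3)
    vuln_db, fixed_db = make_db(), make_db()
    new_email = "attacker-controlled@example.com"
    vuln_status, _ = update_user_vulnerable(vuln_db, attacker_token, 4, new_email)
    fixed_status, _ = update_user_fixed(fixed_db, attacker_token, 4, new_email)
    forged_accepted = verify_token(forge_subject(attacker_token, 4)) is not None
    return {
        "vulnerable_status": vuln_status,
        "vulnerable_victim_email": vuln_db[4]["email"],
        "fixed_status": fixed_status,
        "fixed_victim_email": fixed_db[4]["email"],
        "forged_token_accepted": forged_accepted,
    }


if __name__ == "__main__":
    for key, value in run_attack().items():
        print(f"{key} = {value}")
```

Running the file prints the vulnerable endpoint returning 200 with the victim's email overwritten, the fixed endpoint returning 403 with the victim untouched, and the forged token rejected. Against the real API the same test is a single request: your own token in the header, the other user's ID in the path; anything other than a 403 (or 404 that hides the resource) means the check is missing.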