Bypassing user authentication controls
Bypassing user authentication controls refers to the act of circumventing or evading the security mechanisms that are in place to verify the identity of a user before granting access to a system, application, or resource. It involves finding vulnerabilities or weaknesses in the authentication process to gain unauthorized access. There are various means of bypassing authentication controls:
- Brute-force attacks: Attackers may attempt to guess or crack user credentials by systematically trying various combinations of usernames and passwords
- Credential stuffing: This method involves using stolen credentials from one platform to gain unauthorized access to other systems where users have reused passwords
- Session hijacking: Attackers may exploit vulnerabilities in the session management process to hijack a user’s active session or steal session tokens
- Cross-site scripting (XSS): By injecting malicious scripts into a website or application, attackers can steal user credentials or manipulate the authentication process
- Password reset attacks: Attackers may exploit weak or insecure password reset mechanisms to gain unauthorized access
- Default credentials: Attackers can leverage default credentials of specific technologies to bypass authentication login
On the BreachMe API, we have purposefully made the Admin user credentials very easy to brute force. To do this, we need to proxy the login endpoint through Burp Suite, as seen in Figure 6.7, and send it to the repeater as we want to send continuous requests looking for the admin creds. If you are having issues with proxying the traffic from Postman to Burp, then you may need to change the proxy listener of Burp to 127.0.0.1:8081, as seen in Figure 6.5, and make sure no other service is using this.
Figure 6.5 – Burp Proxy listener settings
Also, on Postman, go to File | Settings | Proxy and replace the port there with 8081.
Figure 6.6 – Postman proxy settings
Now, when you send a request on Postman, you will see it on Burp.
Figure 6.7 – Burp Proxy intercepting
This request will have to be sent to the repeater. You can do this by right-clicking on the intercepted request and choosing the Send to repeater option. On the Repeater tab, we will need to try different names that an administrator could be using.
Figure 6.8 – Testing the username “administrator”
This says that we do not have an account named administrator. When we tried the username admin, we noticed that the response changed to wrong password, so now we know that the admin account username is admin.
Figure 6.9 – Testing the username “admin”
So, we can send that request to the intruder where we will be trying to brute force the password. You can do this by right-clicking in the Request tab and selecting Send to Intruder. On the intruder, under the Positions tab, you can clear all the payload positions and only add the payload to the password parameter.
Figure 6.10 – Configuring the payload position on the intruder
On the Payloads tab in the intruder, choose the Simple list payload option and use the following for the attack.
Figure 6.11 – Configuring the wordlist
After configuring the list, start the attack and wait. The result shows us that we have a 200 response code on admin123. Now we can try to use that to log in to the admin account.
Figure 6.12 – Attack results
We will have to visit the login endpoint again and then use admin as the username and admin123 as the password and see whether it gives us access to the admin account.
Figure 6.13 – Authenticating using the found password
We can see from the image that we got access to the admin account using the credentials we found. By exploiting this vulnerability, an attacker can bypass the authentication controls and gain unauthorized access to the system with administrative privileges.
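The walkthrough relied on two server-side weaknesses: the login endpoint answered "no account named ..." and "wrong password" differently, which confirmed the username before the Intruder run, and it never throttled the wordlist. The following Python is an added illustration written for this section, not BreachMe's own code: a constructed login handler in the vulnerable shape beside a hardened one that returns a single generic message and counts failures. The user store, salt and hash parameters are assumptions.

```python
"""Vulnerable vs. hardened login handler (constructed example, not BreachMe code)."""
import hashlib
import hmac

# Assumed user store: password hashed with PBKDF2 (any slow hash such as
# argon2/bcrypt is preferable in production). The weak credential from the lab.
SALT = b"constructed-salt-value"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)


USERS = {"admin": _hash("admin123")}


def vulnerable_login(username: str, password: str):
    """Distinct status/message per failure cause: this is what let the
    Repeater step confirm that 'admin' exists before brute forcing."""
    if username not in USERS:
        return 404, "no account named " + username
    if not hmac.compare_digest(USERS[username], _hash(password)):
        return 401, "wrong password"
    return 200, "ok"


MAX_FAILURES = 5  # assumed lockout threshold
_failures: dict = {}  # failed attempts per username (in-memory for the demo)


def hardened_login(username: str, password: str):
    """Same response for unknown user and wrong password, plus a failure
    counter that stops a wordlist run after MAX_FAILURES attempts."""
    if _failures.get(username, 0) >= MAX_FAILURES:
        return 429, "too many attempts"
    stored = USERS.get(username)
    candidate = _hash(password)  # hash even for unknown users: no timing leak
    if stored is None or not hmac.compare_digest(stored, candidate):
        _failures[username] = _failures.get(username, 0) + 1
        return 401, "invalid username or password"
    _failures.pop(username, None)
    return 200, "ok"
```

A per-username counter alone can be abused to lock real users out; pairing it with per-source throttling and alerting on repeated 401s is the usual compromise.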