Authentication vulnerabilities

Unencrypted (http) Authentication

Check if registration, login or password recovery is possible over plain HTTP.

Username enumeration

Check predictable, valid/invalid user responses.

For example, try to create an account and if the username is already taken it will be notified: *The name admin is already taken*

Check differences in responses when using valid and non-valid usernames in login, register and password reset forms.

For example, to perform a brute-force username enumeration, use Intruder in Burp, select Sniper > Payloads > Simple list, then use a list of candidate usernames. After executing the attack, observe the length of the responses: if we obtain *Incorrect password* instead of *Invalid username*, then we have located a valid username.

Then, we could try brute-forcing the password for that username.
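As an added example (not part of the original notes), a minimal Python login check showing the leaky response pattern described above beside a hardened version that returns one generic message and does the same hashing work whether or not the username exists. The user store and passwords are constructed for the example.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed user store: username -> (salt, stored hash).
_SALT = os.urandom(16)
USERS = {"admin": (_SALT, _hash("correct horse battery staple", _SALT))}
# Dummy record so an unknown username costs the same hashing work as a known one.
_DUMMY = (_SALT, _hash("dummy", _SALT))


def login_vulnerable(username: str, password: str) -> str:
    """Tells the caller which half of the credential pair was wrong (enumerable)."""
    if username not in USERS:
        return "Invalid username"
    salt, stored = USERS[username]
    if _hash(password, salt) != stored:
        return "Incorrect password"
    return "OK"


def login_hardened(username: str, password: str) -> str:
    """Same message, same response length and same work for valid and invalid usernames."""
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), stored)
    # The explicit membership test stops a guess of the dummy password from succeeding.
    return "OK" if ok and username in USERS else "Invalid username or password"


def distinguishable(login, candidates, password="x") -> bool:
    """True if a failed login yields different responses for different usernames."""
    responses = {login(u, password) for u in candidates}
    return len(responses) > 1


if __name__ == "__main__":
    print("vulnerable enumerable:", distinguishable(login_vulnerable, ["admin", "bob"]))
    print("hardened enumerable:  ", distinguishable(login_hardened, ["admin", "bob"]))
```

The `distinguishable` helper is the server-side equivalent of the response-length comparison the notes describe: if it returns True, the form leaks valid usernames.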

Simple credentials

Check for default, trivial, or low-quality passwords (<8 characters, numbers only, etc.).

Concurrent logins

Log into the same account from different browsers and IPs and check if the server allows multiple logins at the same time.

Password entry with autocomplete enabled

View source code of the login page where the login is done.

Look for the autocomplete attribute in the password input field. If the attribute is set to autocomplete="on" or if the attribute is missing (since the default behavior can be to allow autocompletion), then the password entry is vulnerable as it allows browsers to store and auto-fill the password.

Password Policy

Check if the site enforces a weak password policy when registering.

Password reset

Check if the application allows passwords to be changed.

Check if the old password is requested before you can set a new one.

Check if the reset token is actually verified (i.e. delete it from the request and check whether the password is still changed).

Brute Force Login pages

hydra -l Elliot -P fsocity.dic 10.10.232.104 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:The password you entered for the username" -t 30

hydra -l mike -P /usr/share/wordlists/rockyou.txt 10.10.83.195 http-post-form "/simple/admin/login.php:username=^USER^&password=^PASS^&loginsubmit=Submit:User name or password incorrect" -t 30

*If you find different error messages for a failed username or password, this is a reportable pentesting finding. Seeing this means we can test for usernames and passwords.

*hash-identifier

We could also use the Burp Intruder.

Login Bypass

2FA bypasses

- Simple bypass

Log in to your own account and make a note of the URL of the account page. Then log in using the victim's credentials and manually change the URL to navigate to the previously noted account URL.

- Brute-force bypass

Use Intruder > Payloads > Numbers and range 0 - 9999
