d4Rk's 1337 h4x0r guide
Authentication vulnerabilities


Last updated 2 years ago

Authentication

Authentication factors

Authentication mechanisms verify one or more of the following factors:

  • Something you know (e.g. password, security question)

  • Something you have (e.g. mobile phone, security token)

  • Something you are (e.g. biometrics, behaviour)

Difference to authorization

  • Authentication: Who you are

  • Authorization: What you are allowed to do

Vulnerabilities

Password based

Username enumeration

Try to spot differences in:

  • Status codes

  • Error messages

  • Response times (use a very long password to increase the difference in response time)

  • If an account gets locked out, that most likely means the account exists ;-)
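The response differences listed above are all things the login handler controls. As an added example (not code from this guide, and not from PortSwigger), here is a leaky login routine next to a hardened one that returns the same status and message for an unknown user and for a wrong password, and always computes exactly one password hash so the "unknown user" path is not measurably faster. The user store, the dummy credential and the `HASH_CALLS` counter are constructed for the example; the counter only exists to make the work-per-path checkable without timing noise.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000          # PBKDF2 work factor (kept low so the example runs quickly)
MAX_PASSWORD_LEN = 1024      # bound the hashing cost a very long password can impose

HASH_CALLS = {"n": 0}        # instrumentation only: counts password hashes computed


def _hash_password(password: str, salt: bytes) -> bytes:
    HASH_CALLS["n"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store (hypothetical data): username -> (salt, pbkdf2 hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

# Dummy credentials hashed once at start-up so that the "unknown user" path
# can do exactly the same work as the "known user, wrong password" path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-not-a-real-password", _DUMMY_SALT)

GENERIC_FAILURE = (401, "Invalid username or password")


def login_leaky(username: str, password: str):
    """Vulnerable variant: a distinct status and message per failure cause,
    and an early return for unknown users (no hash computed -> faster reply)."""
    if username not in USERS:
        return 404, "Unknown user"
    salt, stored = USERS[username]
    if _hash_password(password, salt) != stored:
        return 401, "Wrong password"
    return 200, "OK"


def login_uniform(username: str, password: str):
    """Hardened variant: one status, one message and one password hash
    regardless of whether the username exists."""
    if len(password) > MAX_PASSWORD_LEN:
        return GENERIC_FAILURE
    known = username in USERS
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    # Constant-time comparison; 'known' is AND-ed in afterwards so a password
    # that happens to match the dummy hash can never log in as a non-user.
    if not (hmac.compare_digest(candidate, stored) and known):
        return GENERIC_FAILURE
    return 200, "OK"


def hash_calls_for(login, username: str, password: str) -> int:
    """How many password hashes a login function computes for one attempt.
    Equal counts for the unknown-user and wrong-password cases are the
    application-level prerequisite for not leaking via response time."""
    before = HASH_CALLS["n"]
    login(username, password)
    return HASH_CALLS["n"] - before
```

The length cap matters for the "very long password" trick from the list: because both paths hash the submitted password, a long password slows both equally, and the cap keeps that cost bounded either way.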

Brute-force protections

Blocking IP address

  • If the X-Forwarded-For header is honoured, try changing it for each request.

  • Sometimes a successful login to a valid account (e.g. your own) resets the failed-attempt counter.

Locking the user account

  • Password spraying: Test a lot of different usernames with just a few common passwords, to avoid being locked out.

  • Credential stuffing: Use credentials from a breach of another site, as users often reuse their credentials.
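From the defender's side, both spraying and credential stuffing leave the same trace: one source, many distinct usernames, very few failures per username, which a per-account lockout never sees. As an added example (not from this guide), the detector below runs that check over a few constructed log lines; the log format, the sliding window and the thresholds are assumptions made for the example, not any real product's format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical data, not from a real system).
# 203.0.113.7 tries six accounts with one password each within seconds (spraying),
# 192.0.2.9 hammers a single account (classic brute force, caught by per-account lockout),
# 198.51.100.4 is a user who mistypes once and then logs in.
SAMPLE_LOG = """\
2024-01-15T10:00:01Z login src=203.0.113.7 user=alice result=fail
2024-01-15T10:00:03Z login src=203.0.113.7 user=bob result=fail
2024-01-15T10:00:05Z login src=203.0.113.7 user=carol result=fail
2024-01-15T10:00:07Z login src=203.0.113.7 user=dave result=fail
2024-01-15T10:00:09Z login src=203.0.113.7 user=erin result=fail
2024-01-15T10:00:11Z login src=203.0.113.7 user=frank result=fail
2024-01-15T10:00:12Z login src=192.0.2.9 user=carol result=fail
2024-01-15T10:00:13Z login src=192.0.2.9 user=carol result=fail
2024-01-15T10:00:14Z login src=192.0.2.9 user=carol result=fail
2024-01-15T10:00:15Z login src=192.0.2.9 user=carol result=fail
2024-01-15T10:00:16Z login src=192.0.2.9 user=carol result=fail
2024-01-15T10:00:17Z login src=192.0.2.9 user=carol result=fail
2024-01-15T10:00:20Z login src=198.51.100.4 user=alice result=fail
2024-01-15T10:00:31Z login src=198.51.100.4 user=alice result=ok
"""

LINE_RE = re.compile(r"^(\S+) login src=(\S+) user=(\S+) result=(ok|fail)$")


def parse_log(text):
    """Yield (timestamp, src, user, result) tuples; non-matching lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)


def failures_by_source(events):
    """src -> time-ordered list of (timestamp, user) for failed logins."""
    fails = defaultdict(list)
    for ts, src, user, result in events:
        if result == "fail":
            fails[src].append((ts, user))
    for lst in fails.values():
        lst.sort()
    return fails


def detect_spraying(events, window=timedelta(minutes=10), min_users=5, max_fails_per_user=2):
    """Flag sources that, inside one window, fail against at least `min_users`
    distinct accounts while never exceeding `max_fails_per_user` on any of them.
    A single-account brute force has one user and so is not flagged here."""
    flagged = set()
    for src, fails in failures_by_source(events).items():
        for i, (t0, _) in enumerate(fails):
            per_user = defaultdict(int)
            for t, user in fails[i:]:
                if t - t0 > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_fails_per_user:
                flagged.add(src)
                break
    return sorted(flagged)
```

The thresholds are a trade-off: a shared NAT address can legitimately show many users, so in practice the distinct-user count would be weighed against the usual population behind that source.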

Rate limiting

Rate limiting kicks in after too many login requests in a short period of time.
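The two bypasses listed under "Blocking IP address" (spoofing X-Forwarded-For, and resetting the counter by logging into a valid account) both come down to how the limiter is keyed. As an added example (not code from this guide), the guard below only honours X-Forwarded-For when the TCP peer is a configured trusted proxy, and then uses the rightmost entry, which is the one that proxy appended; it counts every attempt per client address inside a sliding window, success or not, and keeps a per-account failure counter that a successful login to some other account does not reset. The class, its thresholds and the header handling are assumptions for the example; a real deployment would also have to match its actual proxy chain.

```python
from collections import defaultdict, deque


class LoginGuard:
    """Rate limiter plus per-account lockout, keyed on the real client address."""

    def __init__(self, max_fails_per_user=5, max_attempts_per_ip=20, window=600, trusted_proxies=()):
        self.max_fails_per_user = max_fails_per_user
        self.max_attempts_per_ip = max_attempts_per_ip
        self.window = window                       # seconds
        self.trusted_proxies = frozenset(trusted_proxies)
        self.fails_per_user = defaultdict(int)     # username -> consecutive failures
        self.attempts_per_ip = defaultdict(deque)  # ip -> timestamps of attempts

    def client_ip(self, remote_addr, headers):
        """X-Forwarded-For is only believed when the peer is a trusted proxy, and
        then only its rightmost hop (the one that proxy appended). Anything the
        client itself put in the header sits further left and is ignored."""
        xff = headers.get("X-Forwarded-For")
        if remote_addr in self.trusted_proxies and xff:
            return xff.split(",")[-1].strip()
        return remote_addr

    def _recent(self, ip, now):
        q = self.attempts_per_ip[ip]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def allowed(self, remote_addr, headers, username, now):
        ip = self.client_ip(remote_addr, headers)
        if len(self._recent(ip, now)) >= self.max_attempts_per_ip:
            return False                           # rate limit for this source
        return self.fails_per_user[username] < self.max_fails_per_user

    def record(self, remote_addr, headers, username, success, now):
        ip = self.client_ip(remote_addr, headers)
        self._recent(ip, now).append(now)          # every attempt counts, success or not
        if success:
            self.fails_per_user[username] = 0      # resets only this account's counter
        else:
            self.fails_per_user[username] += 1
```

The per-IP deque deliberately records successful logins too: if only failures were counted, an attacker who owns one valid account could interleave logins to it and keep the failure budget from filling up, which is exactly the reset behaviour described above.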

Multi-factor

TODO

OAuth

TODO

Other vulnerabilities

Keep users logged in

Often implemented as a "remember me" token that is then stored in a cookie.

  • If the token is somehow guessable, it can be brute-forced (e.g. if it is built from username:password, username_timestamp, ...).

  • Even if you don't have a valid account for inspecting the cookie, you may be able to steal one from a valid user via XSS.

  • If the cookie contains an unsalted password hash, you can probably brute-force it to recover the plaintext password.

Reset password

A password reset URL should contain a high-entropy, hard-to-guess token that is tied to that very user account in the back-end, expires after a short period of time and is immediately invalidated after the password has been reset.

  • If the URL carries only the username instead, you can simply change it to any arbitrary username you like.
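The "remember me" cookie and the reset link above are the same problem in two flavours: a bearer token that must be unguessable, bound server-side to one account, and revocable. As an added example (not code from this guide), the store below covers both: tokens come from the OS CSPRNG, only a hash of each is kept, the account is looked up from the token rather than taken from the request, reset tokens expire and are single-use, and completing a reset revokes every outstanding token of that account. The weak `username:password` cookie from the first bullet is included for contrast. The class, the TTLs and the plain-text `passwords` dict are assumptions for the example (a real store would keep salted hashes).

```python
import base64
import hashlib
import secrets
import time


def weak_remember_me(username: str, password: str) -> str:
    """The kind of 'remember me' value the guide warns about: a deterministic
    encoding of username:password. Anyone who reads the cookie has the
    credentials, and anyone who knows the format can build one."""
    return base64.b64encode(f"{username}:{password}".encode()).decode()


class TokenStore:
    """Server-side store of opaque random tokens. Only a hash of each token is
    kept, so a leaked table does not hand out usable tokens."""

    def __init__(self):
        self._records = {}  # sha256(token) -> {"user", "expires", "single_use"}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, ttl: float, single_use: bool, now=None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; nothing derived from user data
        self._records[self._key(token)] = {"user": user, "expires": now + ttl, "single_use": single_use}
        return token

    def redeem(self, token: str, now=None):
        """Return the account the token is bound to, or None. The caller never
        gets to say which account it wants; the binding is server-side."""
        now = time.time() if now is None else now
        key = self._key(token)
        rec = self._records.get(key)
        if rec is None:
            return None
        expired = now >= rec["expires"]
        if expired or rec["single_use"]:
            del self._records[key]          # expired, or consumed by this redemption
        return None if expired else rec["user"]

    def revoke_all(self, user: str) -> int:
        """Drop every token of one account (logout everywhere / after a reset)."""
        doomed = [k for k, r in self._records.items() if r["user"] == user]
        for k in doomed:
            del self._records[k]
        return len(doomed)


REMEMBER_ME_TTL = 30 * 24 * 3600   # long-lived, revocable
RESET_TTL = 15 * 60                # short-lived, single-use


def issue_remember_me(store, user, now=None):
    return store.issue(user, REMEMBER_ME_TTL, single_use=False, now=now)


def issue_password_reset(store, user, now=None):
    return store.issue(user, RESET_TTL, single_use=True, now=now)


def complete_password_reset(store, passwords, token, new_password, now=None):
    """Set a new password for whichever account the token is bound to.
    A username supplied by the client is deliberately not a parameter here."""
    user = store.redeem(token, now=now)
    if user is None:
        return None
    passwords[user] = new_password      # placeholder for storing a salted hash
    store.revoke_all(user)              # kills remaining reset links and remember-me cookies
    return user
```

Because the account comes out of the store and never out of the request, the "just change the username in the URL" bullet has nothing to change: a reset form that posts a username alongside the token should ignore that field, or at most require it to match the bound account.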

Password reset poisoning

Change password

Password change pages are often affected by the same type of vulnerabilities as login pages.

  • If the username is sent via a hidden field, you may be able to change it to an arbitrary username.
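The hidden-field issue is a handler that takes its idea of "who" from the form instead of from the session. As an added example (not code from this guide), here is that vulnerable handler beside a hardened one that ignores any username in the form, binds the change to the authenticated session user and requires the current password. The in-memory user store and the PBKDF2 helper are constructed for the example.

```python
import hashlib
import hmac
import os


def hash_password(password, salt=None):
    """salt || PBKDF2-HMAC-SHA256(password); a fresh random salt per call."""
    salt = os.urandom(16) if salt is None else salt
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


def verify_password(stored, password):
    return hmac.compare_digest(stored, hash_password(password, stored[:16]))


# Constructed user store (hypothetical): username -> salted hash.
USERS = {"alice": hash_password("alice-old"), "bob": hash_password("bob-old")}


def change_password_vulnerable(form, users=USERS):
    """Trusts a hidden 'username' field and never asks for the current password:
    any logged-in user can set anyone's password by editing the field."""
    users[form["username"]] = hash_password(form["new_password"])
    return True


def change_password(session_user, form, users=USERS):
    """Identity comes from the authenticated session; form['username'] is ignored.
    Re-authentication with the current password stops a hijacked session or a
    CSRF'd request from silently taking over the account."""
    if session_user is None or session_user not in users:
        return False
    if not verify_password(users[session_user], form.get("current_password", "")):
        return False
    if form["new_password"] != form.get("confirm_password"):
        return False
    users[session_user] = hash_password(form["new_password"])
    return True
```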

PortSwigger - Web Security Academy - Authentication vulnerabilities
PortSwigger - Web Security Academy - Password reset poisoning