Web Application Hacking
Authentication
Learning Goals
• By the end of this lesson, you will be able to:
– Explain how HTTP Basic Authentication works.
– Explain how HTTP Digest Authentication works.
– Explain how HTML Form Based Authentication works.
What is Authentication?
2.1 Web Authentication
• The process of verifying the identity of someone.
– It determines whether someone really is the person they claim to be.
What is Web Authentication?
2.1 Web Authentication
• Web Authentication determines whether someone attempting to access a protected resource with a username really is the same person who created the account.
The first HTTP authentication method
2.1.1 HTTP Basic Authentication
HTTP Basic Authentication Process
2.1.1 HTTP Basic Authentication
1. Client → Server:
   GET /protected HTTP/1.1
2. Server → Client:
   HTTP/1.1 401 Unauthorized
   WWW-Authenticate: Basic
3. Client → Server:
   GET /protected HTTP/1.1
   Authorization: Basic base64(username:password)
4. Server → Client:
   HTTP/1.1 200 OK or 401 Unauthorized
HTTP Basic Authentication is NOT secure
2.1.1 HTTP Basic Authentication
• HTTP Basic Authentication weaknesses
– User credentials are only encoded, and the encoding is reversible
o Base64 username:password
– Same user credentials are sent every time the client makes a request
o Static login credentials
HTTP Digest Authentication Process
2.1.2 HTTP Digest Authentication
1. Client → Server:
   GET /protected HTTP/1.1
2. Server → Client:
   HTTP/1.1 401 Unauthorized
   WWW-Authenticate: Digest nonce="X95LDujmBAA=9c…5c57d0f90245d0f5"
3. Client → Server:
   GET /protected HTTP/1.1
   Authorization: Digest response=Hash(nonce+username+password+URL+HTTP Method)
4. Server → Client:
   HTTP/1.1 200 OK or 401 Unauthorized
HTTP Digest Authentication is secure
2.1.2 HTTP Digest Authentication
• HTTP Digest Authentication strengths
– User credentials are hashed, and hashes are NOT reversible
o Hash nonce+username+password+URL+HTTP Method
– The hash changes with every request
o The nonce gives dynamism to the conversation
• HTTP Digest Authentication weaknesses
– User credentials are sent with every request.
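The two schemes side by side, as an added example that is not part of the slides: a Basic header is undone with one base64 decode, while a Digest response is an MD5 over the nonce, username, password, URL and method that the server recomputes and compares. The user store, realm name and nonce generator are constructed for the example, and the Digest computation follows the RFC 2617 MD5 form without the qop extension.

```python
import base64
import hashlib
import secrets

# Constructed sample realm and user store (not from the slides).
REALM = "protected"
USERS = {"alice": "s3cret"}


def encode_basic(user, password):
    """Build the header the client sends in step 3 of the Basic flow."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(header):
    """Split a 'Basic <base64>' Authorization header back into (user, password).

    Base64 is an encoding, not encryption: anyone who sees the header
    recovers the credentials with one reversible step.
    """
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, password, realm, nonce, method, uri):
    """RFC 2617 Digest (MD5, no qop): response = MD5(HA1 ':' nonce ':' HA2).

    HA1 = MD5(user ':' realm ':' password), HA2 = MD5(method ':' uri).
    Because the nonce is mixed in, the same credentials produce a different
    response on every challenge.
    """
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def new_nonce():
    """Server-side nonce for the WWW-Authenticate challenge (step 2)."""
    return secrets.token_hex(16)


def verify_digest(user, realm, nonce, method, uri, response):
    """Server side of step 4: recompute the expected response and compare.

    The server never learns the password from the response; it needs its
    own copy (or the precomputed HA1) to recompute the same value.
    """
    password = USERS.get(user)
    if password is None:
        return False
    expected = digest_response(user, password, realm, nonce, method, uri)
    return secrets.compare_digest(expected, response)
```

The `verify_digest` check also fails when the nonce, method or URL differ from the challenge, which is why a captured response cannot simply be replayed against a fresh challenge. A captured response can still be guessed offline against the password because MD5 is fast, so Digest does not remove the need for TLS.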
HTML Form Based Authentication
2.1.3 HTML Form Based Authentication
• Redirects the user to a login page
– User must supply username and password via an HTML form.
HTML Form Based Authentication
2.1.3 HTML Form Based Authentication
• HTML Form Based Authentication strengths
– The credentials are not sent again until the cookie expires.
– Full control over the appearance of the Login Form
• HTML Form Based Authentication weaknesses
– Server needs to store client credentials
– Credentials are sent in clear-text (unless using TLS).
Contents
• 2.2 - Attacking Web Authentication
– 2.2.1 Username Enumeration
– 2.2.2 Password Brute Force
– 2.2.3 Credential Harvesting
Learning Goals
• By the end of this lesson, you will be able to:
– Use different techniques to enumerate usernames in vulnerable Web Applications.
– Brute-force passwords using BurpSuite.
– Know where and how to harvest web credentials.
Impact of Bypass Authentication
2.2 Attacking Web Authentication
• Once an account is compromised, the attacker has access to all of its data and functionality.
– By compromising a high-privileged account, the attacker can take full control over the
entire application.
– Potentially gain access to internal infrastructure.
What are Login Credentials?
2.2 Attacking Web Authentication
• Enable users to verify their identities to online accounts over the web.
– Username
o Unique ID on the Web Application. Usernames should not be used by themselves as an authentication method.
– Password
o Secret combination of letters, numbers and special characters that verifies users and grants them access to protected resources.
What is Username Enumeration?
2.2.1 Username Enumeration
• An attacker can observe changes in the website's behavior in order to identify whether a given username is valid.
– An attacker who harvests a valid username has half of the attack done.
Status Codes
2.2.1 Username Enumeration
• Different status codes for valid and invalid usernames
[Figure: response for an Invalid Username vs. a Valid Username]
Error Messages
2.2.1 Username Enumeration
• Error messages can reveal valid usernames
– Incorrect password response
[Figure: error message for an Invalid Username vs. a Valid Username]
Error Messages
2.2.1 Username Enumeration
• Error messages can reveal valid usernames
– Sometimes this can be very subtle
[Figure: subtly different error messages for an Invalid Username vs. a Valid Username]
Response Timing
2.2.1 Username Enumeration
• When web servers validate the password only if the username is valid
– Long passwords will delay the response time for valid usernames
– An invalid username's password won't be validated, so the response time will be shorter
[Figure: response timing for an Invalid Username vs. a Valid Username]
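The three enumeration signals above (status code, error message, response timing) all come from a login handler that treats unknown usernames differently from wrong passwords. As an added example, not from the slides, the leaky pattern is shown next to a hardened handler that returns one generic message and always does the password-hashing work, so that neither the body nor the timing reveals whether the username exists. The user store and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed user store (not from the slides): username -> (salt, PBKDF2 hash).
ITERATIONS = 100_000


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password):
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


USERS = {"alice": make_user("correct horse battery staple")}

# A dummy record hashed once at startup, so an unknown username costs the
# same amount of hashing work as a real one.
_DUMMY_SALT, _DUMMY_HASH = make_user(os.urandom(16).hex())

GENERIC_ERROR = "Invalid username or password"


def leaky_login(username, password):
    """The pattern the slides describe: a distinct message for unknown users
    and no password check at all for them (shorter response time)."""
    if username not in USERS:
        return False, "Unknown username"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return False, "Incorrect password"
    return True, "Welcome"


def login(username, password):
    """Hardened handler: same message and same hashing work whether the
    username is unknown or the password is wrong."""
    known = username in USERS
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)  # always computed
    if known and hmac.compare_digest(candidate, stored):
        return True, "Welcome"
    return False, GENERIC_ERROR


def time_login(handler, username, password):
    """Seconds taken by one login attempt; compare leaky_login against login
    for an unknown vs. a known username to see the timing gap close."""
    start = time.perf_counter()
    handler(username, password)
    return time.perf_counter() - start
```

Returning the same HTTP status code for both failure cases is the remaining piece, and is done at the web framework layer rather than in the handler shown here.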
Password Lists
2.2.2 Brute Forcing Passwords
• Passwords can be brute-forced, with the difficulty varying based on the strength of the password.
– Common and simple passwords are easy to brute-force.
Password Lists
2.2.2 Brute Forcing Passwords
• Many websites adopt some form of password policy, which forces users to create high-entropy passwords.
– Users often adjust their password to fit the password policy.
o mypassword becomes Myp4$$w0rd
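A policy that only counts character classes accepts Myp4$$w0rd-style mangling, which is why such passwords remain easy to guess. As an added example (not from the slides), a policy check that undoes the usual substitutions and appended digits/symbols before comparing against a common-password list; the blocklist and substitution table are constructed for the example, and a real deployment would use a breached-password list instead.

```python
import re

# Constructed blocklist (not from the slides); use a breached-password list in practice.
COMMON_PASSWORDS = {"password", "mypassword", "letmein", "qwerty", "welcome"}

# Substitutions users commonly apply to satisfy a complexity policy.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

_EDGE_JUNK = re.compile(r"^[^a-z]+|[^a-z]+$")


def normalize(password):
    """Return the set of plausible base words behind a mangled password.

    Both orders are tried because a trailing '$' may be an 's' in the word
    or padding appended to satisfy the policy.
    """
    p = password.lower()
    stripped_then_mapped = _EDGE_JUNK.sub("", p).translate(LEET)
    mapped_then_stripped = _EDGE_JUNK.sub("", p.translate(LEET))
    return {stripped_then_mapped, mapped_then_stripped}


def policy_check(password):
    """Return (ok, reason): the usual length/complexity rules, plus a
    rejection of anything that normalizes to a common password."""
    if len(password) < 12:
        return False, "too short"
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if not all(re.search(c, password) for c in classes):
        return False, "needs lower, upper, digit and symbol"
    if normalize(password) & COMMON_PASSWORDS:
        return False, "mangled common password"
    return True, "ok"
```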
Where can we find web credentials?
Credential Harvesting
• There is a substantial amount of web credentials out there
– Google
– Dark web
– Hacked websites lists
– Phishing
Source: https://www.qrtd.qa/index.php/darkweb_intelligence/
The Harvester
Credential Harvesting
• CLI tool that acts as a wrapper for a variety of search engines
– Emails
– Employee names
– Others
Learning Goals
• Now you can:
– Use different techniques to enumerate usernames in vulnerable Web Applications.
– Brute-force passwords using BurpSuite.
– Know where and how to harvest web credentials.
Thank you