Web for Pentesters 2 - Authentication

Today I’ll be going through the authentication exercise from Web for Pentesters 2. This exercise wasn’t too difficult; the hard part was example 2, which I’ll get into later on, but otherwise it’s pretty straightforward. So let’s get into it.

Example 1:

For the first example the username is given to you, admin, but the password you have to guess. You could run a password cracker and get it, or, as it’s a weak password, you could easily guess it. The password is admin.

Example 2:

This example was a pain to do and I still haven’t cracked it yet with the script (which is available on my Bitbucket account here). However, the username and password are in the Ruby file for this example: username: hacker, password: p4ssw0rd (zero, not o).

Example 3:

In the third example you are going to need to use a proxy like Burp Suite or OWASP ZAP. Once you have that installed and set up, follow the steps below to crack the exercise.

  1. Load the page. (Make sure that no parameters are in the URL, as this screws with the process.)
  2. Load up the proxy.
  3. Find the user variable in the cookie.
  4. Make the user variable equal to admin.
  5. Submit the request.

Boom! You are now admin.

Example 4:

Here you have to run a password cracker. Any online cracker should work; I have yet to run one on this exercise and will update this post once I do.

Example 5:

In this example there is a flaw in the registration process: we can create a user with admin privileges with the following steps:

  1. Click on the register link.
  2. Create a user with the username Admin and any password you want.

This will get you admin rights; the problem lies in the MySQL database username comparison.

Example 6:

In the last example we are again exploiting the logic in the register page to get admin privileges.

  1. Go to the register page.
  2. Create a user with the username admin with a space after the username and any password.

Boom! You are now an admin XD. The problem again lies in the comparison of the new username with the usernames in the database, as admin and admin (with a space) are two different users on the system.
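An added example (my own code, not from the post or the lab) that models why examples 5 and 6 succeed and shows the registration check that closes both. It assumes the lab’s MySQL username column uses a case-insensitive PAD SPACE collation, which mysql_ci_equal() imitates in Python; the user table is constructed for the demo.

```python
import unicodedata

# Constructed user table for the demo; the lab's only privileged row is admin.
ADMIN_ROW = {"username": "admin", "is_admin": True}

def mysql_ci_equal(a: str, b: str) -> bool:
    """Imitates a MySQL *_ci PAD SPACE comparison (assumed to be the lab's
    default collation): case and trailing spaces are ignored."""
    return a.rstrip(" ").casefold() == b.rstrip(" ").casefold()

def register_flawed(users: list, username: str) -> bool:
    """Examples 5 and 6: uniqueness is an exact string match, so 'Admin'
    and 'admin ' are accepted as new users."""
    if any(u["username"] == username for u in users):
        return False
    users.append({"username": username, "is_admin": False})
    return True

def privileges_for(users: list, username: str) -> bool:
    """Models SELECT is_admin FROM users WHERE username = ? under the lax
    collation: admin's row matches first, so the new user inherits it."""
    for u in users:
        if mysql_ci_equal(u["username"], username):
            return u["is_admin"]
    return False

def canonical(username: str) -> str:
    """Canonical form for every uniqueness check: NFKC, trimmed, casefolded."""
    return unicodedata.normalize("NFKC", username).strip().casefold()

def register_hardened(users: list, username: str) -> bool:
    """Rejects padded names and any name whose canonical form collides with an
    existing user; the lookup should also compare strictly (BINARY in MySQL)."""
    if username != username.strip():
        return False
    if any(canonical(u["username"]) == canonical(username) for u in users):
        return False
    users.append({"username": username, "is_admin": False})
    return True

def demo() -> dict:
    """Both paths on a fresh table: admin rights gained (flawed) / accepted (hardened)."""
    crafted = ("Admin", "admin ")
    users = [dict(ADMIN_ROW)]
    flawed = {n: register_flawed(users, n) and privileges_for(users, n) for n in crafted}
    users = [dict(ADMIN_ROW)]
    hardened = {n: register_hardened(users, n) for n in crafted}
    return {"flawed": flawed, "hardened": hardened}
```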

Thanks for reading; if you have any questions or comments, please leave them below.

Web for Pentesters 2 - Authorisation

This week I’ll go over the authorisation bypass examples for Web for Pentesters 2. I know last week I said I would go through the authentication examples, but I wasn’t able to finish it in time (example 2 is a pain). Without further ado, let’s go through the exercise.

Example 1:

In this example, we try to bypass authorisation by just altering the number at the end of the URL, like so:

authorization/example1/infos/1
and
authorization/example1/infos/2

This will give you direct access to the resources, even when you aren’t logged in.

Example 2:

In this example, you can access other users’ files simply by incrementing the number at the end of the URL.

authorization/example2/infos/3
and
authorization/example2/infos/4

These will work, but nothing after that; you’ll get an internal server error.

Example 3:

This example is similar to the attack above; however, we need to exploit it through the edit page.

First you’ll need to log in and click on any of the posts. Then change the number at the end of the URL to 3. You now have access to the information from user2.

That will do it for now; in the next post I’ll hopefully have mass assignment done. Until then, keep on hacking.