Identification and Authentication Failures
What is Identification and Authentication Failures
{% endcomment %}Previously known as Broken Authentication, this category slid down from the second position and now includes
Common Weakness Enumerations (CWEs) related to identification failures. Notable CWEs included are CWE-297: Improper Validation
of Certificate with Host Mismatch, CWE-287: Improper Authentication, and CWE-384: Session Fixation.
Confirmation of the user's identity, authentication, and session management is critical to protect against authentication-related attacks. There may be authentication weaknesses if the application:
- Permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords.
- Permits brute force or other automated attacks.
- Permits default, weak, or well-known passwords, such as "Password1" or "admin/admin".
- Uses weak or ineffective credential recovery and forgot-password processes, such as "knowledge-based answers," which cannot be made safe.
- Uses plain text, encrypted, or weakly hashed passwords data stores (see A02:2021-Cryptographic Failures).
- Has missing or ineffective multi-factor authentication.
- Exposes session identifier in the URL.
- Reuse session identifier after successful login.
- Does not correctly invalidate Session IDs. User sessions or authentication tokens (mainly single sign-on (SSO) tokens) aren't properly invalidated during logout or a period of inactivity.
The lab consists of a login page, which request users for their username and password.
If you don't know the password ,there is also a feature for login with otp!
When the users clicks the login with otp feature, user is directed to a page, which asks
users email id to send the otp.
When the user provides an email id , you can see that the 3 digit opt is sent back to the page itself.
This is not the general scenario , usually the code is sent to the registered email of the user.
The user on receiving the 3 digit code can now enter the code in the input box that says
Enter your OTP
On entering the valid OTP the user gets a page which says Login Successful as user : email
.
If the Otp is wrong then the user gets a message saying Invalid OTP
The main aim of this lab is to login as admin, for that you are gonna exploit the lack of rate
limiting feature in the otp verification flow.
You can see that the otp is only of 3 digit(for demo purposes) and the application doesnt have any
captcha (To disallow any automated scripts or bots) or any restrictionds on the number of
tries for the otp.
Now to send the otp to the admin's mail you need to figure out the admins mail id.
Luckily the admin has left his email id for the developers in the page source.
Admins email id admin@pygoat.com
After entering this email in the send otp input box and hit send, you can see that the page says that
otp has been sent to the email id of the admin.
In order to exploit the lack of rate limiting , we can try to Brute-force the 3 digit otp.
Steps to Brute force:
- Open Burpsuite and configure your browser to intercept the web trafic, but dont turn intercept on.
- Send the otp to the admins mail id with the help of send otp feature.
- In the enter the otp box enter a random 3 digit number.
- Before your press login , turn intercept on on Burp suite and then press log in
- Now you can see that the traffic is captured in Burpsuite.
- Now use the send to intruder feature and send this request to the intruder.
- Set the position of the payload to the
otp=parameter. - Go to the payloads session and choose the payload type to number list
- Fill the range to 100 to 999 with step 1.
- Now click attack and you can see that the burp suite tries different combinations of otp and collects it response.
- You can figure out if it has guessed the correct opt by seeing the difference in length of the response for each request.
- The correct otp will have a small response length .
Using this otp you will be able to login into admins account.
Here is a admin pannel of the application. After some recon we got the username admin_pygoat@pygoat.com
& password hash $argon2id$v=19$m=65536,t=3,p=4$Ub40KHiEbH9I3Bsd4VHQDA$4zsIHDmAbejFJmaZq8a2yVIJdHvfylDlQ85w3YRLMSQ
Can you access the admin pannel? or you can do something else so that real admin can't access the admin panel
Lets assume a senario, a user 'X' access his account and before leaving he logs out from his account.
You didn't saw the user 'X's password, but can access his account ?
these are the credentals of different users, try to get some unautherize access.
username : User1 | password : Hash1
username : User2 | password : Hash2
username : User3 | password : Hash3
Mitigation
This type of authentication flaw can be mitigated by:
- Where possible, implement multi-factor authentication to prevent automated credential stuffing, brute force, and stolen credential reuse attacks.
- Do not ship or deploy with any default credentials, particularly for admin users.
- Implement weak password checks, such as testing new or changed passwords against the top 10,000 worst passwords list.
- Align password length, complexity, and rotation policies with National Institute of Standards and Technology (NIST) 800-63b's guidelines in section 5.1.1 for Memorized Secrets or other modern, evidence-based password policies.
- Ensure registration, credential recovery, and API pathways are hardened against account enumeration attacks by using the same messages for all outcomes.
- Limit or increasingly delay failed login attempts, but be careful not to create a denial of service scenario. Log all failures and alert administrators when credential stuffing, brute force, or other attacks are detected.
- Use a server-side, secure, built-in session manager that generates a new random session ID with high entropy after login. Session identifier should not be in the URL, be securely stored, and invalidated after logout, idle, and absolute timeouts.