Security Testing Quick Guide
Testing Broken Authentication
When the authentication functions of an application are not implemented correctly, attackers can compromise passwords or session IDs, or exploit other implementation flaws to act with other users' credentials.
Let us understand the Threat Agents, Attack Vectors, Security Weakness, Technical Impact and Business Impact of this flaw with the help of a simple diagram.

Example
An e-commerce application supports URL rewriting, putting session IDs in the URL −
http://example.com/sale/saleitems/jsessionid=2P0OC2JSNDLPSKHCJUN2JV/?item=laptop
An authenticated user of the site forwards the URL to his friends so that they can see the discounted sale items. He e-mails the above link without realizing that he is also giving away his session ID. When his friends open the link, they use his session and his credit card.
Hands On
Step 1 − Login to WebGoat and navigate to the 'Session Management Flaws' section. Let us bypass the authentication by spoofing the cookie. Below is a snapshot of the scenario.

Step 2 − When we login using the credentials webgoat/webgoat, we find in Burp Suite that, upon successful authentication, the JSESSIONID is C8F3177CCAFF380441ABF71090748F2E while the AuthCookie is 65432ubphcfx.


Step 3 − When we login using the credentials aspect/aspect, we find in Burp Suite that, upon successful authentication, the JSESSIONID is C8F3177CCAFF380441ABF71090748F2E while the AuthCookie is 65432udfqtb.

Step 4 − Now we need to analyze the AuthCookie pattern. The first half, '65432', is common to both authentications. Hence we are now interested in the last part of the AuthCookie values: ubphcfx for the webgoat user and udfqtb for the aspect user respectively.
Step 5 − If we take a closer look at the AuthCookie values, the last part has the same length as the user name. Hence it is evident that the user name is transformed by some encoding method. By trial and error, we find that reversing the user name webgoat gives taogbew, and replacing each letter by the one that follows it in the alphabet (t→u, a→b, o→p, ...) gives the value used as the AuthCookie, i.e. ubphcfx.
Step 6 − Let us pass this cookie value and see what happens. After authenticating as user webgoat, change the AuthCookie value to impersonate the user Alice, computing her AuthCookie with the method worked out in step 4 and step 5.


Prevention Mechanisms
- Develop strong authentication and session management controls that meet all the authentication and session management requirements defined in OWASP's Application Security Verification Standard.
- Developers should ensure that they avoid XSS flaws, which can be used to steal session IDs.