https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=AlombardiniOWASP - User contributions [en]2026-05-16T09:13:34ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Testing_for_Brute_Force_(OWASP-AT-004)&diff=12351Testing for Brute Force (OWASP-AT-004)2006-11-11T16:44:14Z<p>Alombardini: /* References */</p>
<hr />
<div>{{Template:OWASP Testing Guide v2}}<br />
<br />
== Brief Summary ==<br />
<br><br />
Brute-forcing consists of systematically enumerating all possible candidates for the solution and checking whether each candidate satisfies the problem's statement. In web application testing, the problem we are going to face with the most is very often connected with the need of having a valid user account to access the inner part of the application.<br />
Therefore we are going to check different types of authentication schema and the effectiveness of different brute-force attacks.<br />
<br><br />
<br />
== Description of the Issue == <br />
<br><br />
A great majority of web applications provide a way for users to authenticate themselves. By having knowledge of user's identity it's possible to create protected areas or more generally, to have the application behave differently upon the logon of different users.<br />
Actually there are several methods for a user to authenticate to a system like certificates, biometric devices, OTP (One Time Password) tokens, but in web application we usually find a combination of user ID and password. Therefore it's possible to carry out an attack to retrieve a valid user account and password, by trying to enumerate many (ex. dictionary attack) or the whole space of possible candidates.<br />
<br />
After a successful bruteforce attack, a malicious user could have access to:<br />
<br />
* Confidential information / data;<br />
** Private sections of a web application, could disclose confidential documents, user's profile data, financial status, bank details, user's relationships, etc..<br />
<br />
* Administration panels;<br />
** These sections are used by webmasters to manage (modify, delete, add) web application content, manage user provisioning, assign different privileges to the users, etc..<br />
<br />
* Availability of further attack vectors;<br />
** Private sections of a web application could hide dangerous vulnerabilities and contain advanced functionalities not available to public users.<br />
<br />
<br><br />
<br />
== Black Box testing and example ==<br />
To leverage different bruteforcing attacks it's important to discover the type of authentication method used by the application, because the techniques and the tools to be used may change.<br />
<br />
=== Discovery Authentication Methods ===<br />
<br />
Unless an entity decides to apply a sophisticated web authentication, the two most commonly see methods are as follows:<br />
<br />
* HTTP Authentication;<br />
** Basic Access Authentication<br />
** Digest Access Authentication<br />
* HTML Form-based Authentication;<br />
<br />
The following sections provide some good information on identifying the authentication mechanism employed during a blackbox test.<br />
<br />
<br />
'''HTTP authentication'''<br />
<br />
There are two native HTTP access authentication schemes available to an organisation – Basic and Digest. <br />
<br />
* Basic Access Authentication<br />
<br />
Basic Access Authentication assumes the client will identify themselves with a login name ("owasp") and password ("password"). When the client browser initially accesses a site using this scheme, the web server will reply with a 401 response containing a “WWW-Authenticate” tag containing a value of “Basic” and the name of the protected realm (e.g. WWW-Authenticate: Basic realm="wwwProtectedSite”). The client browser will then prompt the user for their login name and password for that realm. The client browser then responds to the web server with an “Authorization” tag, containing the value “Basic” and the base64-encoded concatenation of the login name, a colon, and the password (e.g. Authorization: Basic b3dhc3A6cGFzc3dvcmQ=). Unfortunately, the authentication reply can be easily decrypted should an attacker sniff the transmission.<br />
<br />
Request and Response Test:<br />
<br />
1. Client sends standard HTTP request for resource:<br />
<pre><br />
GET /members/docs/file.pdf HTTP/1.1<br />
Host: target<br />
</pre><br />
<br />
2. The web server states that the requested resource is located in a protected directory.<br />
<br />
3. Server Sends Response with HTTP 401 Authorization Required:<br />
<br />
<pre><br />
HTTP/1.1 401 Authorization Required<br />
Date: Sat, 04 Nov 2006 12:52:40 GMT<br />
WWW-Authenticate: Basic realm="User Realm"<br />
Content-Length: 401<br />
Keep-Alive: timeout=15, max=100<br />
Connection: Keep-Alive<br />
Content-Type: text/html; charset=iso-8859-1<br />
</pre><br />
<br />
4. Browser displays challenge pop-up for username and password data entry.<br />
<br />
5. Client Resubmits HTTP Request with credentials included:<br />
<br />
<pre><br />
GET /members/docs/file.pdf HTTP/1.1<br />
Host: target<br />
Authorization: Basic b3dhc3A6cGFzc3dvcmQ=<br />
</pre><br />
<br />
6. Server compares client information to its credentials list.<br />
<br />
7. If the credentials are valid the server sends the requested content. If authorization fails the server resends HTTP status code 401 in the response header. If the user clicks Cancel the browser will likely display an error message.<br />
<br />
<pre><br />
The string QWRtaW46Zm9vYmFy== symply base64 decodes as follows:<br />
Base64 Decoded : owasp:password<br />
</pre><br />
<br />
* Digest Access Authentication<br />
<br />
Digest Access Authentication expands upon the security of Basic Access Authentication by using a one-way cryptographic hashing algorithm (MD5) to encrypt authentication data and, secondly, adding a single use (connection unique) “nonce” value set by the web server. This value is used by the client browser in the calculation of a hashed password response. While the password is obscured by the use of the cryptographic hashing and the use of the nonce value precludes the threat of a replay attack, the login name is submitted in clear text.<br />
<br />
Request and Response Test:<br />
<br />
1. Here is an example of the initial Response header when handling an HTTP Digest target:<br />
<br />
<pre><br />
HTTP/1.1 401 Unauthorized<br />
WWW-Authenticate: Digest realm="OwaspSample", <br />
nonce="Ny8yLzIwMDIgMzoyNjoyNCBQTQ", <br />
opaque="0000000000000000", \<br />
stale=false, <br />
algorithm=MD5, <br />
qop="auth"<br />
</pre><br />
<br />
2. The Subsequent response headers with valid credentials would look like this:<br />
<br />
<pre><br />
GET /example/owasp/test.asmx HTTP/1.1<br />
Accept: */*<br />
Authorization: Digest username="owasp", <br />
realm="OwaspSample", <br />
qop="auth", <br />
algorithm="MD5", <br />
uri="/example/owasp/test.asmx", <br />
nonce="Ny8yLzIwMDIgMzoyNjoyNCBQTQ", <br />
nc=00000001, <br />
cnonce="c51b5139556f939768f770dab8e5277a", <br />
opaque="0000000000000000", <br />
response="2275a9ca7b2dadf252afc79923cd3823" <br />
</pre><br />
<br />
<br />
'''HTML Form-based Authentication'''<br />
<br />
However, while both HTTP access authentication schemes may appear suitable for commercial use over the Internet, particularly when used over an SSL encrypted session, many organisations have chosen to utilise custom HTML and application level authentication procedures in order to provide a more sophisticated authentication procedure.<br />
<br />
Source code taken from a HTML form:<br />
<br />
<pre><br />
<form method="POST" action="login"><br />
<input type="text" name"username"><br />
<input type="password" name="password"><br />
</form><br />
</pre><br />
<br />
=== Bruteforce Attacks ===<br />
<br />
After having listed the different types of authentication methods in web application, we will explain several bruteforce attacks which can be carried out.<br />
<br />
* Dictionary Attack<br />
Dictionary-based attacks consist of automated scripts and tools that will try to guess username and passwords from a dictionary file. Dictionary file can be tuned and compiled to cover words probably used by the owner of the account a malicious user is going to attack. <br />
The attacker can previously perform some investigations to understand user's interests, or build a list of all unique words available on the website.<br />
<br />
* Search Attacks<br />
Search attacks will try to cover all possible combination of a given character set and a given password lenght range. This kind of attack is very slow because the space of possible candidates is quite big. For example given a known user id, the total number of passwords to try up to 8 characters in lenght is equal to 26^(8!) in a lower alpha charset (more than 200 billions of different passwords!). <br />
<br />
* Rule-based search attacks<br />
To increase combination space coverage without slowing too much the process it's suggested to create good rules to generate candidates. <br />
For example "John the Ripper" can generate password variations from part of the username or modify through a preconfigured mask words in input (e.g. 1st round "pen" --> 2nd round "p3n" --> 3rd round "p3np3n").<br />
<br />
'''Bruteforcing HTTP Basic Authentication'''<br />
<br />
<pre><br />
raven@blackbox /hydra $ ./hydra -L users.txt -P words.txt www.site.com http-head /private/<br />
Hydra v5.3 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.<br />
Hydra (http://www.thc.org) starting at 2009-07-04 18:15:17<br />
[DATA] 16 tasks, 1 servers, 1638 login tries (l:2/p:819), ~102 tries per task<br />
[DATA] attacking service http-head on port 80<br />
[STATUS] 792.00 tries/min, 792 tries in 00:01h, 846 todo in 00:02h<br />
[80][www] host: 10.0.0.1 login: owasp password: password<br />
[STATUS] attack finished for www.site.com (waiting for childs to finish)<br />
Hydra (http://www.thc.org) finished at 2009-07-04 18:16:34<br />
<br />
raven@blackbox /hydra $ <br />
</pre><br />
<br />
'''Bruteforcing HTML Form Based Authentication'''<br />
<br />
<pre><br />
raven@blackbox /hydra $ ./hydra -L users.txt -P words.txt www.site.com https-post-form<br />
"/index.cgi:login&name=^USER^&password=^PASS^&login=Login:Not allowed" &<br />
<br />
Hydra v5.3 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.<br />
Hydra (http://www.thc.org)starting at 2009-07-04 19:16:17<br />
[DATA] 16 tasks, 1 servers, 1638 login tries (l:2/p:819), ~102 tries per task<br />
[DATA] attacking service http-post-form on port 443<br />
[STATUS] attack finished for wiki.intranet (waiting for childs to finish)<br />
[443] host: 10.0.0.1 login: owasp password: password<br />
[STATUS] attack finished for www.site.com (waiting for childs to finish)<br />
Hydra (http://www.thc.org) finished at 2009-07-04 19:18:34<br />
<br />
raven@blackbox /hydra $<br />
</pre><br />
<br />
== Gray Box testing and example == <br />
'''Partial knowledge of password and account details'''<br />
<br />
When an attacker has some information about lenght or password (account) structure, it's possible to perform a bruteforce attack with a higher probability of success. Infact, limiting the number of characters and defining the password lenght, the total number of password values significantly decreases.<br />
<br />
'''Memory Trade Off Attacks'''<br />
<br />
To perform a Memory Trade Off Attack is needed at least a password hash previously obtained by the attacker exploiting flaws in the application (e.g. SQL Injection) or sniffing http traffic. Nowadays the most commond attacks of this kind are based on Rainbow Tables, a special type of lookup table used in recovering the plaintext password from a ciphertext generated by a one-way hash.<br />
<br />
Rainbowtable is an optimization of Hellman's Memory Trade Off Attack, where the reduction algorithm is used to create chains with the purpose to compress the data output generated by computing all possible candidates.<br />
<br />
<pre>Tables are specific to the hash function they were created for e.g., MD5 tables can only crack MD5 hashes. <br />
The more powerful RainbowCrack program was later developed that can generate and use rainbow tables for a variety <br />
of character sets and hashing algorithms, including LM hash, MD5, SHA1, etc.</pre><br />
<br />
<br><br />
<br />
== References ==<br />
<br />
== References ==<br />
'''Whitepapers'''<br><br />
* Philippe Oechslin: Making a Faster Cryptanalytic Time-Memory Trade-Off - http://lasecwww.epfl.ch/pub/lasec/doc/Oech03.pdf<br />
'''Links'''<br><br />
* OPHCRACK (the time-memory-trade-off-cracker) - http://lasecwww.epfl.ch/~oechslin/projects/ophcrack/<br />
* Rainbowcrack.com - http://www.rainbowcrack.com/<br />
* Project RainbowCrack - http://www.antsight.com/zsl/rainbowcrack/<br />
* milw0rm - http://www.milw0rm.com/cracker/list.php<br />
'''Tools'''<br><br />
* THC Hydra: http://www.thc.org/thc-hydra/<br />
* John the Ripper: http://www.openwall.com/john/<br />
* Brutus http://www.hoobie.net/brutus/<br />
<br><br />
<br />
{{Category:OWASP Testing Project AoC}}<br />
[[OWASP Testing Guide v2 Table of Contents]]<br />
{{Template:Stub}}</div>Alombardinihttps://wiki.owasp.org/index.php?title=Testing_for_Brute_Force_(OWASP-AT-004)&diff=12348Testing for Brute Force (OWASP-AT-004)2006-11-11T16:35:30Z<p>Alombardini: /* References */</p>
<hr />
<div>{{Template:OWASP Testing Guide v2}}<br />
<br />
== Brief Summary ==<br />
<br><br />
Brute-forcing consists of systematically enumerating all possible candidates for the solution and checking whether each candidate satisfies the problem's statement. In web application testing, the problem we are going to face with the most is very often connected with the need of having a valid user account to access the inner part of the application.<br />
Therefore we are going to check different types of authentication schema and the effectiveness of different brute-force attacks.<br />
<br><br />
<br />
== Description of the Issue == <br />
<br><br />
A great majority of web applications provide a way for users to authenticate themselves. By having knowledge of user's identity it's possible to create protected areas or more generally, to have the application behave differently upon the logon of different users.<br />
Actually there are several methods for a user to authenticate to a system like certificates, biometric devices, OTP (One Time Password) tokens, but in web application we usually find a combination of user ID and password. Therefore it's possible to carry out an attack to retrieve a valid user account and password, by trying to enumerate many (ex. dictionary attack) or the whole space of possible candidates.<br />
<br />
After a successful bruteforce attack, a malicious user could have access to:<br />
<br />
* Confidential information / data;<br />
** Private sections of a web application, could disclose confidential documents, user's profile data, financial status, bank details, user's relationships, etc..<br />
<br />
* Administration panels;<br />
** These sections are used by webmasters to manage (modify, delete, add) web application content, manage user provisioning, assign different privileges to the users, etc..<br />
<br />
* Availability of further attack vectors;<br />
** Private sections of a web application could hide dangerous vulnerabilities and contain advanced functionalities not available to public users.<br />
<br />
<br><br />
<br />
== Black Box testing and example ==<br />
To leverage different bruteforcing attacks it's important to discover the type of authentication method used by the application, because the techniques and the tools to be used may change.<br />
<br />
=== Discovery Authentication Methods ===<br />
<br />
Unless an entity decides to apply a sophisticated web authentication, the two most commonly see methods are as follows:<br />
<br />
* HTTP Authentication;<br />
** Basic Access Authentication<br />
** Digest Access Authentication<br />
* HTML Form-based Authentication;<br />
<br />
The following sections provide some good information on identifying the authentication mechanism employed during a blackbox test.<br />
<br />
<br />
'''HTTP authentication'''<br />
<br />
There are two native HTTP access authentication schemes available to an organisation – Basic and Digest. <br />
<br />
* Basic Access Authentication<br />
<br />
Basic Access Authentication assumes the client will identify themselves with a login name ("owasp") and password ("password"). When the client browser initially accesses a site using this scheme, the web server will reply with a 401 response containing a “WWW-Authenticate” tag containing a value of “Basic” and the name of the protected realm (e.g. WWW-Authenticate: Basic realm="wwwProtectedSite”). The client browser will then prompt the user for their login name and password for that realm. The client browser then responds to the web server with an “Authorization” tag, containing the value “Basic” and the base64-encoded concatenation of the login name, a colon, and the password (e.g. Authorization: Basic b3dhc3A6cGFzc3dvcmQ=). Unfortunately, the authentication reply can be easily decrypted should an attacker sniff the transmission.<br />
<br />
Request and Response Test:<br />
<br />
1. Client sends standard HTTP request for resource:<br />
<pre><br />
GET /members/docs/file.pdf HTTP/1.1<br />
Host: target<br />
</pre><br />
<br />
2. The web server states that the requested resource is located in a protected directory.<br />
<br />
3. Server Sends Response with HTTP 401 Authorization Required:<br />
<br />
<pre><br />
HTTP/1.1 401 Authorization Required<br />
Date: Sat, 04 Nov 2006 12:52:40 GMT<br />
WWW-Authenticate: Basic realm="User Realm"<br />
Content-Length: 401<br />
Keep-Alive: timeout=15, max=100<br />
Connection: Keep-Alive<br />
Content-Type: text/html; charset=iso-8859-1<br />
</pre><br />
<br />
4. Browser displays challenge pop-up for username and password data entry.<br />
<br />
5. Client Resubmits HTTP Request with credentials included:<br />
<br />
<pre><br />
GET /members/docs/file.pdf HTTP/1.1<br />
Host: target<br />
Authorization: Basic b3dhc3A6cGFzc3dvcmQ=<br />
</pre><br />
<br />
6. Server compares client information to its credentials list.<br />
<br />
7. If the credentials are valid the server sends the requested content. If authorization fails the server resends HTTP status code 401 in the response header. If the user clicks Cancel the browser will likely display an error message.<br />
<br />
<pre><br />
The string QWRtaW46Zm9vYmFy== symply base64 decodes as follows:<br />
Base64 Decoded : owasp:password<br />
</pre><br />
<br />
* Digest Access Authentication<br />
<br />
Digest Access Authentication expands upon the security of Basic Access Authentication by using a one-way cryptographic hashing algorithm (MD5) to encrypt authentication data and, secondly, adding a single use (connection unique) “nonce” value set by the web server. This value is used by the client browser in the calculation of a hashed password response. While the password is obscured by the use of the cryptographic hashing and the use of the nonce value precludes the threat of a replay attack, the login name is submitted in clear text.<br />
<br />
Request and Response Test:<br />
<br />
1. Here is an example of the initial Response header when handling an HTTP Digest target:<br />
<br />
<pre><br />
HTTP/1.1 401 Unauthorized<br />
WWW-Authenticate: Digest realm="OwaspSample", <br />
nonce="Ny8yLzIwMDIgMzoyNjoyNCBQTQ", <br />
opaque="0000000000000000", \<br />
stale=false, <br />
algorithm=MD5, <br />
qop="auth"<br />
</pre><br />
<br />
2. The Subsequent response headers with valid credentials would look like this:<br />
<br />
<pre><br />
GET /example/owasp/test.asmx HTTP/1.1<br />
Accept: */*<br />
Authorization: Digest username="owasp", <br />
realm="OwaspSample", <br />
qop="auth", <br />
algorithm="MD5", <br />
uri="/example/owasp/test.asmx", <br />
nonce="Ny8yLzIwMDIgMzoyNjoyNCBQTQ", <br />
nc=00000001, <br />
cnonce="c51b5139556f939768f770dab8e5277a", <br />
opaque="0000000000000000", <br />
response="2275a9ca7b2dadf252afc79923cd3823" <br />
</pre><br />
<br />
<br />
'''HTML Form-based Authentication'''<br />
<br />
However, while both HTTP access authentication schemes may appear suitable for commercial use over the Internet, particularly when used over an SSL encrypted session, many organisations have chosen to utilise custom HTML and application level authentication procedures in order to provide a more sophisticated authentication procedure.<br />
<br />
Source code taken from a HTML form:<br />
<br />
<pre><br />
<form method="POST" action="login"><br />
<input type="text" name"username"><br />
<input type="password" name="password"><br />
</form><br />
</pre><br />
<br />
=== Bruteforce Attacks ===<br />
<br />
After having listed the different types of authentication methods in web application, we will explain several bruteforce attacks which can be carried out.<br />
<br />
* Dictionary Attack<br />
Dictionary-based attacks consist of automated scripts and tools that will try to guess username and passwords from a dictionary file. Dictionary file can be tuned and compiled to cover words probably used by the owner of the account a malicious user is going to attack. <br />
The attacker can previously perform some investigations to understand user's interests, or build a list of all unique words available on the website.<br />
<br />
* Search Attacks<br />
Search attacks will try to cover all possible combination of a given character set and a given password lenght range. This kind of attack is very slow because the space of possible candidates is quite big. For example given a known user id, the total number of passwords to try up to 8 characters in lenght is equal to 26^(8!) in a lower alpha charset (more than 200 billions of different passwords!). <br />
<br />
* Rule-based search attacks<br />
To increase combination space coverage without slowing too much the process it's suggested to create good rules to generate candidates. <br />
For example "John the Ripper" can generate password variations from part of the username or modify through a preconfigured mask words in input (e.g. 1st round "pen" --> 2nd round "p3n" --> 3rd round "p3np3n").<br />
<br />
'''Bruteforcing HTTP Basic Authentication'''<br />
<br />
<pre><br />
raven@blackbox /hydra $ ./hydra -L users.txt -P words.txt www.site.com http-head /private/<br />
Hydra v5.3 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.<br />
Hydra (http://www.thc.org) starting at 2009-07-04 18:15:17<br />
[DATA] 16 tasks, 1 servers, 1638 login tries (l:2/p:819), ~102 tries per task<br />
[DATA] attacking service http-head on port 80<br />
[STATUS] 792.00 tries/min, 792 tries in 00:01h, 846 todo in 00:02h<br />
[80][www] host: 10.0.0.1 login: owasp password: password<br />
[STATUS] attack finished for www.site.com (waiting for childs to finish)<br />
Hydra (http://www.thc.org) finished at 2009-07-04 18:16:34<br />
<br />
raven@blackbox /hydra $ <br />
</pre><br />
<br />
'''Bruteforcing HTML Form Based Authentication'''<br />
<br />
<pre><br />
raven@blackbox /hydra $ ./hydra -L users.txt -P words.txt www.site.com https-post-form<br />
"/index.cgi:login&name=^USER^&password=^PASS^&login=Login:Not allowed" &<br />
<br />
Hydra v5.3 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.<br />
Hydra (http://www.thc.org)starting at 2009-07-04 19:16:17<br />
[DATA] 16 tasks, 1 servers, 1638 login tries (l:2/p:819), ~102 tries per task<br />
[DATA] attacking service http-post-form on port 443<br />
[STATUS] attack finished for wiki.intranet (waiting for childs to finish)<br />
[443] host: 10.0.0.1 login: owasp password: password<br />
[STATUS] attack finished for www.site.com (waiting for childs to finish)<br />
Hydra (http://www.thc.org) finished at 2009-07-04 19:18:34<br />
<br />
raven@blackbox /hydra $<br />
</pre><br />
<br />
== Gray Box testing and example == <br />
TD - Having Partial knowledge of password and account details (e.g. lenght or charset)<br />
<br />
TD - Memory Trade Off Attacks<br />
<br />
<br><br />
<br />
== References ==<br />
'''Whitepapers'''<br><br />
* OPHCRACK (the time-memory-trade-off-cracker) - http://lasecwww.epfl.ch/~oechslin/projects/ophcrack/<br />
* Rainbowcrack.com - http://www.rainbowcrack.com/<br />
* Project RainbowCrack - http://www.antsight.com/zsl/rainbowcrack/<br />
'''Tools'''<br><br />
* THC Hydra: http://www.thc.org/thc-hydra/<br />
* John the Ripper: http://www.openwall.com/john/<br />
* Brutus http://www.hoobie.net/brutus/<br />
<br />
<br><br />
<br />
{{Category:OWASP Testing Project AoC}}<br />
[[OWASP Testing Guide v2 Table of Contents]]<br />
{{Template:Stub}}</div>Alombardinihttps://wiki.owasp.org/index.php?title=Testing_for_Brute_Force_(OWASP-AT-004)&diff=12347Testing for Brute Force (OWASP-AT-004)2006-11-11T16:25:41Z<p>Alombardini: /* References */</p>
<hr />
<div>{{Template:OWASP Testing Guide v2}}<br />
<br />
== Brief Summary ==<br />
<br><br />
Brute-forcing consists of systematically enumerating all possible candidates for the solution and checking whether each candidate satisfies the problem's statement. In web application testing, the problem we are going to face with the most is very often connected with the need of having a valid user account to access the inner part of the application.<br />
Therefore we are going to check different types of authentication schema and the effectiveness of different brute-force attacks.<br />
<br><br />
<br />
== Description of the Issue == <br />
<br><br />
A great majority of web applications provide a way for users to authenticate themselves. By having knowledge of user's identity it's possible to create protected areas or more generally, to have the application behave differently upon the logon of different users.<br />
Actually there are several methods for a user to authenticate to a system like certificates, biometric devices, OTP (One Time Password) tokens, but in web application we usually find a combination of user ID and password. Therefore it's possible to carry out an attack to retrieve a valid user account and password, by trying to enumerate many (ex. dictionary attack) or the whole space of possible candidates.<br />
<br />
After a successful bruteforce attack, a malicious user could have access to:<br />
<br />
* Confidential information / data;<br />
** Private sections of a web application, could disclose confidential documents, user's profile data, financial status, bank details, user's relationships, etc..<br />
<br />
* Administration panels;<br />
** These sections are used by webmasters to manage (modify, delete, add) web application content, manage user provisioning, assign different privileges to the users, etc..<br />
<br />
* Availability of further attack vectors;<br />
** Private sections of a web application could hide dangerous vulnerabilities and contain advanced functionalities not available to public users.<br />
<br />
<br><br />
<br />
== Black Box testing and example ==<br />
To leverage different bruteforcing attacks it's important to discover the type of authentication method used by the application, because the techniques and the tools to be used may change.<br />
<br />
=== Discovery Authentication Methods ===<br />
<br />
Unless an entity decides to apply a sophisticated web authentication, the two most commonly see methods are as follows:<br />
<br />
* HTTP Authentication;<br />
** Basic Access Authentication<br />
** Digest Access Authentication<br />
* HTML Form-based Authentication;<br />
<br />
The following sections provide some good information on identifying the authentication mechanism employed during a blackbox test.<br />
<br />
<br />
'''HTTP authentication'''<br />
<br />
There are two native HTTP access authentication schemes available to an organisation – Basic and Digest. <br />
<br />
* Basic Access Authentication<br />
<br />
Basic Access Authentication assumes the client will identify themselves with a login name ("owasp") and password ("password"). When the client browser initially accesses a site using this scheme, the web server will reply with a 401 response containing a “WWW-Authenticate” tag containing a value of “Basic” and the name of the protected realm (e.g. WWW-Authenticate: Basic realm="wwwProtectedSite”). The client browser will then prompt the user for their login name and password for that realm. The client browser then responds to the web server with an “Authorization” tag, containing the value “Basic” and the base64-encoded concatenation of the login name, a colon, and the password (e.g. Authorization: Basic b3dhc3A6cGFzc3dvcmQ=). Unfortunately, the authentication reply can be easily decrypted should an attacker sniff the transmission.<br />
<br />
Request and Response Test:<br />
<br />
1. Client sends standard HTTP request for resource:<br />
<pre><br />
GET /members/docs/file.pdf HTTP/1.1<br />
Host: target<br />
</pre><br />
<br />
2. The web server states that the requested resource is located in a protected directory.<br />
<br />
3. Server Sends Response with HTTP 401 Authorization Required:<br />
<br />
<pre><br />
HTTP/1.1 401 Authorization Required<br />
Date: Sat, 04 Nov 2006 12:52:40 GMT<br />
WWW-Authenticate: Basic realm="User Realm"<br />
Content-Length: 401<br />
Keep-Alive: timeout=15, max=100<br />
Connection: Keep-Alive<br />
Content-Type: text/html; charset=iso-8859-1<br />
</pre><br />
<br />
4. Browser displays challenge pop-up for username and password data entry.<br />
<br />
5. Client Resubmits HTTP Request with credentials included:<br />
<br />
<pre><br />
GET /members/docs/file.pdf HTTP/1.1<br />
Host: target<br />
Authorization: Basic b3dhc3A6cGFzc3dvcmQ=<br />
</pre><br />
<br />
6. Server compares client information to its credentials list.<br />
<br />
7. If the credentials are valid the server sends the requested content. If authorization fails the server resends HTTP status code 401 in the response header. If the user clicks Cancel the browser will likely display an error message.<br />
<br />
<pre><br />
The string QWRtaW46Zm9vYmFy== symply base64 decodes as follows:<br />
Base64 Decoded : owasp:password<br />
</pre><br />
<br />
* Digest Access Authentication<br />
<br />
Digest Access Authentication expands upon the security of Basic Access Authentication by using a one-way cryptographic hashing algorithm (MD5) to encrypt authentication data and, secondly, adding a single use (connection unique) “nonce” value set by the web server. This value is used by the client browser in the calculation of a hashed password response. While the password is obscured by the use of the cryptographic hashing and the use of the nonce value precludes the threat of a replay attack, the login name is submitted in clear text.<br />
<br />
Request and Response Test:<br />
<br />
1. Here is an example of the initial Response header when handling an HTTP Digest target:<br />
<br />
<pre><br />
HTTP/1.1 401 Unauthorized<br />
WWW-Authenticate: Digest realm="OwaspSample", <br />
nonce="Ny8yLzIwMDIgMzoyNjoyNCBQTQ", <br />
opaque="0000000000000000", \<br />
stale=false, <br />
algorithm=MD5, <br />
qop="auth"<br />
</pre><br />
<br />
2. The Subsequent response headers with valid credentials would look like this:<br />
<br />
<pre><br />
GET /example/owasp/test.asmx HTTP/1.1<br />
Accept: */*<br />
Authorization: Digest username="owasp", <br />
realm="OwaspSample", <br />
qop="auth", <br />
algorithm="MD5", <br />
uri="/example/owasp/test.asmx", <br />
nonce="Ny8yLzIwMDIgMzoyNjoyNCBQTQ", <br />
nc=00000001, <br />
cnonce="c51b5139556f939768f770dab8e5277a", <br />
opaque="0000000000000000", <br />
response="2275a9ca7b2dadf252afc79923cd3823" <br />
</pre><br />
<br />
<br />
'''HTML Form-based Authentication'''<br />
<br />
However, while both HTTP access authentication schemes may appear suitable for commercial use over the Internet, particularly when used over an SSL encrypted session, many organisations have chosen to utilise custom HTML and application level authentication procedures in order to provide a more sophisticated authentication procedure.<br />
<br />
Source code taken from a HTML form:<br />
<br />
<pre><br />
<form method="POST" action="login"><br />
<input type="text" name"username"><br />
<input type="password" name="password"><br />
</form><br />
</pre><br />
<br />
=== Bruteforce Attacks ===<br />
<br />
After having listed the different types of authentication methods in web application, we will explain several bruteforce attacks which can be carried out.<br />
<br />
* Dictionary Attack<br />
Dictionary-based attacks consist of automated scripts and tools that will try to guess username and passwords from a dictionary file. Dictionary file can be tuned and compiled to cover words probably used by the owner of the account a malicious user is going to attack. <br />
The attacker can previously perform some investigations to understand user's interests, or build a list of all unique words available on the website.<br />
<br />
* Search Attacks<br />
Search attacks will try to cover all possible combination of a given character set and a given password lenght range. This kind of attack is very slow because the space of possible candidates is quite big. For example given a known user id, the total number of passwords to try up to 8 characters in lenght is equal to 26^(8!) in a lower alpha charset (more than 200 billions of different passwords!). <br />
<br />
* Rule-based search attacks<br />
To increase combination space coverage without slowing too much the process it's suggested to create good rules to generate candidates. <br />
For example "John the Ripper" can generate password variations from part of the username or modify through a preconfigured mask words in input (e.g. 1st round "pen" --> 2nd round "p3n" --> 3rd round "p3np3n").<br />
<br />
'''Bruteforcing HTTP Basic Authentication'''<br />
<br />
<pre><br />
raven@blackbox /hydra $ ./hydra -L users.txt -P words.txt www.site.com http-head /private/<br />
Hydra v5.3 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.<br />
Hydra (http://www.thc.org) starting at 2009-07-04 18:15:17<br />
[DATA] 16 tasks, 1 servers, 1638 login tries (l:2/p:819), ~102 tries per task<br />
[DATA] attacking service http-head on port 80<br />
[STATUS] 792.00 tries/min, 792 tries in 00:01h, 846 todo in 00:02h<br />
[80][www] host: 10.0.0.1 login: owasp password: password<br />
[STATUS] attack finished for www.site.com (waiting for childs to finish)<br />
Hydra (http://www.thc.org) finished at 2009-07-04 18:16:34<br />
<br />
raven@blackbox /hydra $ <br />
</pre><br />
<br />
'''Bruteforcing HTML Form Based Authentication'''<br />
<br />
<pre><br />
raven@blackbox /hydra $ ./hydra -L users.txt -P words.txt www.site.com https-post-form<br />
"/index.cgi:login&name=^USER^&password=^PASS^&login=Login:Not allowed" &<br />
<br />
Hydra v5.3 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.<br />
Hydra (http://www.thc.org)starting at 2009-07-04 19:16:17<br />
[DATA] 16 tasks, 1 servers, 1638 login tries (l:2/p:819), ~102 tries per task<br />
[DATA] attacking service http-post-form on port 443<br />
[STATUS] attack finished for wiki.intranet (waiting for childs to finish)<br />
[443] host: 10.0.0.1 login: owasp password: password<br />
[STATUS] attack finished for www.site.com (waiting for childs to finish)<br />
Hydra (http://www.thc.org) finished at 2009-07-04 19:18:34<br />
<br />
raven@blackbox /hydra $<br />
</pre><br />
<br />
== Gray Box testing and example == <br />
TD - Having Partial knowledge of password and account details (e.g. lenght or charset)<br />
<br />
TD - Memory Trade Off Attacks<br />
<br />
<br><br />
<br />
== References ==<br />
'''Whitepapers'''<br><br />
<br />
'''Tools'''<br><br />
* THC Hydra: http://www.thc.org/thc-hydra/<br />
* John the Ripper: http://www.openwall.com/john/<br />
* Brutus http://www.hoobie.net/brutus/<br />
<br />
<br><br />
<br />
{{Category:OWASP Testing Project AoC}}<br />
[[OWASP Testing Guide v2 Table of Contents]]<br />
{{Template:Stub}}</div>Alombardinihttps://wiki.owasp.org/index.php?title=Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004)&diff=12344Testing for Bypassing Authentication Schema (OTG-AUTHN-004)2006-11-11T15:52:32Z<p>Alombardini: /* References */</p>
<hr />
<div>{{Template:OWASP Testing Guide v2}}<br />
<br />
== Brief Summary ==<br />
<br />
While most most application require authentication for gaining access to private information or tasks, not every authentication method is able to provide adequate security level.<br />
<br />
Negligence, ignorance or simple understatement of the security threats often result in authentication schemes that can be easily bypassed by simply skipping the login page and directly calling an internal page that is supposed to be accessed only after authentication has been performed.<br />
<br />
In addition to this it is often possible to bypass compulsory authentication tampering with requests and tricking the application into thinking that we're already authenticated either by modifying the given URL parameter or by manipulating form or by counterfeiting sessions.<br />
<br><br />
<br />
== Description of the Issue == <br />
<br />
Problems related to Authentication Schema could be found at different stages of software development life cycle (SDLC), like design, development and deployment phase.<br />
<br />
Examples of '''design errors''' include a wrong definition of application parts to be protected, the choice of not applying strong encryption protocols for securing authentication data exchange, and many more.<br />
<br />
'''Problems in development''' phase are for example the incorrect implementation of input validation functionalities, or not following the security best practices for the specific language.<br />
<br />
In addition there are '''issues during application setup''' (Installation and configuration activities) due to a lack in required technical skills, or due to poor documentation available.<br />
<br><br />
<br />
== Black Box testing and example ==<br />
There are several methods to bypass the authentication schema in use by a web application:<br />
* Direct page request<br />
* Parameter Modification<br />
* Session ID Prediction<br />
* Sql Injection<br />
<br />
<br><br />
'''Direct page request'''<br />
<br />
Several web applications implement access control only inside the login page, otherwise if a user requests directly a different page in the designed protected area, the authentication schema could be bypassed.<br />
<br />
<br />
[[Image:basm-directreq.jpg]]<br />
<br />
<br />
'''Parameter Modification'''<br />
<br />
Another problem related to authentication design is to let the application verify a succesful login upon fixed value parameters.<br />
Therefore a user could modify these parameters to gain access to the protected areas without providing valid credentials.<br />
<br />
<pre>http://www.site.com/page.asp?authenticated=no </pre><br />
<br />
<pre>raven@blackbox /home $nc www.site.com 80 <br />
GET /page.asp?authenticated=yes HTTP/1.0 <br />
<br />
HTTP/1.1 200 OK <br />
Date: Sat, 11 Nov 2006 10:22:44 GMT <br />
Server: Apache <br />
Connection: close <br />
Content-Type: text/html; charset=iso-8859-1 <br />
<br />
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <br />
<HTML><HEAD> <br />
</HEAD><BODY> <br />
<H1>You Are Auhtenticated</H1> <br />
</BODY></HTML></pre><br />
<br />
<br />
[[Image:basm-parammod.jpg]]<br />
<br />
<br />
'''Session ID Prediction'''<br />
<br />
Many web applications manage authentication using session identification values(SESSION ID). Therefore if Session ID generation is predictable a malicious user could be able to find a valid session ID and gain unauthorized access to the application, impersonating a previously authenticated user.<br />
<br />
In the following figure values inside cookies increase linearly, so could be easy for an attacker to guess a valid session ID.<br />
<br />
<br />
[[Image:basm-sessid.jpg]]<br />
<br />
<br />
In the following figure values inside cookies change only partially, so it's possible to restrict a bruteforce attack to the defined fields shown below.<br />
<br />
<br />
[[Image:basm-sessid2.jpg]]<br />
<br />
<br />
<br />
'''Sql Injection (HTML Form Authentication)'''<br />
<br />
SQL Injection is a widely known range of techniques. We are not going to describe this technique into detail, because it's possible to find many dedicated paragraphs in Owasp Testing Guide for either common and advanced readers.<br />
<br />
<br />
[[Image:basm-sqlinj.jpg]]<br />
<br />
<br />
The following figure shows that with simple sql injection it's possible to bypass the authentication form.<br />
The Example is obfuscated because it's part of OWASP WebGoat suite, and to let the reader experiment by himself without knowing the solution.<br />
<br />
<br />
[[Image:basm-sqlinj2.gif]]<br />
<br />
<br><br />
<br />
== Gray Box testing and example == <br />
In the case an attacker has been able to retrieve the application source code by exploiting a previosly discovered vulnerability (e.g. directory traversal), or from a web repository (Open Source Applications), could be possible to perform refined attacks against the implementation of the authentication process.<br />
<br />
In the following example (PHPBB 2.0.13 - Authentication Bypass Vulnerability), at line 5 unserialize() function parse user supplied cookie and set values inside $row array. At line 10 user md5 password hash stored inside the backend database is compared to the one supplied.<br />
<br />
<pre>1. if ( isset($HTTP_COOKIE_VARS[$cookiename . '_sid']) ||<br />
2. {<br />
3. $sessiondata = isset( $HTTP_COOKIE_VARS[$cookiename . '_data'] ) ?<br />
4. <br />
5. unserialize(stripslashes($HTTP_COOKIE_VARS[$cookiename . '_data'])) : array();<br />
6. <br />
7. $sessionmethod = SESSION_METHOD_COOKIE;<br />
8. }<br />
9. <br />
10. if( md5($password) == $row['user_password'] && $row['user_active'] )<br />
11. <br />
12. {<br />
13. $autologin = ( isset($HTTP_POST_VARS['autologin']) ) ? TRUE : 0;<br />
14. }</pre><br />
<br />
In PHP a comparison between a string value and a boolean value (1 - "TRUE") is always "TRUE", so supplying the following string (important part is "b:1") to the userialize() function is possible to bypass the authentication control:<br />
<br />
<pre>a:2:{s:11:"autologinid";b:1;s:6:"userid";s:1:"2";}</pre><br />
<br><br />
<br />
== References ==<br />
'''Whitepapers'''<br><br />
<br><br />
'''Tools'''<br><br />
* WebScarab: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project<br />
* WebGoat: http://www.owasp.org/index.php/OWASP_WebGoat_Project<br />
<br />
{{Category:OWASP Testing Project AoC}}<br />
[[OWASP Testing Guide v2 Table of Contents]]<br />
{{Template:Stub}}</div>Alombardinihttps://wiki.owasp.org/index.php?title=Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004)&diff=12343Testing for Bypassing Authentication Schema (OTG-AUTHN-004)2006-11-11T15:52:06Z<p>Alombardini: /* Black Box testing and example */</p>
<hr />
<div>{{Template:OWASP Testing Guide v2}}<br />
<br />
== Brief Summary ==<br />
<br />
While most most application require authentication for gaining access to private information or tasks, not every authentication method is able to provide adequate security level.<br />
<br />
Negligence, ignorance or simple understatement of the security threats often result in authentication schemes that can be easily bypassed by simply skipping the login page and directly calling an internal page that is supposed to be accessed only after authentication has been performed.<br />
<br />
In addition to this it is often possible to bypass compulsory authentication tampering with requests and tricking the application into thinking that we're already authenticated either by modifying the given URL parameter or by manipulating form or by counterfeiting sessions.<br />
<br><br />
<br />
== Description of the Issue == <br />
<br />
Problems related to Authentication Schema could be found at different stages of software development life cycle (SDLC), like design, development and deployment phase.<br />
<br />
Examples of '''design errors''' include a wrong definition of application parts to be protected, the choice of not applying strong encryption protocols for securing authentication data exchange, and many more.<br />
<br />
'''Problems in development''' phase are for example the incorrect implementation of input validation functionalities, or not following the security best practices for the specific language.<br />
<br />
In addition there are '''issues during application setup''' (Installation and configuration activities) due to a lack in required technical skills, or due to poor documentation available.<br />
<br><br />
<br />
== Black Box testing and example ==<br />
There are several methods to bypass the authentication schema in use by a web application:<br />
* Direct page request<br />
* Parameter Modification<br />
* Session ID Prediction<br />
* Sql Injection<br />
<br />
<br><br />
'''Direct page request'''<br />
<br />
Several web applications implement access control only inside the login page, otherwise if a user requests directly a different page in the designed protected area, the authentication schema could be bypassed.<br />
<br />
<br />
[[Image:basm-directreq.jpg]]<br />
<br />
<br />
'''Parameter Modification'''<br />
<br />
Another problem related to authentication design is to let the application verify a succesful login upon fixed value parameters.<br />
Therefore a user could modify these parameters to gain access to the protected areas without providing valid credentials.<br />
<br />
<pre>http://www.site.com/page.asp?authenticated=no </pre><br />
<br />
<pre>raven@blackbox /home $nc www.site.com 80 <br />
GET /page.asp?authenticated=yes HTTP/1.0 <br />
<br />
HTTP/1.1 200 OK <br />
Date: Sat, 11 Nov 2006 10:22:44 GMT <br />
Server: Apache <br />
Connection: close <br />
Content-Type: text/html; charset=iso-8859-1 <br />
<br />
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <br />
<HTML><HEAD> <br />
</HEAD><BODY> <br />
<H1>You Are Auhtenticated</H1> <br />
</BODY></HTML></pre><br />
<br />
<br />
[[Image:basm-parammod.jpg]]<br />
<br />
<br />
'''Session ID Prediction'''<br />
<br />
Many web applications manage authentication using session identification values(SESSION ID). Therefore if Session ID generation is predictable a malicious user could be able to find a valid session ID and gain unauthorized access to the application, impersonating a previously authenticated user.<br />
<br />
In the following figure values inside cookies increase linearly, so could be easy for an attacker to guess a valid session ID.<br />
<br />
<br />
[[Image:basm-sessid.jpg]]<br />
<br />
<br />
In the following figure values inside cookies change only partially, so it's possible to restrict a bruteforce attack to the defined fields shown below.<br />
<br />
<br />
[[Image:basm-sessid2.jpg]]<br />
<br />
<br />
<br />
'''Sql Injection (HTML Form Authentication)'''<br />
<br />
SQL Injection is a widely known range of techniques. We are not going to describe this technique into detail, because it's possible to find many dedicated paragraphs in Owasp Testing Guide for either common and advanced readers.<br />
<br />
<br />
[[Image:basm-sqlinj.jpg]]<br />
<br />
<br />
The following figure shows that with simple sql injection it's possible to bypass the authentication form.<br />
The Example is obfuscated because it's part of OWASP WebGoat suite, and to let the reader experiment by himself without knowing the solution.<br />
<br />
<br />
[[Image:basm-sqlinj2.gif]]<br />
<br />
<br><br />
<br />
== Gray Box testing and example == <br />
In the case an attacker has been able to retrieve the application source code by exploiting a previosly discovered vulnerability (e.g. directory traversal), or from a web repository (Open Source Applications), could be possible to perform refined attacks against the implementation of the authentication process.<br />
<br />
In the following example (PHPBB 2.0.13 - Authentication Bypass Vulnerability), at line 5 unserialize() function parse user supplied cookie and set values inside $row array. At line 10 user md5 password hash stored inside the backend database is compared to the one supplied.<br />
<br />
<pre>1. if ( isset($HTTP_COOKIE_VARS[$cookiename . '_sid']) ||<br />
2. {<br />
3. $sessiondata = isset( $HTTP_COOKIE_VARS[$cookiename . '_data'] ) ?<br />
4. <br />
5. unserialize(stripslashes($HTTP_COOKIE_VARS[$cookiename . '_data'])) : array();<br />
6. <br />
7. $sessionmethod = SESSION_METHOD_COOKIE;<br />
8. }<br />
9. <br />
10. if( md5($password) == $row['user_password'] && $row['user_active'] )<br />
11. <br />
12. {<br />
13. $autologin = ( isset($HTTP_POST_VARS['autologin']) ) ? TRUE : 0;<br />
14. }</pre><br />
<br />
In PHP a comparison between a string value and a boolean value (1 - "TRUE") is always "TRUE", so supplying the following string (important part is "b:1") to the userialize() function is possible to bypass the authentication control:<br />
<br />
<pre>a:2:{s:11:"autologinid";b:1;s:6:"userid";s:1:"2";}</pre><br />
<br><br />
<br />
== References ==<br />
'''Whitepapers'''<br><br />
...<br><br />
'''Tools'''<br><br />
* WebScarab: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project<br />
* WebGoat: http://www.owasp.org/index.php/OWASP_WebGoat_Project<br />
<br />
{{Category:OWASP Testing Project AoC}}<br />
[[OWASP Testing Guide v2 Table of Contents]]<br />
{{Template:Stub}}</div>Alombardinihttps://wiki.owasp.org/index.php?title=Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004)&diff=12342Testing for Bypassing Authentication Schema (OTG-AUTHN-004)2006-11-11T15:51:28Z<p>Alombardini: /* Description of the Issue */</p>
<hr />
<div>{{Template:OWASP Testing Guide v2}}<br />
<br />
== Brief Summary ==<br />
<br />
While most most application require authentication for gaining access to private information or tasks, not every authentication method is able to provide adequate security level.<br />
<br />
Negligence, ignorance or simple understatement of the security threats often result in authentication schemes that can be easily bypassed by simply skipping the login page and directly calling an internal page that is supposed to be accessed only after authentication has been performed.<br />
<br />
In addition to this it is often possible to bypass compulsory authentication tampering with requests and tricking the application into thinking that we're already authenticated either by modifying the given URL parameter or by manipulating form or by counterfeiting sessions.<br />
<br><br />
<br />
== Description of the Issue == <br />
<br />
Problems related to Authentication Schema could be found at different stages of software development life cycle (SDLC), like design, development and deployment phase.<br />
<br />
Examples of '''design errors''' include a wrong definition of application parts to be protected, the choice of not applying strong encryption protocols for securing authentication data exchange, and many more.<br />
<br />
'''Problems in development''' phase are for example the incorrect implementation of input validation functionalities, or not following the security best practices for the specific language.<br />
<br />
In addition there are '''issues during application setup''' (Installation and configuration activities) due to a lack in required technical skills, or due to poor documentation available.<br />
<br><br />
<br />
== Black Box testing and example ==<br />
There are several methods to bypass the authentication schema in use by a web application:<br />
* Direct page request<br />
* Parameter Modification<br />
* Session ID Prediction<br />
* Session Fixation<br />
* Sql Injection<br />
<br />
<br><br />
'''Direct page request'''<br />
<br />
Several web applications implement access control only inside the login page, otherwise if a user requests directly a different page in the designed protected area, the authentication schema could be bypassed.<br />
<br />
<br />
[[Image:basm-directreq.jpg]]<br />
<br />
<br />
'''Parameter Modification'''<br />
<br />
Another problem related to authentication design is to let the application verify a succesful login upon fixed value parameters.<br />
Therefore a user could modify these parameters to gain access to the protected areas without providing valid credentials.<br />
<br />
<pre>http://www.site.com/page.asp?authenticated=no </pre><br />
<br />
<pre>raven@blackbox /home $nc www.site.com 80 <br />
GET /page.asp?authenticated=yes HTTP/1.0 <br />
<br />
HTTP/1.1 200 OK <br />
Date: Sat, 11 Nov 2006 10:22:44 GMT <br />
Server: Apache <br />
Connection: close <br />
Content-Type: text/html; charset=iso-8859-1 <br />
<br />
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <br />
<HTML><HEAD> <br />
</HEAD><BODY> <br />
<H1>You Are Auhtenticated</H1> <br />
</BODY></HTML></pre><br />
<br />
<br />
[[Image:basm-parammod.jpg]]<br />
<br />
<br />
'''Session ID Prediction'''<br />
<br />
Many web applications manage authentication using session identification values(SESSION ID). Therefore if Session ID generation is predictable a malicious user could be able to find a valid session ID and gain unauthorized access to the application, impersonating a previously authenticated user.<br />
<br />
In the following figure values inside cookies increase linearly, so could be easy for an attacker to guess a valid session ID.<br />
<br />
<br />
[[Image:basm-sessid.jpg]]<br />
<br />
<br />
In the following figure values inside cookies change only partially, so it's possible to restrict a bruteforce attack to the defined fields shown below.<br />
<br />
<br />
[[Image:basm-sessid2.jpg]]<br />
<br />
<br />
<br />
'''Sql Injection (HTML Form Authentication)'''<br />
<br />
SQL Injection is a widely known range of techniques. We are not going to describe this technique into detail, because it's possible to find many dedicated paragraphs in Owasp Testing Guide for either common and advanced readers.<br />
<br />
<br />
[[Image:basm-sqlinj.jpg]]<br />
<br />
<br />
The following figure shows that with simple sql injection it's possible to bypass the authentication form.<br />
The Example is obfuscated because it's part of OWASP WebGoat suite, and to let the reader experiment by himself without knowing the solution.<br />
<br />
<br />
[[Image:basm-sqlinj2.gif]]<br />
<br />
<br><br />
<br />
== Gray Box testing and example == <br />
In the case an attacker has been able to retrieve the application source code by exploiting a previosly discovered vulnerability (e.g. directory traversal), or from a web repository (Open Source Applications), could be possible to perform refined attacks against the implementation of the authentication process.<br />
<br />
In the following example (PHPBB 2.0.13 - Authentication Bypass Vulnerability), at line 5 unserialize() function parse user supplied cookie and set values inside $row array. At line 10 user md5 password hash stored inside the backend database is compared to the one supplied.<br />
<br />
<pre>1. if ( isset($HTTP_COOKIE_VARS[$cookiename . '_sid']) ||<br />
2. {<br />
3. $sessiondata = isset( $HTTP_COOKIE_VARS[$cookiename . '_data'] ) ?<br />
4. <br />
5. unserialize(stripslashes($HTTP_COOKIE_VARS[$cookiename . '_data'])) : array();<br />
6. <br />
7. $sessionmethod = SESSION_METHOD_COOKIE;<br />
8. }<br />
9. <br />
10. if( md5($password) == $row['user_password'] && $row['user_active'] )<br />
11. <br />
12. {<br />
13. $autologin = ( isset($HTTP_POST_VARS['autologin']) ) ? TRUE : 0;<br />
14. }</pre><br />
<br />
In PHP a comparison between a string value and a boolean value (1 - "TRUE") is always "TRUE", so supplying the following string (important part is "b:1") to the userialize() function is possible to bypass the authentication control:<br />
<br />
<pre>a:2:{s:11:"autologinid";b:1;s:6:"userid";s:1:"2";}</pre><br />
<br><br />
<br />
== References ==<br />
'''Whitepapers'''<br><br />
...<br><br />
'''Tools'''<br><br />
* WebScarab: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project<br />
* WebGoat: http://www.owasp.org/index.php/OWASP_WebGoat_Project<br />
<br />
{{Category:OWASP Testing Project AoC}}<br />
[[OWASP Testing Guide v2 Table of Contents]]<br />
{{Template:Stub}}</div>Alombardinihttps://wiki.owasp.org/index.php?title=Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004)&diff=12341Testing for Bypassing Authentication Schema (OTG-AUTHN-004)2006-11-11T15:50:50Z<p>Alombardini: /* Brief Summary */</p>
<hr />
<div>{{Template:OWASP Testing Guide v2}}<br />
<br />
== Brief Summary ==<br />
<br />
While most most application require authentication for gaining access to private information or tasks, not every authentication method is able to provide adequate security level.<br />
<br />
Negligence, ignorance or simple understatement of the security threats often result in authentication schemes that can be easily bypassed by simply skipping the login page and directly calling an internal page that is supposed to be accessed only after authentication has been performed.<br />
<br />
In addition to this it is often possible to bypass compulsory authentication tampering with requests and tricking the application into thinking that we're already authenticated either by modifying the given URL parameter or by manipulating form or by counterfeiting sessions.<br />
<br><br />
<br />
== Description of the Issue == <br />
<br><br />
Problems related to Authentication Schema could be found at different stages of software development life cycle (SDLC), like design, development and deployment phase.<br><br><br />
Examples of '''design errors''' include a wrong definition of application parts to be protected, the choice of not applying strong encryption protocols for securing authentication data exchange, and many more.<br><br><br />
'''Problems in development''' phase are for example the incorrect implementation of input validation functionalities, or not following the security best practices for the specific language.<br><br><br />
In addition there are '''issues during application setup''' (Installation and configuration activities) due to a lack in required technical skills, or due to poor documentation available.<br />
<br />
<br><br />
<br />
== Black Box testing and example ==<br />
There are several methods to bypass the authentication schema in use by a web application:<br />
* Direct page request<br />
* Parameter Modification<br />
* Session ID Prediction<br />
* Session Fixation<br />
* Sql Injection<br />
<br />
<br><br />
'''Direct page request'''<br />
<br />
Several web applications implement access control only inside the login page, otherwise if a user requests directly a different page in the designed protected area, the authentication schema could be bypassed.<br />
<br />
<br />
[[Image:basm-directreq.jpg]]<br />
<br />
<br />
'''Parameter Modification'''<br />
<br />
Another problem related to authentication design is to let the application verify a succesful login upon fixed value parameters.<br />
Therefore a user could modify these parameters to gain access to the protected areas without providing valid credentials.<br />
<br />
<pre>http://www.site.com/page.asp?authenticated=no </pre><br />
<br />
<pre>raven@blackbox /home $nc www.site.com 80 <br />
GET /page.asp?authenticated=yes HTTP/1.0 <br />
<br />
HTTP/1.1 200 OK <br />
Date: Sat, 11 Nov 2006 10:22:44 GMT <br />
Server: Apache <br />
Connection: close <br />
Content-Type: text/html; charset=iso-8859-1 <br />
<br />
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <br />
<HTML><HEAD> <br />
</HEAD><BODY> <br />
<H1>You Are Auhtenticated</H1> <br />
</BODY></HTML></pre><br />
<br />
<br />
[[Image:basm-parammod.jpg]]<br />
<br />
<br />
'''Session ID Prediction'''<br />
<br />
Many web applications manage authentication using session identification values(SESSION ID). Therefore if Session ID generation is predictable a malicious user could be able to find a valid session ID and gain unauthorized access to the application, impersonating a previously authenticated user.<br />
<br />
In the following figure values inside cookies increase linearly, so could be easy for an attacker to guess a valid session ID.<br />
<br />
<br />
[[Image:basm-sessid.jpg]]<br />
<br />
<br />
In the following figure values inside cookies change only partially, so it's possible to restrict a bruteforce attack to the defined fields shown below.<br />
<br />
<br />
[[Image:basm-sessid2.jpg]]<br />
<br />
<br />
<br />
'''Sql Injection (HTML Form Authentication)'''<br />
<br />
SQL Injection is a widely known range of techniques. We are not going to describe this technique into detail, because it's possible to find many dedicated paragraphs in Owasp Testing Guide for either common and advanced readers.<br />
<br />
<br />
[[Image:basm-sqlinj.jpg]]<br />
<br />
<br />
The following figure shows that with simple sql injection it's possible to bypass the authentication form.<br />
The Example is obfuscated because it's part of OWASP WebGoat suite, and to let the reader experiment by himself without knowing the solution.<br />
<br />
<br />
[[Image:basm-sqlinj2.gif]]<br />
<br />
<br><br />
<br />
== Gray Box testing and example == <br />
In the case an attacker has been able to retrieve the application source code by exploiting a previosly discovered vulnerability (e.g. directory traversal), or from a web repository (Open Source Applications), could be possible to perform refined attacks against the implementation of the authentication process.<br />
<br />
In the following example (PHPBB 2.0.13 - Authentication Bypass Vulnerability), at line 5 unserialize() function parse user supplied cookie and set values inside $row array. At line 10 user md5 password hash stored inside the backend database is compared to the one supplied.<br />
<br />
<pre>1. if ( isset($HTTP_COOKIE_VARS[$cookiename . '_sid']) ||<br />
2. {<br />
3. $sessiondata = isset( $HTTP_COOKIE_VARS[$cookiename . '_data'] ) ?<br />
4. <br />
5. unserialize(stripslashes($HTTP_COOKIE_VARS[$cookiename . '_data'])) : array();<br />
6. <br />
7. $sessionmethod = SESSION_METHOD_COOKIE;<br />
8. }<br />
9. <br />
10. if( md5($password) == $row['user_password'] && $row['user_active'] )<br />
11. <br />
12. {<br />
13. $autologin = ( isset($HTTP_POST_VARS['autologin']) ) ? TRUE : 0;<br />
14. }</pre><br />
<br />
In PHP a comparison between a string value and a boolean value (1 - "TRUE") is always "TRUE", so supplying the following string (important part is "b:1") to the userialize() function is possible to bypass the authentication control:<br />
<br />
<pre>a:2:{s:11:"autologinid";b:1;s:6:"userid";s:1:"2";}</pre><br />
<br><br />
<br />
== References ==<br />
'''Whitepapers'''<br><br />
...<br><br />
'''Tools'''<br><br />
* WebScarab: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project<br />
* WebGoat: http://www.owasp.org/index.php/OWASP_WebGoat_Project<br />
<br />
{{Category:OWASP Testing Project AoC}}<br />
[[OWASP Testing Guide v2 Table of Contents]]<br />
{{Template:Stub}}</div>Alombardinihttps://wiki.owasp.org/index.php?title=Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004)&diff=12340Testing for Bypassing Authentication Schema (OTG-AUTHN-004)2006-11-11T15:50:09Z<p>Alombardini: /* Black Box testing and example */</p>
<hr />
<div>{{Template:OWASP Testing Guide v2}}<br />
<br />
== Brief Summary ==<br />
<br><br />
While most most application require authentication for gaining access to private information or tasks, not every authentication method is able to provide adequate security level.<br><br><br />
Negligence, ignorance or simple understatement of the security threats often result in authentication schemes that can be easily bypassed by simply skipping the login page and directly calling an internal page that is supposed to be accessed only after authentication has been performed.<br><br><br />
In addition to this it is often possible to bypass compulsory authentication tampering with requests and tricking the application into thinking that we're already authenticated either by modifying the given URL parameter or by manipulating form or by counterfeiting sessions.<br />
<br><br />
<br />
== Description of the Issue == <br />
<br><br />
Problems related to Authentication Schema could be found at different stages of software development life cycle (SDLC), like design, development and deployment phase.<br><br><br />
Examples of '''design errors''' include a wrong definition of application parts to be protected, the choice of not applying strong encryption protocols for securing authentication data exchange, and many more.<br><br><br />
'''Problems in development''' phase are for example the incorrect implementation of input validation functionalities, or not following the security best practices for the specific language.<br><br><br />
In addition there are '''issues during application setup''' (Installation and configuration activities) due to a lack in required technical skills, or due to poor documentation available.<br />
<br />
<br><br />
<br />
== Black Box testing and example ==<br />
There are several methods to bypass the authentication schema in use by a web application:<br />
* Direct page request<br />
* Parameter Modification<br />
* Session ID Prediction<br />
* Session Fixation<br />
* Sql Injection<br />
<br />
<br><br />
'''Direct page request'''<br />
<br />
Several web applications implement access control only inside the login page, otherwise if a user requests directly a different page in the designed protected area, the authentication schema could be bypassed.<br />
<br />
<br />
[[Image:basm-directreq.jpg]]<br />
<br />
<br />
'''Parameter Modification'''<br />
<br />
Another problem related to authentication design is to let the application verify a succesful login upon fixed value parameters.<br />
Therefore a user could modify these parameters to gain access to the protected areas without providing valid credentials.<br />
<br />
<pre>http://www.site.com/page.asp?authenticated=no </pre><br />
<br />
<pre>raven@blackbox /home $nc www.site.com 80 <br />
GET /page.asp?authenticated=yes HTTP/1.0 <br />
<br />
HTTP/1.1 200 OK <br />
Date: Sat, 11 Nov 2006 10:22:44 GMT <br />
Server: Apache <br />
Connection: close <br />
Content-Type: text/html; charset=iso-8859-1 <br />
<br />
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <br />
<HTML><HEAD> <br />
</HEAD><BODY> <br />
<H1>You Are Auhtenticated</H1> <br />
</BODY></HTML></pre><br />
<br />
<br />
[[Image:basm-parammod.jpg]]<br />
<br />
<br />
'''Session ID Prediction'''<br />
<br />
Many web applications manage authentication using session identification values(SESSION ID). Therefore if Session ID generation is predictable a malicious user could be able to find a valid session ID and gain unauthorized access to the application, impersonating a previously authenticated user.<br />
<br />
In the following figure values inside cookies increase linearly, so could be easy for an attacker to guess a valid session ID.<br />
<br />
<br />
[[Image:basm-sessid.jpg]]<br />
<br />
<br />
In the following figure values inside cookies change only partially, so it's possible to restrict a bruteforce attack to the defined fields shown below.<br />
<br />
<br />
[[Image:basm-sessid2.jpg]]<br />
<br />
<br />
<br />
'''Sql Injection (HTML Form Authentication)'''<br />
<br />
SQL Injection is a widely known range of techniques. We are not going to describe this technique into detail, because it's possible to find many dedicated paragraphs in Owasp Testing Guide for either common and advanced readers.<br />
<br />
<br />
[[Image:basm-sqlinj.jpg]]<br />
<br />
<br />
The following figure shows that with simple sql injection it's possible to bypass the authentication form.<br />
The Example is obfuscated because it's part of OWASP WebGoat suite, and to let the reader experiment by himself without knowing the solution.<br />
<br />
<br />
[[Image:basm-sqlinj2.gif]]<br />
<br />
<br><br />
<br />
== Gray Box testing and example == <br />
In the case an attacker has been able to retrieve the application source code by exploiting a previosly discovered vulnerability (e.g. directory traversal), or from a web repository (Open Source Applications), could be possible to perform refined attacks against the implementation of the authentication process.<br />
<br />
In the following example (PHPBB 2.0.13 - Authentication Bypass Vulnerability), at line 5 unserialize() function parse user supplied cookie and set values inside $row array. At line 10 user md5 password hash stored inside the backend database is compared to the one supplied.<br />
<br />
<pre>1. if ( isset($HTTP_COOKIE_VARS[$cookiename . '_sid']) ||<br />
2. {<br />
3. $sessiondata = isset( $HTTP_COOKIE_VARS[$cookiename . '_data'] ) ?<br />
4. <br />
5. unserialize(stripslashes($HTTP_COOKIE_VARS[$cookiename . '_data'])) : array();<br />
6. <br />
7. $sessionmethod = SESSION_METHOD_COOKIE;<br />
8. }<br />
9. <br />
10. if( md5($password) == $row['user_password'] && $row['user_active'] )<br />
11. <br />
12. {<br />
13. $autologin = ( isset($HTTP_POST_VARS['autologin']) ) ? TRUE : 0;<br />
14. }</pre><br />
<br />
In PHP a comparison between a string value and a boolean value (1 - "TRUE") is always "TRUE", so supplying the following string (important part is "b:1") to the userialize() function is possible to bypass the authentication control:<br />
<br />
<pre>a:2:{s:11:"autologinid";b:1;s:6:"userid";s:1:"2";}</pre><br />
<br><br />
<br />
== References ==<br />
'''Whitepapers'''<br><br />
...<br><br />
'''Tools'''<br><br />
* WebScarab: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project<br />
* WebGoat: http://www.owasp.org/index.php/OWASP_WebGoat_Project<br />
<br />
{{Category:OWASP Testing Project AoC}}<br />
[[OWASP Testing Guide v2 Table of Contents]]<br />
{{Template:Stub}}</div>Alombardinihttps://wiki.owasp.org/index.php?title=Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004)&diff=12339Testing for Bypassing Authentication Schema (OTG-AUTHN-004)2006-11-11T15:47:53Z<p>Alombardini: /* Black Box testing and example */</p>
<hr />
<div>{{Template:OWASP Testing Guide v2}}<br />
<br />
== Brief Summary ==<br />
<br><br />
While most most application require authentication for gaining access to private information or tasks, not every authentication method is able to provide adequate security level.<br><br><br />
Negligence, ignorance or simple understatement of the security threats often result in authentication schemes that can be easily bypassed by simply skipping the login page and directly calling an internal page that is supposed to be accessed only after authentication has been performed.<br><br><br />
In addition to this it is often possible to bypass compulsory authentication tampering with requests and tricking the application into thinking that we're already authenticated either by modifying the given URL parameter or by manipulating form or by counterfeiting sessions.<br />
<br><br />
<br />
== Description of the Issue == <br />
<br><br />
Problems related to Authentication Schema could be found at different stages of software development life cycle (SDLC), like design, development and deployment phase.<br><br><br />
Examples of '''design errors''' include a wrong definition of application parts to be protected, the choice of not applying strong encryption protocols for securing authentication data exchange, and many more.<br><br><br />
'''Problems in development''' phase are for example the incorrect implementation of input validation functionalities, or not following the security best practices for the specific language.<br><br><br />
In addition there are '''issues during application setup''' (Installation and configuration activities) due to a lack in required technical skills, or due to poor documentation available.<br />
<br />
<br><br />
<br />
== Black Box testing and example ==<br />
There are several methods to bypass the authentication schema in use by a web application:<br />
* Direct page request<br />
* Parameter Modification<br />
* Session ID Prediction<br />
* Session Fixation<br />
* Sql Injection<br />
<br />
<br><br />
'''Direct page request'''<br />
<br />
Several web applications implement access control only inside the login page, otherwise if a user requests directly a different page in the designed protected area, the authentication schema could be bypassed.<br />
<br />
[[Image:basm-directreq.jpg]]<br />
<br />
<br />
'''Parameter Modification'''<br />
<br />
<br />
Another problem related to authentication design is to let the application verify a succesful login upon fixed value parameters.<br />
Therefore a user could modify these parameters to gain access to the protected areas without providing valid credentials.<br />
<br />
<pre>http://www.site.com/page.asp?authenticated=no </pre><br />
<br />
<pre>raven@blackbox /home $nc www.site.com 80 <br />
GET /page.asp?authenticated=yes HTTP/1.0 <br />
<br />
HTTP/1.1 200 OK <br />
Date: Sat, 11 Nov 2006 10:22:44 GMT <br />
Server: Apache <br />
Connection: close <br />
Content-Type: text/html; charset=iso-8859-1 <br />
<br />
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <br />
<HTML><HEAD> <br />
</HEAD><BODY> <br />
<H1>You Are Auhtenticated</H1> <br />
</BODY></HTML></pre><br />
<br />
[[Image:basm-parammod.jpg]]<br />
<br />
<br />
'''Session ID Prediction'''<br />
Many web applications manage authentication using session identification values(SESSION ID). Therefore if Session ID generation is predictable a malicious user could be able to find a valid session ID and gain unauthorized access to the application, impersonating a previously authenticated user.<br />
<br />
In the following figure values inside cookies increase linearly, so could be easy for an attacker to guess a valid session ID.<br />
<br />
[[Image:basm-sessid.jpg]]<br />
<br />
In the following figure values inside cookies change only partially, so it's possible to restrict a bruteforce attack to the defined fields shown below.<br />
<br />
[[Image:basm-sessid2.jpg]]<br />
<br />
<br />
'''Sql Injection (HTML Form Authentication)'''<br />
SQL Injection is a widely known range of techniques. We are not going to describe this technique into detail, because it's possible to find many dedicated paragraphs in Owasp Testing Guide for either common and advanced readers.<br />
<br />
[[Image:basm-sqlinj.jpg]]<br />
<br />
The following figure shows that with simple sql injection it's possible to bypass the authentication form.<br />
The Example is obfuscated because it's part of OWASP WebGoat suite, and to let the reader experiment by himself without knowing the solution.<br />
<br />
[[Image:basm-sqlinj2.gif]]<br />
<br />
<br><br />
<br />
== Gray Box testing and example == <br />
In the case an attacker has been able to retrieve the application source code by exploiting a previosly discovered vulnerability (e.g. directory traversal), or from a web repository (Open Source Applications), could be possible to perform refined attacks against the implementation of the authentication process.<br />
<br />
In the following example (PHPBB 2.0.13 - Authentication Bypass Vulnerability), at line 5 unserialize() function parse user supplied cookie and set values inside $row array. At line 10 user md5 password hash stored inside the backend database is compared to the one supplied.<br />
<br />
<pre>1. if ( isset($HTTP_COOKIE_VARS[$cookiename . '_sid']) ||<br />
2. {<br />
3. $sessiondata = isset( $HTTP_COOKIE_VARS[$cookiename . '_data'] ) ?<br />
4. <br />
5. unserialize(stripslashes($HTTP_COOKIE_VARS[$cookiename . '_data'])) : array();<br />
6. <br />
7. $sessionmethod = SESSION_METHOD_COOKIE;<br />
8. }<br />
9. <br />
10. if( md5($password) == $row['user_password'] && $row['user_active'] )<br />
11. <br />
12. {<br />
13. $autologin = ( isset($HTTP_POST_VARS['autologin']) ) ? TRUE : 0;<br />
14. }</pre><br />
<br />
In PHP a comparison between a string value and a boolean value (1 - "TRUE") is always "TRUE", so supplying the following string (important part is "b:1") to the userialize() function is possible to bypass the authentication control:<br />
<br />
<pre>a:2:{s:11:"autologinid";b:1;s:6:"userid";s:1:"2";}</pre><br />
<br><br />
<br />
== References ==<br />
'''Whitepapers'''<br><br />
...<br><br />
'''Tools'''<br><br />
* WebScarab: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project<br />
* WebGoat: http://www.owasp.org/index.php/OWASP_WebGoat_Project<br />
<br />
{{Category:OWASP Testing Project AoC}}<br />
[[OWASP Testing Guide v2 Table of Contents]]<br />
{{Template:Stub}}</div>Alombardinihttps://wiki.owasp.org/index.php?title=Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004)&diff=12329Testing for Bypassing Authentication Schema (OTG-AUTHN-004)2006-11-11T15:24:40Z<p>Alombardini: /* Black Box testing and example */</p>
<hr />
<div>{{Template:OWASP Testing Guide v2}}<br />
<br />
== Brief Summary ==<br />
<br><br />
While most most application require authentication for gaining access to private information or tasks, not every authentication method is able to provide adequate security level.<br><br><br />
Negligence, ignorance or simple understatement of the security threats often result in authentication schemes that can be easily bypassed by simply skipping the login page and directly calling an internal page that is supposed to be accessed only after authentication has been performed.<br><br><br />
In addition to this it is often possible to bypass compulsory authentication tampering with requests and tricking the application into thinking that we're already authenticated either by modifying the given URL parameter or by manipulating form or by counterfeiting sessions.<br />
<br><br />
<br />
== Description of the Issue == <br />
<br><br />
Problems related to Authentication Schema could be found at different stages of software development life cycle (SDLC), like design, development and deployment phase.<br><br><br />
Examples of '''design errors''' include a wrong definition of application parts to be protected, the choice of not applying strong encryption protocols for securing authentication data exchange, and many more.<br><br><br />
'''Problems in development''' phase are for example the incorrect implementation of input validation functionalities, or not following the security best practices for the specific language.<br><br><br />
In addition there are '''issues during application setup''' (Installation and configuration activities) due to a lack in required technical skills, or due to poor documentation available.<br />
<br />
<br><br />
<br />
== Black Box testing and example ==<br />
There are several methods to bypass the authentication schema in use by a web application:<br />
* Direct page request<br />
* Parameter Modification<br />
* Session ID Prediction<br />
* Session Fixation<br />
* Sql Injection<br />
<br />
<br><br />
'''Direct page request'''<br />
<br />
Several web applications implement access control only inside the login page, otherwise if a user requests directly a different page in the designed protected area, the authentication schema could be bypassed.<br />
<br />
[[Image:basm-directreq.jpg]]<br />
<br />
<br />
'''Parameter Modification'''<br />
<br />
<br />
Another problem related to authentication design is to let the application verify a succesful login upon fixed value parameters.<br />
Therefore a user could modify these parameters to gain access to the protected areas without providing valid credentials.<br />
<br />
<pre>http://www.site.com/page.asp?authenticated=no </pre><br />
<br />
<pre>raven@blackbox /home $nc www.site.com 80 <br />
GET /page.asp?authenticated=yes HTTP/1.0 <br />
<br />
HTTP/1.1 200 OK <br />
Date: Sat, 11 Nov 2006 10:22:44 GMT <br />
Server: Apache <br />
Connection: close <br />
Content-Type: text/html; charset=iso-8859-1 <br />
<br />
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <br />
<HTML><HEAD> <br />
</HEAD><BODY> <br />
<H1>You Are Auhtenticated</H1> <br />
</BODY></HTML></pre><br />
<br />
[[Image:basm-parammod.jpg]]<br />
<br />
<br />
'''Session Issues'''<br />
* Session ID Prediction<br />
Many web applications manage authentication using session identification values(SESSION ID). Therefore if Session ID generation is predictable a malicious user could be able to find a valid session ID and gain unauthorized access to the application, impersonating a previously authenticated user.<br />
<br />
In the following figure values inside cookies increase linearly, so could be easy for an attacker to guess a valid session ID.<br />
<br />
[[Image:basm-sessid.jpg]]<br />
<br />
In the following figure values inside cookies change only partially, so it's possible to restrict a bruteforce attack to the defined fields shown below.<br />
<br />
[[Image:basm-sessid2.jpg]]<br />
<br />
<br />
'''Sql Injection (HTML Form Authentication)'''<br />
SQL Injection is a widely known range of techniques. We are not going to describe this technique into detail, because it's possible to find many dedicated paragraphs in Owasp Testing Guide for either common and advanced readers.<br />
<br />
[[Image:basm-sqlinj.jpg]]<br />
<br />
The following figure shows that with simple sql injection it's possible to bypass the authentication form.<br />
The Example is obfuscated because it's part of OWASP WebGoat suite, and to let the reader experiment by himself without knowing the solution.<br />
<br />
[[Image:basm-sqlinj2.gif]]<br />
<br />
<br><br />
<br />
== Gray Box testing and example == <br />
'''Testing for Topic X vulnerabilities:'''<br><br />
...<br><br />
'''Result Expected:'''<br><br />
...<br><br><br />
== References ==<br />
'''Whitepapers'''<br><br />
...<br><br />
'''Tools'''<br><br />
* WebScarab: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project<br />
* WebGoat: http://www.owasp.org/index.php/OWASP_WebGoat_Project<br />
<br />
{{Category:OWASP Testing Project AoC}}<br />
[[OWASP Testing Guide v2 Table of Contents]]<br />
{{Template:Stub}}</div>Alombardinihttps://wiki.owasp.org/index.php?title=Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004)&diff=12328Testing for Bypassing Authentication Schema (OTG-AUTHN-004)2006-11-11T15:24:24Z<p>Alombardini: /* Black Box testing and example */</p>
<hr />
<div>{{Template:OWASP Testing Guide v2}}<br />
<br />
== Brief Summary ==<br />
<br><br />
While most most application require authentication for gaining access to private information or tasks, not every authentication method is able to provide adequate security level.<br><br><br />
Negligence, ignorance or simple understatement of the security threats often result in authentication schemes that can be easily bypassed by simply skipping the login page and directly calling an internal page that is supposed to be accessed only after authentication has been performed.<br><br><br />
In addition to this it is often possible to bypass compulsory authentication tampering with requests and tricking the application into thinking that we're already authenticated either by modifying the given URL parameter or by manipulating form or by counterfeiting sessions.<br />
<br><br />
<br />
== Description of the Issue == <br />
<br><br />
Problems related to Authentication Schema could be found at different stages of software development life cycle (SDLC), like design, development and deployment phase.<br><br><br />
Examples of '''design errors''' include a wrong definition of application parts to be protected, the choice of not applying strong encryption protocols for securing authentication data exchange, and many more.<br><br><br />
'''Problems in development''' phase are for example the incorrect implementation of input validation functionalities, or not following the security best practices for the specific language.<br><br><br />
In addition there are '''issues during application setup''' (Installation and configuration activities) due to a lack in required technical skills, or due to poor documentation available.<br />
<br />
<br><br />
<br />
== Black Box testing and example ==<br />
There are several methods to bypass the authentication schema in use by a web application:<br />
* Direct page request<br />
* Parameter Modification<br />
* Session ID Prediction<br />
* Session Fixation<br />
* Sql Injection<br />
<br />
<br><br />
== Black Box testing and example ==<br />
<br />
<br />
'''Direct page request'''<br />
<br />
Several web applications implement access control only inside the login page, otherwise if a user requests directly a different page in the designed protected area, the authentication schema could be bypassed.<br />
<br />
[[Image:basm-directreq.jpg]]<br />
<br />
<br />
'''Parameter Modification'''<br />
<br />
<br />
Another problem related to authentication design is to let the application verify a succesful login upon fixed value parameters.<br />
Therefore a user could modify these parameters to gain access to the protected areas without providing valid credentials.<br />
<br />
<pre>http://www.site.com/page.asp?authenticated=no </pre><br />
<br />
<pre>raven@blackbox /home $nc www.site.com 80 <br />
GET /page.asp?authenticated=yes HTTP/1.0 <br />
<br />
HTTP/1.1 200 OK <br />
Date: Sat, 11 Nov 2006 10:22:44 GMT <br />
Server: Apache <br />
Connection: close <br />
Content-Type: text/html; charset=iso-8859-1 <br />
<br />
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <br />
<HTML><HEAD> <br />
</HEAD><BODY> <br />
<H1>You Are Auhtenticated</H1> <br />
</BODY></HTML></pre><br />
<br />
[[Image:basm-parammod.jpg]]<br />
<br />
<br />
'''Session Issues'''<br />
* Session ID Prediction<br />
Many web applications manage authentication using session identification values(SESSION ID). Therefore if Session ID generation is predictable a malicious user could be able to find a valid session ID and gain unauthorized access to the application, impersonating a previously authenticated user.<br />
<br />
In the following figure values inside cookies increase linearly, so could be easy for an attacker to guess a valid session ID.<br />
<br />
[[Image:basm-sessid.jpg]]<br />
<br />
In the following figure values inside cookies change only partially, so it's possible to restrict a bruteforce attack to the defined fields shown below.<br />
<br />
[[Image:basm-sessid2.jpg]]<br />
<br />
<br />
'''Sql Injection (HTML Form Authentication)'''<br />
SQL Injection is a widely known range of techniques. We are not going to describe this technique into detail, because it's possible to find many dedicated paragraphs in Owasp Testing Guide for either common and advanced readers.<br />
<br />
[[Image:basm-sqlinj.jpg]]<br />
<br />
The following figure shows that with simple sql injection it's possible to bypass the authentication form.<br />
The Example is obfuscated because it's part of OWASP WebGoat suite, and to let the reader experiment by himself without knowing the solution.<br />
<br />
[[Image:basm-sqlinj2.gif]]<br />
<br />
<br><br />
<br />
== Gray Box testing and example == <br />
'''Testing for Topic X vulnerabilities:'''<br><br />
...<br><br />
'''Result Expected:'''<br><br />
...<br><br><br />
== References ==<br />
'''Whitepapers'''<br><br />
...<br><br />
'''Tools'''<br><br />
* WebScarab: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project<br />
* WebGoat: http://www.owasp.org/index.php/OWASP_WebGoat_Project<br />
<br />
{{Category:OWASP Testing Project AoC}}<br />
[[OWASP Testing Guide v2 Table of Contents]]<br />
{{Template:Stub}}</div>Alombardinihttps://wiki.owasp.org/index.php?title=Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004)&diff=12327Testing for Bypassing Authentication Schema (OTG-AUTHN-004)2006-11-11T15:22:06Z<p>Alombardini: /* Bypassing authentication schema methods */</p>
<hr />
<div>{{Template:OWASP Testing Guide v2}}<br />
<br />
== Brief Summary ==<br />
<br><br />
While most most application require authentication for gaining access to private information or tasks, not every authentication method is able to provide adequate security level.<br><br><br />
Negligence, ignorance or simple understatement of the security threats often result in authentication schemes that can be easily bypassed by simply skipping the login page and directly calling an internal page that is supposed to be accessed only after authentication has been performed.<br><br><br />
In addition to this it is often possible to bypass compulsory authentication tampering with requests and tricking the application into thinking that we're already authenticated either by modifying the given URL parameter or by manipulating form or by counterfeiting sessions.<br />
<br><br />
<br />
== Description of the Issue == <br />
<br><br />
Problems related to Authentication Schema could be found at different stages of software development life cycle (SDLC), like design, development and deployment phase.<br><br><br />
Examples of '''design errors''' include a wrong definition of application parts to be protected, the choice of not applying strong encryption protocols for securing authentication data exchange, and many more.<br><br><br />
'''Problems in development''' phase are for example the incorrect implementation of input validation functionalities, or not following the security best practices for the specific language.<br><br><br />
In addition there are '''issues during application setup''' (Installation and configuration activities) due to a lack in required technical skills, or due to poor documentation available.<br />
<br />
<br><br />
<br />
== Black Box testing and example ==<br />
There are several methods to bypass the authentication schema in use by a web application:<br />
* Direct page request<br />
* Parameter Modification<br />
* Session ID Prediction<br />
* Session Fixation<br />
* Sql Injection<br />
<br />
<br><br />
== Black Box testing and example ==<br />
There are several methods to bypass the authentication schema in use by a web <br />
<br />
application:<br />
* Direct page request<br />
* Parameter Modification<br />
* Session ID Prediction<br />
* Sql Injection<br />
<br />
<br><br />
=== Bypassing authentication schema methods ===<br />
<br />
'''Direct page request'''<br />
<br />
Several web applications implement access control only inside the login page, otherwise if a user requests directly a different page in the designed protected area, the authentication schema could be bypassed.<br />
<br />
[[Image:basm-directreq.jpg]]<br />
<br />
<br />
'''Parameter Modification'''<br />
<br />
<br />
Another problem related to authentication design is to let the application verify a succesful login upon fixed value parameters.<br />
Therefore a user could modify these parameters to gain access to the protected areas without providing valid credentials.<br />
<br />
<pre>http://www.site.com/page.asp?authenticated=no </pre><br />
<br />
<pre>raven@blackbox /home $nc www.site.com 80 <br />
GET /page.asp?authenticated=yes HTTP/1.0 <br />
<br />
HTTP/1.1 200 OK <br />
Date: Sat, 11 Nov 2006 10:22:44 GMT <br />
Server: Apache <br />
Connection: close <br />
Content-Type: text/html; charset=iso-8859-1 <br />
<br />
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <br />
<HTML><HEAD> <br />
</HEAD><BODY> <br />
<H1>You Are Auhtenticated</H1> <br />
</BODY></HTML></pre><br />
<br />
[[Image:basm-parammod.jpg]]<br />
<br />
<br />
'''Session Issues'''<br />
* Session ID Prediction<br />
Many web applications manage authentication using session identification values(SESSION ID). Therefore if Session ID generation is predictable a malicious user could be able to find a valid session ID and gain unauthorized access to the application, impersonating a previously authenticated user.<br />
<br />
In the following figure values inside cookies increase linearly, so could be easy for an attacker to guess a valid session ID.<br />
<br />
[[Image:basm-sessid.jpg]]<br />
<br />
In the following figure values inside cookies change only partially, so it's possible to restrict a bruteforce attack to the defined fields shown below.<br />
<br />
[[Image:basm-sessid2.jpg]]<br />
<br />
<br />
'''Sql Injection (HTML Form Authentication)'''<br />
SQL Injection is a widely known range of techniques. We are not going to describe this technique into detail, because it's possible to find many dedicated paragraphs in Owasp Testing Guide for either common and advanced readers.<br />
<br />
[[Image:basm-sqlinj.jpg]]<br />
<br />
The following figure shows that with simple sql injection it's possible to bypass the authentication form.<br />
The Example is obfuscated because it's part of OWASP WebGoat suite, and to let the reader experiment by himself without knowing the solution.<br />
<br />
[[Image:basm-sqlinj2.gif]]<br />
<br />
<br><br />
<br />
== Gray Box testing and example == <br />
'''Testing for Topic X vulnerabilities:'''<br><br />
...<br><br />
'''Result Expected:'''<br><br />
...<br><br><br />
== References ==<br />
'''Whitepapers'''<br><br />
...<br><br />
'''Tools'''<br><br />
* WebScarab: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project<br />
* WebGoat: http://www.owasp.org/index.php/OWASP_WebGoat_Project<br />
<br />
{{Category:OWASP Testing Project AoC}}<br />
[[OWASP Testing Guide v2 Table of Contents]]<br />
{{Template:Stub}}</div>Alombardinihttps://wiki.owasp.org/index.php?title=Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004)&diff=12326Testing for Bypassing Authentication Schema (OTG-AUTHN-004)2006-11-11T15:20:55Z<p>Alombardini: /* Black Box testing and example */</p>
<hr />
<div>{{Template:OWASP Testing Guide v2}}<br />
<br />
== Brief Summary ==<br />
<br><br />
While most most application require authentication for gaining access to private information or tasks, not every authentication method is able to provide adequate security level.<br><br><br />
Negligence, ignorance or simple understatement of the security threats often result in authentication schemes that can be easily bypassed by simply skipping the login page and directly calling an internal page that is supposed to be accessed only after authentication has been performed.<br><br><br />
In addition to this it is often possible to bypass compulsory authentication tampering with requests and tricking the application into thinking that we're already authenticated either by modifying the given URL parameter or by manipulating form or by counterfeiting sessions.<br />
<br><br />
<br />
== Description of the Issue == <br />
<br><br />
Problems related to Authentication Schema could be found at different stages of software development life cycle (SDLC), like design, development and deployment phase.<br><br><br />
Examples of '''design errors''' include a wrong definition of application parts to be protected, the choice of not applying strong encryption protocols for securing authentication data exchange, and many more.<br><br><br />
'''Problems in development''' phase are for example the incorrect implementation of input validation functionalities, or not following the security best practices for the specific language.<br><br><br />
In addition there are '''issues during application setup''' (Installation and configuration activities) due to a lack in required technical skills, or due to poor documentation available.<br />
<br />
<br><br />
<br />
== Black Box testing and example ==<br />
There are several methods to bypass the authentication schema in use by a web application:<br />
* Direct page request<br />
* Parameter Modification<br />
* Session ID Prediction<br />
* Session Fixation<br />
* Sql Injection<br />
<br />
<br><br />
== Black Box testing and example ==<br />
There are several methods to bypass the authentication schema in use by a web <br />
<br />
application:<br />
* Direct page request<br />
* Parameter Modification<br />
* Session ID Prediction<br />
* Sql Injection<br />
<br />
<br><br />
=== Bypassing authentication schema methods ===<br />
<br />
'''Direct page request'''<br />
<br />
Several web applications implement access control only inside the login page, <br />
<br />
otherwise if a user requests directly a different page in the designed protected <br />
<br />
area, the authentication schema could be bypassed.<br />
<br />
[[Image:basm-directreq.jpg]]<br />
<br />
<br />
'''Parameter Modification'''<br />
<br />
<br />
Another problem related to authentication design is to let the application verify a <br />
<br />
succesful login upon fixed value parameters.<br />
<br />
Therefore a user could modify these parameters to gain access to the protected areas <br />
<br />
without providing valid credentials.<br />
<pre>http://www.site.com/page.asp?authenticated=no </pre><br />
<br />
<pre>raven@blackbox /home $nc www.site.com 80 <br />
GET /page.asp?authenticated=yes HTTP/1.0 <br />
<br />
HTTP/1.1 200 OK <br />
Date: Sat, 11 Nov 2006 10:22:44 GMT <br />
Server: Apache <br />
Connection: close <br />
Content-Type: text/html; charset=iso-8859-1 <br />
<br />
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <br />
<HTML><HEAD> <br />
</HEAD><BODY> <br />
<H1>You Are Auhtenticated</H1> <br />
</BODY></HTML></pre><br />
<br />
[[Image:basm-parammod.jpg]]<br />
<br />
<br />
'''Session Issues'''<br />
* Session ID Prediction<br />
Many web applications manage authentication using session identification <br />
<br />
values(SESSION ID). Therefore if Session ID generation is predictable a malicious <br />
<br />
user could be able to find a valid session ID and gain unauthorized access to the <br />
<br />
application, impersonating a previously authenticated user.<br />
<br />
In the following figure values inside cookies increase linearly, so could be easy <br />
<br />
for an attacker to guess a valid session ID.<br />
<br />
[[Image:basm-sessid.jpg]]<br />
<br />
In the following figure values inside cookies change only partially, so it's <br />
<br />
possible to restrict a bruteforce attack to the defined fields shown below.<br />
<br />
[[Image:basm-sessid2.jpg]]<br />
<br />
<br />
'''Sql Injection (HTML Form Authentication)'''<br />
SQL Injection is a widely known range of techniques. We are not going to describe <br />
<br />
this technique into detail, because it's possible to find many dedicated paragraphs <br />
<br />
in Owasp Testing Guide for either common and advanced readers.<br />
<br />
[[Image:basm-sqlinj.jpg]]<br />
<br />
The following figure shows that with simple sql injection it's possible to bypass <br />
<br />
the authentication form.<br />
The Example is obfuscated because it's part of OWASP WebGoat suite, and to let the <br />
<br />
reader experiment by himself without knowing the solution.<br />
<br />
[[Image:basm-sqlinj2.gif]]<br />
<br />
<br><br />
<br />
== Gray Box testing and example == <br />
'''Testing for Topic X vulnerabilities:'''<br><br />
...<br><br />
'''Result Expected:'''<br><br />
...<br><br><br />
== References ==<br />
'''Whitepapers'''<br><br />
...<br><br />
'''Tools'''<br><br />
* WebScarab: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project<br />
* WebGoat: http://www.owasp.org/index.php/OWASP_WebGoat_Project<br />
<br />
{{Category:OWASP Testing Project AoC}}<br />
[[OWASP Testing Guide v2 Table of Contents]]<br />
{{Template:Stub}}</div>Alombardinihttps://wiki.owasp.org/index.php?title=Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004)&diff=12324Testing for Bypassing Authentication Schema (OTG-AUTHN-004)2006-11-11T15:17:15Z<p>Alombardini: /* References */</p>
<hr />
<div>{{Template:OWASP Testing Guide v2}}<br />
<br />
== Brief Summary ==<br />
<br><br />
While most most application require authentication for gaining access to private information or tasks, not every authentication method is able to provide adequate security level.<br><br><br />
Negligence, ignorance or simple understatement of the security threats often result in authentication schemes that can be easily bypassed by simply skipping the login page and directly calling an internal page that is supposed to be accessed only after authentication has been performed.<br><br><br />
In addition to this it is often possible to bypass compulsory authentication tampering with requests and tricking the application into thinking that we're already authenticated either by modifying the given URL parameter or by manipulating form or by counterfeiting sessions.<br />
<br><br />
<br />
== Description of the Issue == <br />
<br><br />
Problems related to Authentication Schema could be found at different stages of software development life cycle (SDLC), like design, development and deployment phase.<br><br><br />
Examples of '''design errors''' include a wrong definition of application parts to be protected, the choice of not applying strong encryption protocols for securing authentication data exchange, and many more.<br><br><br />
'''Problems in development''' phase are for example the incorrect implementation of input validation functionalities, or not following the security best practices for the specific language.<br><br><br />
In addition there are '''issues during application setup''' (Installation and configuration activities) due to a lack in required technical skills, or due to poor documentation available.<br />
<br />
<br><br />
<br />
== Black Box testing and example ==<br />
There are several methods to bypass the authentication schema in use by a web application:<br />
* Direct page request<br />
* Parameter Modification<br />
* Session ID Prediction<br />
* Session Fixation<br />
* Sql Injection<br />
<br />
<br><br />
=== Bypassing authentication schema methods ===<br />
<br />
'''Direct page request'''<br />
<br />
Several web applications implement access control only inside the login page, otherwise if a user requests directly a different page in the designed protected area, the authentication schema could be bypassed.<br />
<br />
[[Image:basm-directreq.jpg]]<br />
<br />
<br />
'''Parameter Modification'''<br />
<br />
<br />
Another problem related to authentication design is to let the application verify a succesful login upon fixed value parameters.<br />
<br />
Therefore a user could modify these parameters to gain access to the protected areas without providing valid credentials.<br />
<pre>http://www.site.com/page.asp?authenticated=no </pre><br />
<br />
<pre>raven@blackbox /home $nc www.site.com 80 <br />
GET /page.asp?authenticated=yes HTTP/1.0 <br />
<br />
HTTP/1.1 200 OK <br />
Date: Sat, 11 Nov 2006 10:22:44 GMT <br />
Server: Apache <br />
Connection: close <br />
Content-Type: text/html; charset=iso-8859-1 <br />
<br />
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <br />
<HTML><HEAD> <br />
</HEAD><BODY> <br />
<H1>You Are Auhtenticated</H1> <br />
</BODY></HTML></pre><br />
<br />
[[Image:basm-parammod.jpg]]<br />
<br />
<br />
'''Session Issues'''<br />
* Session ID Prediction<br />
Many web applications manage authentication using session identification values(SESSION ID). Therefore if Session ID generation is predictable a malicious user could be able to find a valid session ID and gain unauthorized access to the application, impersonating a previously authenticated user.<br />
<br />
[[Image:basm-sessid.jpg]]<br />
<br />
[[Image:basm-sessid2.jpg]]<br />
<br />
<br />
'''Sql Injection (HTML Form Authentication)'''<br />
<br />
<br />
[[Image:basm-sqlinj.jpg]]<br />
<br />
[[Image:basm-sqlinj2.gif]]<br />
<br />
<br><br />
<br />
== Gray Box testing and example == <br />
'''Testing for Topic X vulnerabilities:'''<br><br />
...<br><br />
'''Result Expected:'''<br><br />
...<br><br><br />
== References ==<br />
'''Whitepapers'''<br><br />
...<br><br />
'''Tools'''<br><br />
* WebScarab: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project<br />
* WebGoat: http://www.owasp.org/index.php/OWASP_WebGoat_Project<br />
<br />
{{Category:OWASP Testing Project AoC}}<br />
[[OWASP Testing Guide v2 Table of Contents]]<br />
{{Template:Stub}}</div>Alombardinihttps://wiki.owasp.org/index.php?title=Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004)&diff=12323Testing for Bypassing Authentication Schema (OTG-AUTHN-004)2006-11-11T15:16:23Z<p>Alombardini: /* References */</p>
<hr />
<div>{{Template:OWASP Testing Guide v2}}<br />
<br />
== Brief Summary ==<br />
<br><br />
While most most application require authentication for gaining access to private information or tasks, not every authentication method is able to provide adequate security level.<br><br><br />
Negligence, ignorance or simple understatement of the security threats often result in authentication schemes that can be easily bypassed by simply skipping the login page and directly calling an internal page that is supposed to be accessed only after authentication has been performed.<br><br><br />
In addition to this it is often possible to bypass compulsory authentication tampering with requests and tricking the application into thinking that we're already authenticated either by modifying the given URL parameter or by manipulating form or by counterfeiting sessions.<br />
<br><br />
<br />
== Description of the Issue == <br />
<br><br />
Problems related to Authentication Schema could be found at different stages of software development life cycle (SDLC), like design, development and deployment phase.<br><br><br />
Examples of '''design errors''' include a wrong definition of application parts to be protected, the choice of not applying strong encryption protocols for securing authentication data exchange, and many more.<br><br><br />
'''Problems in development''' phase are for example the incorrect implementation of input validation functionalities, or not following the security best practices for the specific language.<br><br><br />
In addition there are '''issues during application setup''' (Installation and configuration activities) due to a lack in required technical skills, or due to poor documentation available.<br />
<br />
<br><br />
<br />
== Black Box testing and example ==<br />
There are several methods to bypass the authentication schema in use by a web application:<br />
* Direct page request<br />
* Parameter Modification<br />
* Session ID Prediction<br />
* Session Fixation<br />
* Sql Injection<br />
<br />
<br><br />
=== Bypassing authentication schema methods ===<br />
<br />
'''Direct page request'''<br />
<br />
Several web applications implement access control only inside the login page, otherwise if a user requests directly a different page in the designed protected area, the authentication schema could be bypassed.<br />
<br />
[[Image:basm-directreq.jpg]]<br />
<br />
<br />
'''Parameter Modification'''<br />
<br />
<br />
Another problem related to authentication design is to let the application verify a succesful login upon fixed value parameters.<br />
<br />
Therefore a user could modify these parameters to gain access to the protected areas without providing valid credentials.<br />
<pre>http://www.site.com/page.asp?authenticated=no </pre><br />
<br />
<pre>raven@blackbox /home $nc www.site.com 80 <br />
GET /page.asp?authenticated=yes HTTP/1.0 <br />
<br />
HTTP/1.1 200 OK <br />
Date: Sat, 11 Nov 2006 10:22:44 GMT <br />
Server: Apache <br />
Connection: close <br />
Content-Type: text/html; charset=iso-8859-1 <br />
<br />
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <br />
<HTML><HEAD> <br />
</HEAD><BODY> <br />
<H1>You Are Auhtenticated</H1> <br />
</BODY></HTML></pre><br />
<br />
[[Image:basm-parammod.jpg]]<br />
<br />
<br />
'''Session Issues'''<br />
* Session ID Prediction<br />
Many web applications manage authentication using session identification values(SESSION ID). Therefore if Session ID generation is predictable a malicious user could be able to find a valid session ID and gain unauthorized access to the application, impersonating a previously authenticated user.<br />
<br />
[[Image:basm-sessid.jpg]]<br />
<br />
[[Image:basm-sessid2.jpg]]<br />
<br />
<br />
'''Sql Injection (HTML Form Authentication)'''<br />
<br />
<br />
[[Image:basm-sqlinj.jpg]]<br />
<br />
[[Image:basm-sqlinj2.gif]]<br />
<br />
<br><br />
<br />
== Gray Box testing and example == <br />
'''Testing for Topic X vulnerabilities:'''<br><br />
...<br><br />
'''Result Expected:'''<br><br />
...<br><br><br />
== References ==<br />
'''Whitepapers'''<br><br />
...<br><br />
'''Tools'''<br><br />
* WebGoat: http://www.owasp.org/index.php/OWASP_WebGoat_Project<br />
<br />
{{Category:OWASP Testing Project AoC}}<br />
[[OWASP Testing Guide v2 Table of Contents]]<br />
{{Template:Stub}}</div>Alombardinihttps://wiki.owasp.org/index.php?title=Testing_for_Brute_Force_(OWASP-AT-004)&diff=12309Testing for Brute Force (OWASP-AT-004)2006-11-11T14:14:16Z<p>Alombardini: /* References */</p>
<hr />
<div>{{Template:OWASP Testing Guide v2}}<br />
<br />
== Brief Summary ==<br />
<br><br />
Brute-forcing consists of systematically enumerating all possible candidates for the solution and checking whether each candidate satisfies the problem's statement. In web application testing, the problem we are going to face with the most is very often connected with the need of having a valid user account to access the inner part of the application.<br />
Therefore we are going to check different types of authentication schema and the effectiveness of different brute-force attacks.<br />
<br><br />
<br />
== Description of the Issue == <br />
<br><br />
A great majority of web applications provide a way for users to authenticate themselves. By having knowledge of user's identity it's possible to create protected areas or more generally, to have the application behave differently upon the logon of different users.<br />
Actually there are several methods for a user to authenticate to a system like certificates, biometric devices, OTP (One Time Password) tokens, but in web application we usually find a combination of user ID and password. Therefore it's possible to carry out an attack to retrieve a valid user account and password, by trying to enumerate many (ex. dictionary attack) or the whole space of possible candidates.<br />
<br />
After a successful bruteforce attack, a malicious user could have access to:<br />
<br />
* Confidential information / data;<br />
** Private sections of a web application, could disclose confidential documents, user's profile data, financial status, bank details, user's relationships, etc..<br />
<br />
* Administration panels;<br />
** These sections are used by webmasters to manage (modify, delete, add) web application content, manage user provisioning, assign different privileges to the users, etc..<br />
<br />
* Availability of further attack vectors;<br />
** Private sections of a web application could hide dangerous vulnerabilities and contain advanced functionalities not available to public users.<br />
<br />
<br><br />
<br />
== Black Box testing and example ==<br />
To leverage different bruteforcing attacks it's important to discover the type of authentication method used by the application, because the techniques and the tools to be used may change.<br />
<br />
=== Discovery Authentication Methods ===<br />
<br />
Unless an entity decides to apply a sophisticated web authentication, the two most commonly see methods are as follows:<br />
<br />
* HTTP Authentication;<br />
** Basic Access Authentication<br />
** Digest Access Authentication<br />
* HTML Form-based Authentication;<br />
<br />
The following sections provide some good information on identifying the authentication mechanism employed during a blackbox test.<br />
<br />
<br />
'''HTTP authentication'''<br />
<br />
There are two native HTTP access authentication schemes available to an organisation – Basic and Digest. <br />
<br />
* Basic Access Authentication<br />
<br />
Basic Access Authentication assumes the client will identify themselves with a login name ("owasp") and password ("password"). When the client browser initially accesses a site using this scheme, the web server will reply with a 401 response containing a “WWW-Authenticate” tag containing a value of “Basic” and the name of the protected realm (e.g. WWW-Authenticate: Basic realm="wwwProtectedSite”). The client browser will then prompt the user for their login name and password for that realm. The client browser then responds to the web server with an “Authorization” tag, containing the value “Basic” and the base64-encoded concatenation of the login name, a colon, and the password (e.g. Authorization: Basic b3dhc3A6cGFzc3dvcmQ=). Unfortunately, the authentication reply can be easily decrypted should an attacker sniff the transmission.<br />
<br />
Request and Response Test:<br />
<br />
1. Client sends standard HTTP request for resource:<br />
<pre><br />
GET /members/docs/file.pdf HTTP/1.1<br />
Host: target<br />
</pre><br />
<br />
2. The web server states that the requested resource is located in a protected directory.<br />
<br />
3. Server Sends Response with HTTP 401 Authorization Required:<br />
<br />
<pre><br />
HTTP/1.1 401 Authorization Required<br />
Date: Sat, 04 Nov 2006 12:52:40 GMT<br />
WWW-Authenticate: Basic realm="User Realm"<br />
Content-Length: 401<br />
Keep-Alive: timeout=15, max=100<br />
Connection: Keep-Alive<br />
Content-Type: text/html; charset=iso-8859-1<br />
</pre><br />
<br />
4. Browser displays challenge pop-up for username and password data entry.<br />
<br />
5. Client Resubmits HTTP Request with credentials included:<br />
<br />
<pre><br />
GET /members/docs/file.pdf HTTP/1.1<br />
Host: target<br />
Authorization: Basic b3dhc3A6cGFzc3dvcmQ=<br />
</pre><br />
<br />
6. Server compares client information to its credentials list.<br />
<br />
7. If the credentials are valid the server sends the requested content. If authorization fails the server resends HTTP status code 401 in the response header. If the user clicks Cancel the browser will likely display an error message.<br />
<br />
<pre><br />
The string QWRtaW46Zm9vYmFy== symply base64 decodes as follows:<br />
Base64 Decoded : owasp:password<br />
</pre><br />
<br />
* Digest Access Authentication<br />
<br />
Digest Access Authentication expands upon the security of Basic Access Authentication by using a one-way cryptographic hashing algorithm (MD5) to encrypt authentication data and, secondly, adding a single use (connection unique) “nonce” value set by the web server. This value is used by the client browser in the calculation of a hashed password response. While the password is obscured by the use of the cryptographic hashing and the use of the nonce value precludes the threat of a replay attack, the login name is submitted in clear text.<br />
<br />
Request and Response Test:<br />
<br />
1. Here is an example of the initial Response header when handling an HTTP Digest target:<br />
<br />
<pre><br />
HTTP/1.1 401 Unauthorized<br />
WWW-Authenticate: Digest realm="OwaspSample", <br />
nonce="Ny8yLzIwMDIgMzoyNjoyNCBQTQ", <br />
opaque="0000000000000000", \<br />
stale=false, <br />
algorithm=MD5, <br />
qop="auth"<br />
</pre><br />
<br />
2. The Subsequent response headers with valid credentials would look like this:<br />
<br />
<pre><br />
GET /example/owasp/test.asmx HTTP/1.1<br />
Accept: */*<br />
Authorization: Digest username="owasp", <br />
realm="OwaspSample", <br />
qop="auth", <br />
algorithm="MD5", <br />
uri="/example/owasp/test.asmx", <br />
nonce="Ny8yLzIwMDIgMzoyNjoyNCBQTQ", <br />
nc=00000001, <br />
cnonce="c51b5139556f939768f770dab8e5277a", <br />
opaque="0000000000000000", <br />
response="2275a9ca7b2dadf252afc79923cd3823" <br />
</pre><br />
<br />
<br />
'''HTML Form-based Authentication'''<br />
<br />
However, while both HTTP access authentication schemes may appear suitable for commercial use over the Internet, particularly when used over an SSL encrypted session, many organisations have chosen to utilise custom HTML and application level authentication procedures in order to provide a more sophisticated authentication procedure.<br />
<br />
Source code taken from a HTML form:<br />
<br />
<pre><br />
<form method="POST" action="login"><br />
<input type="text" name"username"><br />
<input type="password" name="password"><br />
</form><br />
</pre><br />
<br />
=== Bruteforce Attacks ===<br />
<br />
After having listed the different types of authentication methods in web application, we will explain several bruteforce attacks which can be carried out.<br />
<br />
* Dictionary Attack<br />
Dictionary-based attacks consist of automated scripts and tools that will try to guess username and passwords from a dictionary file. Dictionary file can be tuned and compiled to cover words probably used by the owner of the account a malicious user is going to attack. <br />
The attacker can previously perform some investigations to understand user's interests, or build a list of all unique words available on the website.<br />
<br />
* Search Attacks<br />
Search attacks will try to cover all possible combination of a given character set and a given password lenght range. This kind of attack is very slow because the space of possible candidates is quite big. For example given a known user id, the total number of passwords to try up to 8 characters in lenght is equal to 26^(8!) in a lower alpha charset (more than 200 billions of different passwords!). <br />
<br />
* Rule-based search attacks<br />
To increase combination space coverage without slowing too much the process it's suggested to create good rules to generate candidates. <br />
For example "John the Ripper" can generate password variations from part of the username or modify through a preconfigured mask words in input (e.g. 1st round "pen" --> 2nd round "p3n" --> 3rd round "p3np3n").<br />
<br />
'''Bruteforcing HTTP Basic Authentication'''<br />
<br />
<pre><br />
raven@blackbox /hydra $ ./hydra -L users.txt -P words.txt www.site.com http-head /private/<br />
Hydra v5.3 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.<br />
Hydra (http://www.thc.org) starting at 2009-07-04 18:15:17<br />
[DATA] 16 tasks, 1 servers, 1638 login tries (l:2/p:819), ~102 tries per task<br />
[DATA] attacking service http-head on port 80<br />
[STATUS] 792.00 tries/min, 792 tries in 00:01h, 846 todo in 00:02h<br />
[80][www] host: 10.0.0.1 login: owasp password: password<br />
[STATUS] attack finished for www.site.com (waiting for childs to finish)<br />
Hydra (http://www.thc.org) finished at 2009-07-04 18:16:34<br />
<br />
raven@blackbox /hydra $ <br />
</pre><br />
<br />
'''Bruteforcing HTML Form Based Authentication'''<br />
<br />
<pre><br />
raven@blackbox /hydra $ ./hydra -L users.txt -P words.txt www.site.com https-post-form<br />
"/index.cgi:login&name=^USER^&password=^PASS^&login=Login:Not allowed" &<br />
<br />
Hydra v5.3 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.<br />
Hydra (http://www.thc.org)starting at 2009-07-04 19:16:17<br />
[DATA] 16 tasks, 1 servers, 1638 login tries (l:2/p:819), ~102 tries per task<br />
[DATA] attacking service http-post-form on port 443<br />
[STATUS] attack finished for wiki.intranet (waiting for childs to finish)<br />
[443] host: 10.0.0.1 login: owasp password: password<br />
[STATUS] attack finished for www.site.com (waiting for childs to finish)<br />
Hydra (http://www.thc.org) finished at 2009-07-04 19:18:34<br />
<br />
raven@blackbox /hydra $<br />
</pre><br />
<br />
== Gray Box testing and example == <br />
TD - Having Partial knowledge of password and account details (e.g. lenght or charset)<br />
<br />
TD - Memory Trade Off Attacks<br />
<br />
<br><br />
<br />
== References ==<br />
'''Whitepapers'''<br><br />
<br />
'''Tools'''<br><br />
* THC Hydra: http://www.thc.org/thc-hydra/<br />
* John the Ripper: http://www.openwall.com/john/<br />
<br />
<br><br />
<br />
{{Category:OWASP Testing Project AoC}}<br />
[[OWASP Testing Guide v2 Table of Contents]]<br />
{{Template:Stub}}</div>Alombardinihttps://wiki.owasp.org/index.php?title=Testing_for_Brute_Force_(OWASP-AT-004)&diff=11644Testing for Brute Force (OWASP-AT-004)2006-11-04T14:45:53Z<p>Alombardini: /* Discovery Authentication Methods */</p>
<hr />
<div>{{Template:OWASP Testing Guide v2}}<br />
<br />
== Brief Summary ==<br />
<br><br />
Brute-forcing consists of systematically enumerating all possible candidates for the solution and checking whether each candidate satisfies the problem's statement. In web application testing, the problem we are going to face with the most is very often connected with the need of having a valid user account to access the inner part of the application.<br />
Therefore we are going to check different types of authentication schema and the effectiveness of different brute-force attacks.<br />
<br><br />
<br />
== Description of the Issue == <br />
<br><br />
A great majority of web applications provide a way for users to authenticate themselves. By having knowledge of user's identity it's possible to create protected areas or more generally, to have the application behave differently upon the logon of different users.<br />
Actually there are several methods for a user to authenticate to a system like certificates, biometric devices, OTP (One Time Password) tokens, but in web application we usually find a combination of user ID and password. Therefore it's possible to carry out an attack to retrieve a valid user account and password, by trying to enumerate many (ex. dictionary attack) or the whole space of possible candidates.<br />
<br />
After a successful bruteforce attack, a malicious user could have access to:<br />
<br />
* Confidential information / data;<br />
** Private sections of a web application, could disclose confidential documents, user's profile data, financial status, bank details, user's relationships, etc..<br />
<br />
* Administration panels;<br />
** These sections are used by webmasters to manage (modify, delete, add) web application content, manage user provisioning, assign different privileges to the users, etc..<br />
<br />
* Availability of further attack vectors;<br />
** Inner sections of a web application could hide dangerous vulnerabilities and contain advanced functionalities not available to public users.<br />
<br />
<br><br />
<br />
== Black Box testing and example ==<br />
<br><br />
=== Discovery Authentication Methods ===<br />
<br />
Unless an entity decides to apply a sophisticated web authentication, the two most commonly see methods are as follows:<br />
<br />
* HTTP Authentication;<br />
** Basic Access Authentication<br />
** Digest Access Authentication<br />
* HTML Form-based Authentication;<br />
<br />
The following sections provide some good information on identifying the authentication mechanism employed during a blackbox test.<br />
<br />
'''HTTP authentication'''<br />
<br />
There are two native HTTP access authentication schemes available to an organisation – Basic and Digest. <br />
<br />
* Basic Access Authentication<br />
<br />
Basic Access Authentication assumes the client will identify themselves with a login name ("owasp") and password ("password"). When the client browser initially accesses a site using this scheme, the web server will reply with a 401 response containing a “WWW-Authenticate” tag containing a value of “Basic” and the name of the protected realm (e.g. WWW-Authenticate: Basic realm="wwwProtectedSite”). The client browser will then prompt the user for their login name and password for that realm. The client browser then responds to the web server with an “Authorization” tag, containing the value “Basic” and the base64-encoded concatenation of the login name, a colon, and the password (e.g. Authorization: Basic b3dhc3A6cGFzc3dvcmQ=). Unfortunately, the authentication reply can be easily decrypted should an attacker sniff the transmission.<br />
<br />
* Request and Response Test:<br />
<br />
1) Client sends standard HTTP request for resource:<br />
<pre><br />
GET /members/docs/file.pdf HTTP/1.1<br />
Host: target<br />
</pre><br />
<br />
2. The web server states that the requested resource is located in a protected directory.<br />
<br />
3. Server Sends Response with HTTP 401 Authorization Required:<br />
<br />
<pre><br />
HTTP/1.1 401 Authorization Required<br />
Date: Sat, 04 Nov 2006 12:52:40 GMT<br />
WWW-Authenticate: Basic realm="User Realm"<br />
Content-Length: 401<br />
Keep-Alive: timeout=15, max=100<br />
Connection: Keep-Alive<br />
Content-Type: text/html; charset=iso-8859-1<br />
</pre><br />
<br />
4. Browser displays challenge pop-up for username and password data entry.<br />
<br />
5. Client Resubmits HTTP Request with credentials included:<br />
<br />
<pre><br />
GET /members/docs/file.pdf HTTP/1.1<br />
Host: target<br />
Authorization: Basic b3dhc3A6cGFzc3dvcmQ=<br />
</pre><br />
<br />
6. Server compares client information to its credentials list.<br />
<br />
7. If the credentials are valid the server sends the requested content. If authorization fails the server resends HTTP status code 401 in the response header. If the user clicks Cancel the browser will likely display an error message.<br />
<br />
<br />
<pre><br />
The string QWRtaW46Zm9vYmFy== symply base64 decodes as follows:<br />
Base64 Decoded : owasp:password<br />
</pre><br />
<br />
'''Digest Access Authentication'''<br />
<br />
Digest Access Authentication expands upon the security of Basic Access Authentication by using a one-way cryptographic hashing algorithm (MD5) to encrypt authentication data and, secondly, adding a single use (connection unique) “nonce” value set by the web server. This value is used by the client browser in the calculation of a hashed password response. While the password is obscured by the use of the cryptographic hashing and the use of the nonce value precludes the threat of a replay attack, the login name is submitted in clear text.<br />
<br />
However, while both HTTP access authentication schemes may appear suitable for commercial use over the Internet, particularly when used over an SSL encrypted session, many organisations have chosen to utilise custom HTML and application level authentication procedures in order to provide a more sophisticated authentication procedure. Chiefly amongst these are: <br />
<br />
* Requirements for users to more fully identify themselves uniquely, beyond simple user name and password fields.<br />
* To provide a robust defence against brute force type attacks.<br />
* To better handle the client-server sessions, particularly their cancellation and expiry.<br />
* To overcome the nuances of a distributed, load-balanced site architecture, and client-side caching or proxy services.<br />
<br />
<pre><br />
GET /example/owasp/test.asmx HTTP/1.1<br />
Accept: */*<br />
Authorization: Digest username="owasp", <br />
realm="OwaspSample", <br />
qop="auth", <br />
algorithm="MD5", <br />
uri="/example/owasp/test.asmx", <br />
nonce="Ny8yLzIwMDIgMzoyNjoyNCBQTQ", <br />
nc=00000001, <br />
cnonce="c51b5139556f939768f770dab8e5277a", <br />
opaque="0000000000000000", <br />
response="2275a9ca7b2dadf252afc79923cd3823" <br />
</pre> <br />
<br />
<br><br />
<br />
== Gray Box testing and example == <br />
'''Testing for Topic X vulnerabilities:'''<br><br />
...<br><br />
'''Result Expected:'''<br><br />
...<br><br><br />
== References ==<br />
'''Whitepapers'''<br><br />
...<br><br />
'''Tools'''<br><br />
...<br><br />
<br />
{{Category:OWASP Testing Project AoC}}<br />
[[OWASP Testing Guide v2 Table of Contents]]<br />
{{Template:Stub}}</div>Alombardinihttps://wiki.owasp.org/index.php?title=Testing_for_Brute_Force_(OWASP-AT-004)&diff=11643Testing for Brute Force (OWASP-AT-004)2006-11-04T14:45:15Z<p>Alombardini: /* Discovery Authentication Methods */</p>
<hr />
<div>{{Template:OWASP Testing Guide v2}}<br />
<br />
== Brief Summary ==<br />
<br><br />
Brute-forcing consists of systematically enumerating all possible candidates for the solution and checking whether each candidate satisfies the problem's statement. In web application testing, the problem we are going to face with the most is very often connected with the need of having a valid user account to access the inner part of the application.<br />
Therefore we are going to check different types of authentication schema and the effectiveness of different brute-force attacks.<br />
<br><br />
<br />
== Description of the Issue == <br />
<br><br />
A great majority of web applications provide a way for users to authenticate themselves. By having knowledge of user's identity it's possible to create protected areas or more generally, to have the application behave differently upon the logon of different users.<br />
Actually there are several methods for a user to authenticate to a system like certificates, biometric devices, OTP (One Time Password) tokens, but in web application we usually find a combination of user ID and password. Therefore it's possible to carry out an attack to retrieve a valid user account and password, by trying to enumerate many (ex. dictionary attack) or the whole space of possible candidates.<br />
<br />
After a successful bruteforce attack, a malicious user could have access to:<br />
<br />
* Confidential information / data;<br />
** Private sections of a web application, could disclose confidential documents, user's profile data, financial status, bank details, user's relationships, etc..<br />
<br />
* Administration panels;<br />
** These sections are used by webmasters to manage (modify, delete, add) web application content, manage user provisioning, assign different privileges to the users, etc..<br />
<br />
* Availability of further attack vectors;<br />
** Inner sections of a web application could hide dangerous vulnerabilities and contain advanced functionalities not available to public users.<br />
<br />
<br><br />
<br />
== Black Box testing and example ==<br />
<br><br />
=== Discovery Authentication Methods ===<br />
<br />
Unless an entity decides to apply a sophisticated web authentication, the two most commonly see methods are as follows:<br />
<br />
* HTTP Authentication;<br />
** Basic Access Authentication<br />
** Digest Access Authentication<br />
* HTML Form-based Authentication;<br />
<br />
The following sections provide some good information on identifying the authentication mechanism employed during a blackbox test.<br />
<br />
'''HTTP authentication'''<br />
<br />
There are two native HTTP access authentication schemes available to an organisation – Basic and Digest. <br />
<br />
* Basic Access Authentication<br />
<br />
Basic Access Authentication assumes the client will identify themselves with a login name ("owasp") and password ("password"). When the client browser initially accesses a site using this scheme, the web server will reply with a 401 response containing a “WWW-Authenticate” tag containing a value of “Basic” and the name of the protected realm (e.g. WWW-Authenticate: Basic realm="wwwProtectedSite”). The client browser will then prompt the user for their login name and password for that realm. The client browser then responds to the web server with an “Authorization” tag, containing the value “Basic” and the base64-encoded concatenation of the login name, a colon, and the password (e.g. Authorization: Basic b3dhc3A6cGFzc3dvcmQ=). Unfortunately, the authentication reply can be easily decrypted should an attacker sniff the transmission.<br />
<br />
* Request and Response Test:<br />
<br />
1) Client sends standard HTTP request for resource:<br />
<pre><br />
GET /members/docs/file.pdf HTTP/1.1<br />
Host: target<br />
</pre><br />
<br />
2. The web server states that the requested resource is located in a protected directory.<br />
<br />
3. Server Sends Response with HTTP 401 Authorization Required:<br />
<br />
<pre><br />
HTTP/1.1 401 Authorization Required<br />
Date: Sat, 04 Nov 2006 12:52:40 GMT<br />
WWW-Authenticate: Basic realm="User Realm"<br />
Content-Length: 401<br />
Keep-Alive: timeout=15, max=100<br />
Connection: Keep-Alive<br />
Content-Type: text/html; charset=iso-8859-1<br />
</pre><br />
<br />
4. Browser displays challenge pop-up for username and password data entry.<br />
<br />
5. Client Resubmits HTTP Request with credentials included:<br />
<br />
<pre><br />
GET /members/docs/file.pdf HTTP/1.1<br />
Host: target<br />
Authorization: Basic b3dhc3A6cGFzc3dvcmQ=<br />
</pre><br />
<br />
6. Server compares client information to its credentials list.<br />
<br />
7. If the credentials are valid the server sends the requested content. If authorization fails the server resends HTTP status code 401 in the response header. If the user clicks Cancel the browser will likely display an error message.<br />
<br />
<br />
<pre><br />
The string QWRtaW46Zm9vYmFy== symply base64 decodes as follows:<br />
Base64 Decoded : owasp:password<br />
</pre><br />
<br />
'''Digest Access Authentication'''<br />
<br />
Digest Access Authentication expands upon the security of Basic Access Authentication by using a one-way cryptographic hashing algorithm (MD5) to encrypt authentication data and, secondly, adding a single use (connection unique) “nonce” value set by the web server. This value is used by the client browser in the calculation of a hashed password response. While the password is obscured by the use of the cryptographic hashing and the use of the nonce value precludes the threat of a replay attack, the login name is submitted in clear text.<br />
<br />
However, while both HTTP access authentication schemes may appear suitable for commercial use over the Internet, particularly when used over an SSL encrypted session, many organisations have chosen to utilise custom HTML and application level authentication procedures in order to provide a more sophisticated authentication procedure. Chiefly amongst these are: <br />
<br />
* Requirements for users to more fully identify themselves uniquely, beyond simple user name and password fields.<br />
* To provide a robust defence against brute force type attacks.<br />
* To better handle the client-server sessions, particularly their cancellation and expiry.<br />
* To overcome the nuances of a distributed, load-balanced site architecture, and client-side caching or proxy services.<br />
<br />
<pre><br />
GET /example/owasp/test.asmx HTTP/1.1<br />
Accept: */*<br />
Authorization: Digest username="owasp", <br />
realm="OwaspSample", <br />
qop="auth", <br />
algorithm="MD5", <br />
uri="/example/owasp/test.asmx", <br />
nonce="Ny8yLzIwMDIgMzoyNjoyNCBQTQ", <br />
nc=00000001, <br />
cnonce="c51b5139556f939768f770dab8e5277a", <br />
opaque="0000000000000000", <br />
response="2275a9ca7b2dadf252afc79923cd3823" <br />
</pre> <br />
<br />
<br><br />
<br />
== Gray Box testing and example == <br />
'''Testing for Topic X vulnerabilities:'''<br><br />
...<br><br />
'''Result Expected:'''<br><br />
...<br><br><br />
== References ==<br />
'''Whitepapers'''<br><br />
...<br><br />
'''Tools'''<br><br />
...<br><br />
<br />
{{Category:OWASP Testing Project AoC}}<br />
[[OWASP Testing Guide v2 Table of Contents]]<br />
{{Template:Stub}}</div>Alombardini