- Authentication is the process of verifying the identity of a user or client. Websites are potentially exposed to anyone who is connected to the internet. This makes robust authentication mechanisms integral to effective web security.
There are three main types of authentication:
- Something you know, such as a password or the answer to a security question. These are sometimes called "knowledge factors".
- Something you have. This is a physical object such as a mobile phone or security token. These are sometimes called "possession factors".
- Something you are or do. For example, your biometrics or patterns of behavior. These are sometimes called "inherence factors".
- Authentication is the process of verifying that a user is who they claim to be. Authorization involves verifying whether a user is allowed to do something.
- For example, authentication determines whether someone attempting to access a website with the username Carlos123 really is the same person who created the account.
- Once Carlos123 is authenticated, their permissions determine what they are authorized to do. For example, they may be authorized to access personal information about other users, or perform actions such as deleting another user's account.
Most vulnerabilities in authentication mechanisms occur in one of two ways:
- The authentication mechanisms are weak because they fail to adequately protect against brute-force attacks.
- Logic flaws or poor coding in the implementation allow the authentication mechanisms to be bypassed entirely by an attacker. This is sometimes called "broken authentication".
- Rate limiting is used to control the amount of incoming and outgoing traffic to or from a network. If the number of requests a client makes exceeds the configured limit, an error is returned. The reasoning behind implementing rate limits is to allow for a better flow of data and to increase security by mitigating attacks such as DDoS.
- No rate limit means there is no mechanism to protect against a large number of requests made in a short time frame. So try sending lots of requests; if nothing blocks you, you can consider it a vulnerability.
- What is No Rate Limit Vulnerability - https://www.youtube.com/watch?v=iYgJI88ALew
- Most web applications provide users with a "password reset" functionality via email. This functionality allows users to recover their account, generate a new password, and fix their own problems. So let's start and learn how to look for bugs in this function.
How To Hunt:
- Enter your details in the signup form and submit the form.
- Capture the signup request and send it to Intruder.
- Add the payload markers ($$) to the email parameter.
- In the payload list, add different email addresses.
- Start Intruder and check whether it returns 200 OK.
- Reference link - https://hackerone.com/reports/905692
How To Hunt:
- Create your account, edit your name to an HTML tag and save it.
- Request a signup and check your email.
- You will notice the tag getting executed.
- HTML injection is usually considered a low to medium severity bug, but you can escalate the severity by serving a link tag that redirects the user to a malicious website.
- Reference link - https://hackerone.com/reports/502926
- Go to https://example.com/signup
- Just fill up the signup form and don't submit.
- Open burp suite and configure it to intercept the submit request.
- Submit the form.
- Change the value of the email parameter from a valid email address to <img src=x onerror=alert(document.domain)>
- Forward the request and turn intercept off.
- Go to the browser and Tadaa! XSS triggers.
- Reference link - https://hackerone.com/reports/119090
Note - This form throws the error "[EMAIL ADDRESS]: email doesn't appear to be a valid email address", where [EMAIL ADDRESS] is actually <img src=x onerror=alert(document.domain)>
- Go to the target website
- Just fill up the signup form and don't submit.
- Open burp suite and configure it to intercept the submit request.
- Submit the form.
- Change the value of the email parameter from a valid email address to <img src=x onerror=alert(document.domain)>
- Forward the request and turn intercept off.
- Go to the browser and Tadaa! XSS triggers.
- Payload for Username field: <svg/onload=confirm(1)>
- Payload for Email field: "><svg/onload=confirm(1)>"@x.y
- Try registering any email address without verifying it.
- Try registering an account again, but this time with a different method, such as "sign up with Google", using the same email address.
- You will see that this successfully bypasses the email verification.
- What happens here is that the attacker can now easily log in to the victim's account, bypassing the verification.
- Reference - https://hackerone.com/reports/1074047
Rate limiting is used to control the amount of incoming and outgoing traffic to or from a network. Basically, no rate limit means there is no mechanism to protect against a large number of requests made in a short time frame. So try sending lots of requests; if nothing blocks you, you can consider it a vulnerability.
How To Hunt:
- Go to https://example.com/resetPassword/
- Enter the email then click reset password
- Intercept this request in Burp Suite.
- Send it to Intruder and repeat it 50 times.
- You will get a 200 OK status.
- Reference link - https://hackerone.com/reports/838572
- If you try to change the password and see an email parameter in the password change request, try changing your email to the victim's email.
- Usually, if we reset our password on https://example.com/, we get a password reset link by email, and through that password reset link we can reset our password.
- But I noticed that if we add another email in the forgot-password request through Burp Suite, then both persons will get the same password reset token in their email.
- So, an attacker can takeover any account without the user's interaction.
How To Hunt:
- First visit the sign-up page of your website.
- Enter your email and create a password.
- Enter your name and mobile phone number, then sign up.
- Then request a verification code by email.
- Enter a wrong verification code and intercept the request using Burp Suite.
- After intercepting the request, I changed the status from "False" to "True" ({"status":false} to {"status":true}).
- Boom!! Verification code bypassed.
- Finally, the account was created with the wrong verification code.
- Reference link - https://hackerone.com/reports/1406471
- Reference link - https://hackerone.com/reports/1181253
How To Hunt:
- The attacker creates an account with the victim's email ID, e.g. [email protected]
- Now he doesn't know the verification code.
- The attacker starts a brute-force attack to get the correct verification code.
- Once the attacker gets the verification code, the signup continues.
- Finally, the account is created using the victim's email.
- Reference link - https://hackerone.com/reports/1394984
- Reference link - https://hackerone.com/reports/64666
How To Hunt:
- Sign up on the web application as [email protected]
- You will receive a confirmation email at [email protected]; do not open that link now.
- The application may ask you to confirm your email; check if it allows navigating to the account settings page.
- On the settings page, check if you can change the email.
- If allowed, change the email to [email protected].
- Now you will be asked to confirm [email protected] by opening the confirmation link received at [email protected]. Instead of opening the new link, go to the [email protected] inbox and open the previously received link.
- If the application verifies [email protected] using the previous verification link received at the attacker's mail, then this is an email verification bypass.
- Reference link - https://hackerone.com/reports/1040047
- When a user requests a password change, they get a password reset link to reset the password. That is the normal behaviour, but the link should also expire after some period of time. If it does not expire and you can use the password reset link multiple times to reset the password, then you can consider it a vulnerability.
How To Hunt:
- Send the password reset link to your email.
- Don't open the password reset link; just copy it and paste it into any editor.
- Open your account.
- Go to your account settings.
- Under Account, you will see Account Overview.
- Go to the Email and Password option, change the email and verify it.
- After changing the email, go to the password reset link which you copied.
- Change your password.
- Reference link - https://hackerone.com/reports/685007
How To Hunt:
- First you need to create an account with a valid email address.
- After creating an account, log out from your account and navigate to the forgot-password page.
- Request a password reset link for your account.
- Use the password reset link and change the password. After changing the password, log in to your account.
- Now use the old password reset link to change the password again.
- If you are able to change your password again, then this is a bug.
- Reference link - https://hackerone.com/reports/898841
- Normally passwords are limited to 8, 12, 24 or up to 48 characters. If there is no length limit when setting a password, you can consider it a vulnerability. You can check this by entering a very long string as the password while changing passwords or creating accounts, which can lead to a DoS.
How to Hunt:
- Go to the sign-up page and the forgot-password page.
- Fill in the form and enter a long string as the password.
- Press enter and you'll get a 500 Internal Server Error if it is vulnerable.
- Reference link - https://hackerone.com/reports/840598
- Reference link - https://hackerone.com/reports/738569
How To Hunt:
- Create an account on your target site.
- Log in to two browsers with the same account (Chrome, Firefox; you can use incognito mode as well).
- Change your password in Chrome. On successful password change, refresh your logged-in account in Firefox/incognito mode.
- If you're still logged in, then this is a bug.
- Reference link - https://hackerone.com/reports/1069392
How To Hunt:
- Create your account
- Log in to your account.
- Use a cookie editor extension in the browser.
- Copy all the target's cookies.
- Log out of your account.
- Paste those cookies into the cookie editor extension in another browser.
- Refresh the page; if you are logged in, then this is session hijacking.
- Reference link - https://hackerone.com/reports/1201396
- The HTTP referrer is an optional HTTP header field that identifies the address of the webpage which links to the resource being requested. The Referer request header contains the address of the previous web page from which a link to the currently requested page was followed. So it is possible that the password reset token leaks via the Referer request header.
How To Hunt:
- Go to the target website and request a password reset.
- Now check your email; you will get your password reset link.
- Now just copy the link, open a private window and paste the link.
- Don't change the password yet; first click on any external link available on that same page, such as social media links.
- Capture that request in Burp Suite.
- You will find the reset token in the Referer header.
- Reference link - https://hackerone.com/reports/751581
- Navigate to: https://app.upchieve.org/resetpassword
- Then, enter the victim's email address
- Intercept this request
- Now add your email as well to the JSON body, like this: {"email":["[email protected]","[email protected]"]}
- Forward this request.
- Now the victim and you will receive the same password reset link.
- Using the link you just received in your email, you can fully take over the victim's account by resetting the password.
- Reference - https://hackerone.com/reports/1175081
Example Payloads
- email=[email protected]&email=[email protected]
- email=[email protected]%0a%0dcc:[email protected]
- {"email":["[email protected]","[email protected]"]}
- email=[email protected],[email protected]
- email=[email protected]|[email protected]
- email=[email protected]%[email protected]
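The reset-token weaknesses above (one token mailed to two addresses through parameter pollution, links that never expire or work more than once, and links that survive an email change as in the verification bypass earlier) share one fix: bind each token to a user and an address, expire it, and consume it. The following Python is an added example, not code from the original post or from any of the referenced reports; the in-memory stores, the user record and the TTL are constructed assumptions.

```python
import re
import secrets
import time

# Constructed in-memory stores standing in for the application's database.
USERS = {"alice": {"email": "alice@example.com", "password": "old-pw"}}
RESET_TOKENS = {}            # token -> {"user", "email", "expires", "used"}
TOKEN_TTL_SECONDS = 15 * 60  # reset links die after 15 minutes

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_single_recipient(value):
    """Accept exactly one plain email string, else None: JSON arrays, comma or
    pipe separated lists and CR/LF (header injection) can never reach the mailer."""
    if not isinstance(value, str):
        return None
    if any(ch in value for ch in "\r\n,|;"):
        return None
    value = value.strip().lower()
    return value if EMAIL_RE.fullmatch(value) else None


def issue_reset_token(user, now=None):
    """Mint a random token bound to the user AND the address it is mailed to."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = {"user": user, "email": USERS[user]["email"],
                           "expires": now + TOKEN_TTL_SECONDS, "used": False}
    return token


def request_reset(raw_email, now=None):
    """Forgot-password handler: returns (address_to_mail, token) or None."""
    email = parse_single_recipient(raw_email)
    if email is None:
        return None
    for user, rec in USERS.items():
        if rec["email"] == email:
            return email, issue_reset_token(user, now)
    return None  # unknown address (a real handler answers identically either way)


def redeem_reset_token(token, new_password, now=None):
    """Consume a token: it must exist, be unexpired, unused and still match the
    account's current email. Success voids every other token for that user."""
    now = time.time() if now is None else now
    rec = RESET_TOKENS.get(token)
    if rec is None or rec["used"] or now > rec["expires"]:
        return False
    user = rec["user"]
    if rec["email"] != USERS[user]["email"]:  # address changed since issuance
        return False
    USERS[user]["password"] = new_password
    for other in RESET_TOKENS.values():       # single use, for every outstanding link
        if other["user"] == user:
            other["used"] = True
    return True


def change_email(user, new_email):
    """Changing the address invalidates links that were sent to the old one."""
    USERS[user]["email"] = new_email
    for rec in RESET_TOKENS.values():
        if rec["user"] == user:
            rec["used"] = True
```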
- Password reset poisoning is a technique whereby an attacker manipulates a vulnerable website into generating a password reset link pointing to a domain under their control. This behaviour can be leveraged to steal the secret tokens required to reset arbitrary users’ passwords and, ultimately, compromise their accounts.
How To Hunt:
- Intercept the password reset request in Burp Suite
- Add or edit the following headers in Burp Suite : Host: attacker.com, X-Forwarded-Host: attacker.com
- Forward the request with the modified header
- Look for a password reset URL based on the Host header, like: https://attacker.com/reset-password.php?token=TOKEN
- Reference link - https://hackerone.com/reports/226659
How To Hunt:
- Check out the auth bypass method; there is a method for OTP bypass via response manipulation, which can lead to account takeovers.
- Enter the wrong auth code / password.
- Capture an auth request in Burp Suite and send it to Repeater.
- Check the response.
- Change the response by manipulating the following parameters:
- {"code":"invalid_credentials"} -> {"code":"valid_credentials"}
- {"verify":"false"} -> {"verify":"true"}
How To Hunt:
- Create an account on the website.
- Go to the profile section and change/update your details in the name parameter. Before saving, open Burp Suite, turn the proxy on and then click on Save.
- Now capture the request in Burp Suite and send it to the Repeater tab.
- Now log out from the website and go back to Burp Suite.
- Now change the email and name parameters and click on "Go" in the Repeater tab.
- Now you will be able to see a 200 OK response from the web server.
- Now log in to your account and go to the profile section to confirm.
How To Hunt:
First Method
- Register an account with a mobile number and request an OTP.
- Enter an incorrect OTP and capture the request in Burp Suite.
- Choose "Do intercept -> Response to this request" and forward the request.
- The response will be {"verificationStatus":false,"mobile":"9072346577","profileId":"84673832"}
- Change this response to {"verificationStatus":true,"mobile":"9072346577","profileId":"84673832"}
- And forward the response.
- You will be logged in to the account.
Second Method
- Go to login and wait for the OTP pop-up.
- Enter an incorrect OTP and capture the request in Burp Suite.
- Choose "Do intercept -> Response to this request" and forward the request.
- The response will be an error.
- Change this response to success.
- And forward the response.
- You will be logged in to the account.
Third Method
- Register 2 accounts with any 2 mobile numbers (first enter the right OTP).
- Intercept your request.
- Click on Action -> Do intercept -> Response to this request.
- Check what the message displays, like status:1.
- Follow the same procedure with the other account, but this time enter a wrong OTP.
- Intercept the response to the request.
- See the message you get, like status:0.
- Change the status to 1, i.e. status:1, and forward the request. If you are logged in, you have just done an authentication bypass.
22. Bypassing OTP in registration forms by repeating the form submission multiple times using Repeater
How To Hunt:
- Create an account with a non-existing phone number
- Intercept the Request in BurpSuite
- Send the request to the repeater and forward
- Go to Repeater tab and change the non-existent phone number to your phone number
- If you got an OTP to your phone, try using that OTP to register that non-existent number
How To Hunt:
- The first step is to test what happens when you supply an arbitrary, unrecognized domain name via the Host header.
- If you receive an "Invalid Host header" response, your request may be blocked by some kind of security measure. In that case, the following techniques can be used to bypass the measure and perform a Host header attack.
- Add a port or a subdomain to the Host header
- Host: vulnerable-website.com:attacker-website.com
- Host: attacker-website.com.vulnerable-website.com
- Inject duplicate Host headers
- Host: vulnerable-website.com
- Host: attacker-website.com
- Supply an absolute URL
- GET https://vulnerable-website.com/ HTTP/1.1
- Host: attacker-website.com
- Add line wrapping
- GET /example HTTP/1.1
- Host: attacker-website.com
- Host: vulnerable-website.com
- Inject host override headers
- GET /example HTTP/1.1
- Host: vulnerable-website.com
- X-Forwarded-Host: attacker-website.com
- Reference link - https://hackerone.com/reports/13286
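One server-side defence against the Host header tricks above and the reset-link poisoning described earlier: validate the Host header strictly and never derive the mailed link from it. This is an added Python example, not code from the original post or from the referenced report; ALLOWED_HOSTS, CANONICAL_ORIGIN and the raw request strings are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed deployment config: the names this app is allowed to answer for,
# and the fixed origin used for any link that is mailed to a user.
ALLOWED_HOSTS = {"vulnerable-website.com", "www.vulnerable-website.com"}
CANONICAL_ORIGIN = "https://vulnerable-website.com"

_LABEL = r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(\.{_LABEL})*")


def parse_head(raw):
    """Split a raw request head into (request_line, [(name, value), ...]).
    A folded (whitespace-led) header line, the 'line wrapping' trick, is
    refused outright, which RFC 7230 permits a server to do."""
    lines = raw.split("\r\n")
    headers = []
    for line in lines[1:]:
        if line == "":
            break
        if line[0] in " \t" or ":" not in line:
            return None
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def effective_host(raw):
    """Return the validated request host, or None if the request must be refused."""
    parsed = parse_head(raw)
    if parsed is None:
        return None
    request_line, headers = parsed
    hosts = [v for n, v in headers if n == "host"]
    if len(hosts) != 1:                       # missing or duplicated Host header
        return None
    name, sep, port = hosts[0].lower().partition(":")
    if sep and not port.isdigit():            # "site.com:attacker-site.com"
        return None
    if not _HOSTNAME_RE.fullmatch(name) or name not in ALLOWED_HOSTS:
        return None                           # "attacker-site.com.site.com" etc.
    parts = request_line.split(" ")
    if len(parts) != 3:
        return None
    if "://" in parts[1] and urlsplit(parts[1]).hostname != name:
        return None                           # absolute-form target disagrees
    # X-Forwarded-Host, X-Host, Forwarded, ... are deliberately never consulted.
    return name


def reset_link_origin(raw):
    """Origin for the link in a password-reset mail: the Host header only
    gates the request; the link itself always uses CANONICAL_ORIGIN."""
    return CANONICAL_ORIGIN if effective_host(raw) else None
```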
1. Response Manipulation
- In response if "success":false
- Change it to "success":true
2. Status Code Manipulation
- If Status Code is 4xx
- Try to change it to 200 OK and see if it bypasses restrictions
3. 2FA Code Leakage in Response
- Check the response of the 2FA Code Triggering Request to see if the code is leaked.
4. JS File Analysis
- Rare but some JS Files may contain info about the 2FA Code, worth giving a shot
5. 2FA Code Reusability
- Same code can be reused
6. Lack of Brute-Force Protection
- Possible to brute-force any length 2FA Code
7. Missing 2FA Code Integrity Validation
- Code for any user account can be used to bypass the 2FA
8. CSRF on 2FA Disabling
- No CSRF Protection on disabling 2FA, also there is no auth confirmation
9. Password Reset Disable 2FA
- 2FA gets disabled on password change/email change
10. Backup Code Abuse
- Bypassing 2FA by abusing the Backup code feature
- Use the above mentioned techniques to bypass Backup Code to remove/reset 2FA reset restrictions
11. Clickjacking on 2FA Disabling Page
- Iframing the 2FA Disabling page and social engineering victim to disable the 2FA
12. Iframing the 2FA Disabling page and social engineering victim to disable the 2FA
- If the session is already hijacked and there is a session timeout vulnerability
13. Bypass 2FA with null or 000000
- Enter the code 000000 or null to bypass 2FA protection.
Steps:
- Enter "null" in the 2FA code
- Enter 000000 in the 2FA code
- Send an empty code (someone found this in Grammarly)
- Open a new tab in the same browser and check if other API endpoints are accessible without entering 2FA
14. Google Authenticator Bypass
Steps:
- Set up Google Authenticator for 2FA
- Now, 2FA is enabled
- Go to the password reset page and change your password
- If the website redirects you to your dashboard, then 2FA (Google Authenticator) is bypassed
15. Bypassing OTP in registration forms by repeating the form submission multiple times using Repeater
Steps:
- Create an account with a non-existing phone number
- Intercept the request in Burp Suite
- Send the request to Repeater and forward
- Go to the Repeater tab and change the non-existent phone number to your phone number
- If you got an OTP to your phone, try using that OTP to register that non-existent number
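Response manipulation works only because the client is trusted to report its own verification result. The added Python below (not code from the post or from any referenced target) keeps the OTP decision server-side, and also covers the reuse, brute-force, expiry, null/empty-code and cross-account cases from the 2FA list above; the profile IDs, phone numbers, TTL and attempt cap are constructed assumptions.

```python
import hmac
import secrets
import time

# Constructed in-memory state; a real app keeps this in its session store.
OTP_TTL_SECONDS = 5 * 60
MAX_ATTEMPTS = 5
PENDING = {}       # profile_id -> {"code", "mobile", "expires", "attempts"}
VERIFIED = set()   # profile_ids whose second factor has actually been completed


def start_otp(profile_id, mobile, now=None):
    """Issue a 6-digit code for one account and remember it server-side only."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** 6):06d}"
    PENDING[profile_id] = {"code": code, "mobile": mobile,
                           "expires": now + OTP_TTL_SECONDS, "attempts": 0}
    return code  # delivered to `mobile` out of band, never echoed in a response


def verify_otp(profile_id, submitted, now=None):
    """Check a submitted code and return the JSON the client will see.

    The client may edit that JSON in a proxy, but the server's decision is
    recorded in VERIFIED, so flipping verificationStatus changes nothing."""
    now = time.time() if now is None else now
    pending = PENDING.get(profile_id)
    # Nothing issued, or an empty / null / non-numeric submission: plain failure.
    if pending is None or not isinstance(submitted, str) or not submitted.isdigit():
        return {"verificationStatus": False, "profileId": profile_id}
    if now > pending["expires"] or pending["attempts"] >= MAX_ATTEMPTS:
        PENDING.pop(profile_id)  # expired or brute-forced: the code is dead
        return {"verificationStatus": False, "profileId": profile_id}
    pending["attempts"] += 1
    if not hmac.compare_digest(pending["code"].encode(), submitted.encode()):
        return {"verificationStatus": False, "profileId": profile_id}
    PENDING.pop(profile_id)      # single use: replaying the code cannot re-verify
    VERIFIED.add(profile_id)
    return {"verificationStatus": True, "profileId": profile_id}


def dashboard(profile_id, _client_says_verified=False):
    """Every later endpoint re-reads server state; the client's claim is ignored."""
    return "dashboard" if profile_id in VERIFIED else "second factor required"
```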
There are two ways to bypass rate limiting:
1. Customizing HTTP Methods
- If the request goes as GET, try changing it to POST, PUT, etc.
- If you want to bypass the rate limit in APIs, try the HEAD method.
- Host: bing.com
- X-Host: bing.com
- X-Forwarded-Server: bing.com
- X-HTTP-Host-Override: bing.com
- Forwarded: bing.com
- X-Forwarded: bing.com
- X-Forwarded-By: bing.com
- X-Forwarded-For: bing.com
- X-Forwarded-For-Original: bing.com
- X-Forwarder-For: bing.com
- X-Forward-For: bing.com
- X-Forwarded-Host: bing.com
- X-Remote-Addr: bing.com
2. Adding Headers to Spoof IP
- Host: 127.0.0.1
- X-Host: 127.0.0.1
- X-Forwarded-Server: 127.0.0.1
- X-HTTP-Host-Override: 127.0.0.1
- Forwarded: 127.0.0.1
- X-Forwarded: 127.0.0.1
- X-Forwarded-By: 127.0.0.1
- X-Forwarded-For: 127.0.0.1
- X-Forwarded-For-Original: 127.0.0.1
- X-Forwarder-For: 127.0.0.1
- X-Forward-For: 127.0.0.1
- X-Forwarded-Host: 127.0.0.1
- X-Remote-Addr: 127.0.0.1
- X-Original-Remote-Addr: 127.0.0.1
- X-Original-Url: 127.0.0.1
- X-Proxy-Url: 127.0.0.1
- X-Rewrite-Url: 127.0.0.1
- X-Real-Ip: 127.0.0.1
- X-Remote-Addr: 127.0.0.1
- X-Custom-IP-Authorization: 127.0.0.1
- X-Originating-IP: 127.0.0.1
- X-Remote-IP: 127.0.0.1
You must have encountered a Google CAPTCHA while testing a website. These are some ways with the help of which you can bypass it.
- Try removing the CAPTCHA parameter from the body of the request.
- Try adding some string of the same length as that of the parameter.
- Keep intercept on and send the request to Intruder. Sometimes it may give unexpected results.
- Adding a null byte (%00) at the end of the email can sometimes bypass the rate limit.
- Try adding a space character after the email (not encoded).
- Some common characters that help in bypassing rate limits: %0d, %2e, %09, %20
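The rate-limit bypasses above (spoofable X-Forwarded-For style headers, switching the HTTP method, and %00, space or CR/LF appended to the email) all target how the limiter builds its counter key. This is an added Python example, not code from the post: a sliding-window limiter that trusts forwarding headers only from a configured proxy, refuses non-POST methods and normalizes the address; the proxy address, the limits and the sample requests are constructed assumptions.

```python
import ipaddress
import time
from collections import defaultdict, deque

# Constructed deployment config: only the reverse proxy in front of the app
# may append X-Forwarded-For; forwarding headers from any other peer are noise.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}
WINDOW_SECONDS = 600
MAX_PER_EMAIL = 5      # reset mails per address per window
MAX_PER_CLIENT = 20    # reset requests per client address per window

_hits = defaultdict(deque)  # counter key -> timestamps inside the window


def client_address(peer_ip, headers):
    """Address to count against. X-Forwarded-For is honoured only when the TCP
    peer is a trusted proxy, and then only its last hop; X-Real-IP,
    X-Originating-IP, X-Remote-Addr and friends are never read at all."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        return str(peer)
    xff = {k.lower(): v for k, v in headers}.get("x-forwarded-for", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    try:
        return str(ipaddress.ip_address(hops[-1])) if hops else str(peer)
    except ValueError:             # "bing.com" or other junk in the header
        return str(peer)


def normalize_email(decoded):
    """Canonical counter key: a trailing %00, space, tab or CR/LF (already
    URL-decoded) and a change of case all land on the same bucket."""
    kept = (ch for ch in decoded if ch.isprintable() and not ch.isspace())
    return "".join(kept).lower()


def _allow(key, limit, now):
    """Sliding-window check: record the hit and report whether it fit."""
    window = _hits[key]
    while window and now - window[0] > WINDOW_SECONDS:
        window.popleft()
    if len(window) >= limit:
        return False
    window.append(now)
    return True


def allow_reset_request(peer_ip, headers, decoded_email, method="POST", now=None):
    """Decision for one forgot-password request: non-POST methods are refused,
    so switching to GET or HEAD cannot open a fresh, uncounted path."""
    if method.upper() != "POST":
        return False
    now = time.time() if now is None else now
    if not _allow("client:" + client_address(peer_ip, headers), MAX_PER_CLIENT, now):
        return False
    return _allow("email:" + normalize_email(decoded_email), MAX_PER_EMAIL, now)
```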
- The impact of authentication vulnerabilities can be severe. If an attacker bypasses authentication or brute-forces their way into another user's account, they have access to all the data and functionality that the compromised account has. If they are able to compromise a high-privileged account, such as a system administrator, they could take full control over the entire application and potentially gain access to internal infrastructure.
- Even compromising a low-privileged account might still grant an attacker access to data that they otherwise shouldn't have, such as commercially sensitive business information. Even if the account does not have access to any sensitive data, it might still allow the attacker to access additional pages, which provide a further attack surface. Often, high-severity attacks are not possible from publicly accessible pages, but they may be possible from an internal page.
- Implement CAPTCHA: a CAPTCHA is a common system to verify that a user is human and can stop brute-force attacks in progress.
- Implement the X-Rate-Limiting header: we can set rate limiting with this header.
Thanks For Reading 😊
Profile Links:
- Youtube channel - https://www.youtube.com/@suresh_shankar/
- Linkedin - https://www.linkedin.com/in/bug-hunter-suresh/