Comprehensive Guide on Broken Authentication & Session Management
In today’s digital landscape, merely having a strong password isn’t sufficient to safeguard user accounts. This article delves into the intricacies of a Broken Authentication attack, highlighting how attackers can exploit vulnerabilities in authentication and session management to gain unauthorized access. By understanding these threats, we can better fortify our applications against such breaches.
Does just keeping secure and a strong password can really protect you? Today in this article we’ll learn, how an attacker analyzes and take over the user’s account that have been logged in inside some weakly authenticated web-application with an immune password.
Table of Content
- Introduction to Authentication
- Broken Authentication and Session Management
- Sessions
- Cookies
- Impact of Broken Authentication
- Broken Authentication
- Credential Stuffing
- Insecure Web-Applications
- Insecure Login forms
- Logout management
- Bypassing Forget Password Option
- Improper Session Management
- Administrative Portal Login
- Session Hijacking
- Using the Browser’s Plugin
- Using Burpsuite
- Mitigation Steps
Introduction to Authentication
Authentication is the process of validating a user who is claiming to be a genuine one. Thus in a web-application, password plays a major role in the authentication phase. In order to get the desired access, the user must enter his username and password. Furthermore, he sends these credentials to the server for the authentication process.
However the server checks them into its database and if found valid, it generates a session and passes it to the browser in the form of Cookie Session ID.
What is Broken Authentication & Session Management
But what if an intruder bypasses this authentication process either by guessing up the username and passwords or even by capturing up an active session of any particular user. Thus, we consider this scenario as Broken Authentication, where developers often do not implement the authentication and session management of the web applications correctly, leading attackers to gain unauthorized access to the user’s data.
From the above picture you can see that the attacker is trying to get into the web-application by the credential stuffing method. Where he is having a bunch of breached passwords which thus in-turn helps him to gain an authenticated session.
A website or application is vulnerable to Broken Authentication when:
- Username and password are easy to guess using fuzzing or brute force.
- Password Does not match Password complexity policy.
- Enumeration of username/password at the of Authentication failure response invalid username or an invalid password.
A website or application is vulnerable to Session Management when:
- Login credentials are not protected when stored and lacking hashing and salt.
- Transmission of username and password over an unencrypted channel such as HTTP
- Session ID exposes in URL.
- User session or authentication tokens are not timeouts after user logout.
In order to explore more, let’s take a deep dive and learn about the sessions and the cookies concepts.
Sessions
When a user made any changes in a web application like a sign in or sign out, the server does not know who that person is. In order to solve this issue, sessions were introduced, which holds the information of a single user that can be reused across several web pages over a particular web-application.
Example: login ID user name and password.
Therefore, a system generates a unique identification number in the form of a hash for that specific session, consisting of a random string of 32 hexadecimal numbers such as 5f7dok65iif989fwrmn88er47gk834, and thus it is known as sessionID.
Cookies
A cookie is a small piece of data similar to the sessions, and the server sends them to the browser. Thus, the user’s computer stores this data while he/she is browsing. Cookies have a short time period due to their preset expiry date and time.
Cookies are classified into major categories but the most common one is –
Session Cookie
These cookies die when the browser closes because the browser’s temporary memory stores them. E-commerce websites majorly use them so the user can continue browsing without losing what he put in his cart and can finally check out. The system deletes the session cookie only when it reaches its expiration date or when a user shuts down the browser.
To know more about cookies and session management read from here
Impact of Broken Authentication
Broken Authentication is the vulnerability which allows the attacker to gain the user data without proper authentication. This vulnerability arises in the web application where the sessions are not properly sanitized. Therefore it stood as the second most critical vulnerability in the OWASP top10 having “a CVSS Score of 8.8”.
However, the Broken Authentication vulnerability has been majorly reported under
- CWE- 287 Improper Authentication
- CWE-345 Insufficient Verification of Data Authenticity
- CWE-522 Insufficiently Protected Credentials
To learn more about the other CWE categories for Broken Authentication and Session Management click here.
Vulnerability Walkthrough to demonstrate Various Attack
Until now you might be clear with the concept of authentication and aware with the fact that how crucial the sessions are. So now it’s time to exploit and analyze these vulnerabilities over the most vulnerable platforms i.e. bWapp and WebGoat.
Credential Stuffing
During the major data breaches, it is easy for the attackers to grab a list of commonly used usernames and passwords. Thus using these different login pairs, they are able to gain the actual user’s credential of a particular web-application. Credential stuffing somewhere also known as bruteforcing or fuzzing.
Capturing and Configuring the HTTP Request in BurpSuite
Therefore we’ll try to bypass this high-security captcha login using one of the best web-fuzzing tools i.e. Burpsuite.
Boot in your burpsuite in order to capture the ongoing HTTP request, by setting up the proxy server at the localhost and enabling the intercept option in the proxy tab.
As soon as you grab the request just send it directly to the intruder.
Now it’s time to configure our attack!!
Switch to the Position tab and choose the Attack type to Cluster Bomb, further add up the attack position by simple clearing all the preset positions with the Clear $ button and adding the new positions with the Add $ button.
From the above image, you can see that, I’ve set the attack position over the login and the password fields, where my dictionaries would work. Then in the Payload section, we’ll be adding up our dictionaries.
Choose the Payload Set 1 and 2 simultaneously one after the other and include our lists in both of them by simply clicking on the Load button and at last click on Start Attack.
Launching the Attack and Identifying Valid Credentials
From the below image, you can see that we have started our attack. There is a fluctuation in the length section, and our lists are working in the way we want. I’ve double-clicked over the length section in order to check the lowest value first.
Here, I was able to see that the payload 1 and 2 with bee and bug inputs respectively are giving a successful login in the Response section. Therefore I was able to get into the web-application by entering the credentials as a bee : bug.
Insecure Login Forms
As mentioned above, when someone stores login credentials without using proper security measures, such as failing to add hashing or salt values with the username and password at the storage location, they can create insecure logins that are vulnerable to session management.
Simply right-click anywhere on the form screen and choose View Page Source option.
While analyzing the HTML form code, I identify the username and the password values as tonystark and I am Iron Man hidden with the white font.
Insecure Logout Management
This is one of the most common vulnerabilities, where the developers simply setup the hyperlinks of the logout page at the logout text without having any concern about the generated session and do not validate the weather the session ID is getting timeout or not once the user logout from the application.
I’ve set the “Choose your bug” option at “Broken Authentication –Logout Management”. From the below image you can see that as I’ve clicked on the OK option in the popped up confirmation field. Thus further I had been redirected to the logout page.
Now let’s try to simply click on the back button. Great!! We are back into the account again. That means we were just redirected to the new page but our session cookies were not expired yet.
Bypassing Forget Password Option
Forget Password is the most common feature of every web-application. The majority of applications use it, in order to send a reset password link to their users at their registered email addresses. But what, if we exploit this feature and change the credentials of the users without their concern or even without capturing anything from their browsers?
Let’s try how we can exploit it!!
Exploiting the Password Reset Flow in WebGoat
I’ve logged in into the WebGoat’s platform by creating a new user account as hackingarticles (Attacker) in order to exploit this vulnerability. To install and setup WebGoat click here.
Note: Here at port 8080 the Webgoat server is enabled for HTTP service and at port 9090 the webwolf is enabled for SMTP.
From the left-hand side, the panel selects Broken Authentication following with Password Reset field. Thus selecting the 6th option from the top, we’ll be redirected to our desired task.
Dragging to the bottom we’ll find the Account Access form, below there we can find a “forgot password” option.
As soon as we click on it we’ll be redirected to the “Forgot Your Password” page.
Now, it’s time to start our attack, I’ve entered hackingarticles@webgoat-cloud.org as the registered email address.
From the above image, you can see that we got the response as “An email has been sending to hackingarticles@webgoat-cloud.org”
Now let’s surf the WebWolf’s webpage and enter the same credentials (Attack’s) that you have used while logging into WebGoat
http://192.168.0.11:9090/login
From the below image, you can see that I’ve received an email with a reset link in order to set up the new password.
Hijacking the Target User’s Password
Now it’s time to break and get into the victim’s account i.e.“tom’s account” who is my target and with the help of footprinting, I have identified his email ID. Back to the WebGoat server, we’ll write the tom’s email address as tom@webgoat-cloud.org. But this time we’ll capture the request in the burpsuite before sending it to the server.
As soon as we capture the “Post Request”, we’ll send it all to the repeater.
Now we’ll manipulate the request and send it to our server i.e. the server we set at 192.168.0.11:9090.
From the above image, you can see that “An email has been send to tom@webgoat-cloud.org”. But this email has actually been sent over our WebWolf server.
Let’s get back to our “WebWolf” application and check what we have received as in our Incoming Request.
From the above image, you can see that I’ve successfully manipulated the WebGoat server, which sends the request over my account. Copy the unique Id as highlighted, which we will use in our future case.
We’re now almost done, go back to the inbox of “hackingarticles@webgoat-cloud.org” and open that reset link that we got earlier.
From the above image you can see that, in the URL section, we’re having a unique ID here too. Let’s change this unique ID with the one we copied earlier.
Woah!! We are redirected to a new “Reset your password” page, seems like we’re changing Tom’s credentials.
I’ve now set the password here as “tomandjerry”. And fired the “SAVE” button.
Let’s check whether we’re able to change the tom’s credentials or not.
Go back to the WebGoat web-application and select the option to “Account Access” and enter the following credentials:
tom@webgoat-cloud.org tomandjerry
Great!! We’ve successfully changed Tom’s password just with his email account, without knowing who is tom.
Improper Administrative Login
Attackers consider administrative logins one of the most important and the most crucial vulnerabilities. This occurs due to unsanitized sessions generated from the server’s end.
Let’s try to exploit this vulnerability and get into the web-application with the administrative privileges.
Boot back into your bWapp server and select “Session Management – Administrative Portals” in the “Choose Your Bug” option keeping the security at low.
From the above image you can see that after the “.php?” we’ve got “admin=0”, let’s manipulate this but “admin=1” and check out the grabbed result.
Simple!! We’ve unlocked this page with the administrative rights.
Let’s try to increase up the level and set it to “medium”, now checking the same in the URL, we won’t be able to find anything. So is this vulnerability patched?
Wait, let’s try to capture its cookies and analyze them.
Look there it is, the flaw is still the same, but this time it is in the cookies. So now let’s check whether our manipulation will work or not?
I’ve again manipulated the “admin=0” to “admin=1”
From the below image you can see that we’ve successfully unlocked the webpage again with some simple manipulations
Session Hijacking
Until now, we all are aware that a unique session ID generates for every different user, thus when an attacker sniffs the network traffic via a man-in-the-middle attack or via Cross-Site Scripting, they steal the session ID or the session tokens of the legitimate user’s authenticated session to gain an unauthorized login. This methodology is known as Session Hijacking.
The idea about session hijacking would be more clear from this image.
Here the user enters his credentials into the web-application, thus application sends them to the server for authentication. Therefore as soon as the system finds the credentials valid, the server generates a session and shares it with the browser, such that the user does not need to enter his credentials every time for every single page he requests.
But the attacker sniffs the network and steals these freshly generated session IDs before the system sends them to the user. Now the attacker just needs to send these session IDs to the web server, and the server tries to match them with its database-stored session IDs. If they both match, the server responds to the attacker with an HTTP 200 OK reply, and the attacker gains successful access without submitting proper identification.
So it’s time to play with these sessions and hijack some accounts.
Session Hijacking using Browser’s extensions
Isn’t it great if you could simply get into other’s account without bruteforcing or resetting the password or by not finding any flaws in the web-application?
To perform all this, we will use a simple browser extension, i.e., “Cookie Editor,” which allows us to import and export the browser-generated cookies by simply copying them into our clipboard, which we can further use to gain authenticated access.
Let’s Start!!
In the below image, you can see that I have enabled the Cookie Editor in my browser and logged in to bWapp as “Hackingarticles: 123.” Now, I will click on the “Export” button from the provided options to export all the cookies of this particular session.
Since I’ve successfully exported the user’s cookies now it’s time to import them into the attacker’s machine. From the below image you can see that the user “bee” is active with an enabled cookie editor extension.
Now let’s try to import these cookies into the attacker’s browser by pasting the exported cookies into the Cookie Editor console.
As I hit the “enter” button the exported cookies of the user hackingarticles will be imported directly into the browser where the user bee resides.
So everything is up now, just simply refresh the browser and there it goes. From the below image you can see that we’ve successfully captured the hackingarticles session with just 3 clicks.
Session ID exposure in URL
Many times the developers fail to manage the privacy of the web-applications by leaving some basic flaws such as disclosing the session ID in the URLs, which allows the attacker to steal these session ids by simply monitoring up the network and manipulate them in order to exploit the authenticated user to compromise his account.
For this exploitation, we’ll be using the bWAPP, selecting up the “Choose your bug” option to “Session Management – Session ID in URL” and setting the security level to “low”.
From the above image, you can see that the browser displays the “PHPSESSID=” of the user “Hackingarticles,” so just copy the same into a text file.
Similarly, we’ll copy the “PHPSESSID=” from the user “Bee” and paste it into the same text file.
From the above image, you can see that both these session ID’s are different.
Thus, it’s time to exploit this vulnerability.
In the Bee’s account, we’ll go to the “Change Password” option, and will try to change the password.
But before hitting up the “change” button, we’ll run our favourite tool “burpsuite” and capture the ongoing HTTP Request.
The below image shows that we’ve successfully captured the HTTP request, and we are again presented with the “PHPSESSID”.
Now we’ll be sharing this captured request to the repeater and replace the session ID, and further will check its generated response.
From the above image, you can see that we changed the user from bee to Hackingarticles as we hit the Send button.
We’re almost there, just change the “PHPSESSID=” with the one that we’ve used in our previous step, in the Proxy tab.
As soon as I hit the Forward button, I will be redirected to a new web page.
Great!! We are back into Hackingarticles account by simply manipulating up the SessionID.
Mitigation Steps
- Developers should setup the Session ID’s, username, password, session tokens in the most encrypted way where they stored.
- Validate appropriate session timeout and invalidated during logout for session tokens.
- The client’s or the Users should use multi-factor authentication and even follow-up with strong password policies in order to increase the password complexities.
- Do not expose Session ID’s in the URL.
- Use the Encrypted channel for transmitting username and password to the server.
Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here