First lab: brute-forcing the stay-logged-in cookie

With Burp running, log in to your own account with the Stay logged in option selected.

Notice that this sets a stay-logged-in cookie. Examine this cookie in the Inspector panel and notice that it is Base64-encoded.

Study the length and character set of the decoded string and notice that it could be an MD5 hash.

Given that the plaintext is your username, you can make an educated guess that this may be a hash of your password.

Hash your password using MD5 to confirm that this is the case.

We now know that the cookie is constructed as follows:

In the most recent GET /my-account request, highlight the stay-logged-in cookie parameter and send the request to Burp Intruder.

In Burp Intruder, notice that the stay-logged-in cookie has been automatically added as a payload position.

Add your own password as a single payload.

Under Payload processing, add the following rules in order. These rules will be applied sequentially to each payload before the request is submitted.

As the Update email button is only displayed when you access the /my-account page in an authenticated state, we can use the presence or absence of this button to determine whether we've successfully brute-forced the cookie.

On the Settings tab, add a grep match rule to flag any responses containing the string Update email.

Notice that the generated payload was used to successfully load your own account page. This confirms that the payload processing rules work as expected and that you were able to construct a valid cookie for your own account.

Make the following adjustments and then repeat this attack:

Change the Add prefix rule to add carlos: instead of wiener:.

Remove your own password from the payload list and add the list of candidate passwords instead.

When the attack is finished, the lab will be solved. Notice that only one request returned a response containing Update email. The payload from this request is the valid stay-logged-in cookie for Carlos's account.
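To make the flaw concrete, here is an added Python example (not code from the lab or from Burp): it builds and decodes a cookie of the form base64(username:md5(password)) that the steps above reverse-engineer, and contrasts it with a persistent-login token that carries no user data and is stored hashed on the server (an assumed hardened design, not something the lab specifies).

```python
import base64
import hashlib
import secrets
from typing import Optional

# Weak scheme the lab reverse-engineers: base64(username + ":" + md5(password)).
# The username is in the clear and the hash is unsalted, so a captured cookie is
# an offline crack target and can be forged for any user whose password is guessed.
def build_weak_cookie(username: str, password: str) -> str:
    digest = hashlib.md5(password.encode()).hexdigest()
    return base64.b64encode(f"{username}:{digest}".encode()).decode()

def decode_weak_cookie(cookie: str) -> tuple[str, str]:
    """Anyone holding the cookie learns the username and an unsalted MD5 of the password."""
    username, digest = base64.b64decode(cookie).decode().split(":", 1)
    return username, digest

# Hardened alternative (assumed design): an opaque random token bound to the
# user only through a server-side table. The table stores SHA-256(token), so a
# database leak does not hand out usable tokens, and revocation is a delete.
_token_store: dict[str, str] = {}  # sha256(token) -> username

def _key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def issue_remember_token(username: str) -> str:
    token = secrets.token_urlsafe(32)  # 256 bits of entropy, nothing derivable from it
    _token_store[_key(token)] = username
    return token

def verify_remember_token(token: str) -> Optional[str]:
    return _token_store.get(_key(token))

def revoke_remember_token(token: str) -> bool:
    return _token_store.pop(_key(token), None) is not None

if __name__ == "__main__":
    weak = build_weak_cookie("wiener", "peter")  # constructed sample credentials
    print("weak cookie decodes to:", decode_weak_cookie(weak))
    tok = issue_remember_token("wiener")
    print("opaque token verifies as:", verify_remember_token(tok))
```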
Second lab: bypassing an IP-based brute-force block

This lab also uses Burp Suite, one of the most popular penetration testing and bug bounty tools.

With Burp running, investigate the login page. Observe that your IP is temporarily blocked if you submit 3 incorrect logins in a row. However, notice that you can reset the counter for the number of failed login attempts by logging in to your own account before this limit is reached.

Enter an invalid username and password, then send the POST /login request to Burp Intruder.

Create a pitchfork attack with payload positions in both the username and password parameters.

On the Resource pool tab, add the attack to a resource pool with Maximum concurrent requests set to 1. By only sending one request at a time, you can ensure that your login attempts are sent to the server in the correct order.

On the Payloads tab, select payload set 1. Add a list of payloads that alternates between your username and carlos. Make sure that your username is first and that carlos is repeated at least 100 times.

Edit the list of candidate passwords and add your own password before each one. Make sure that your password is aligned with your username in the other list.

Add this list to payload set 2 and start the attack.

When the attack finishes, filter the results to hide responses with a 200 status code. There should only be a single 302 response for requests with the username carlos.

Make a note of the password from the Payload 2 column.

Log in to Carlos's account using the password that you identified and access his account page to solve the lab.