Broken Authentication

Premium room

Learn how to defeat logins and other authentication mechanisms to allow you access to unpermitted areas.

Difficulty: easy, 30 min


Authentication is the process by which a web application verifies the identity of the user making a request. It typically takes place at the application server, which compares the credentials submitted by the client against records held in a credential store. When the credentials match, the server issues a session token that is returned on every subsequent request until the session expires, and the application uses that token to decide what the request is allowed to do.

An authentication bypass is any attack that allows a user to reach functionality restricted to a given account without supplying the correct credential for that account. Bypass attacks do not always require guessing a password or stealing a session token. Many succeed by exploiting assumptions the developer made about how the authentication process would be used, or by modifying data that the server trusts without independent verification.

Image showing the authentication flow

Target Environment

Start the machine using the button at the top of this task and wait for the IP address to appear in the banner before continuing. Every tool used in the room is pre-installed on the AttackBox, which can be launched with the green button at the top of the screen.

Learning Objectives

By the end of this room, you will be able to:

  • Enumerate valid usernames from differences in a signup form's response using ffuf
  • Brute-force a login form with a custom username list and a password wordlist
  • Identify and exploit a parameter pollution flaw in a password reset workflow with curl
  • Modify plain text, hashed, and base64-encoded cookies to change the authenticated state the server sees
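The last objective, and the point made above about data the server trusts without independent verification, come down to one server-side decision: whether the session state stored in a cookie is tied to something only the server knows. The added example below is not part of the room; it contrasts a hypothetical handler that decodes a base64 cookie and believes it with one that only accepts state carrying a valid HMAC tag. The secret and the state fields are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real server loads this from configuration, never from the client.
SERVER_SECRET = b"constructed-demo-secret"


def weak_cookie_state(cookie: str) -> dict:
    """Decode a base64 cookie and trust its contents as the session state.

    This is the pattern the room's last objective covers: the server has no way
    to tell a value it issued from one the client rewrote.
    """
    return json.loads(base64.urlsafe_b64decode(cookie))


def sign_state(state: dict) -> str:
    """Serialise the state and append an HMAC-SHA256 tag keyed with the server secret."""
    payload = base64.urlsafe_b64encode(json.dumps(state, sort_keys=True).encode()).decode()
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag


def verified_cookie_state(cookie: str) -> Optional[dict]:
    """Return the state only when the tag verifies; any mismatch means no session."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many tag bytes matched.
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


def compare_handling(client_state: dict) -> dict:
    """Feed the same client-chosen state to both schemes and report what each server sees."""
    payload = base64.urlsafe_b64encode(json.dumps(client_state, sort_keys=True).encode()).decode()
    weak = weak_cookie_state(payload)                          # accepted verbatim
    signed = verified_cookie_state(payload + "." + "0" * 64)   # no valid tag, so no session
    return {"weak_is_admin": weak.get("admin", False), "signed_state": signed}
```

The same idea applies to the plain-text and hashed variants: hashing a value the client can recompute adds nothing, whereas a keyed tag (or a server-side session store keyed by an unguessable token) does.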