Forceful Browsing in Authentication Attacks


Attacking Authentication and Authorization
CSE 591 – Security and Vulnerability Analysis
Spring 2015

Adam Doupé
Arizona State University
http://adamdoupe.com
Definitions
• Authentication
– Who is the user?
– Breaking means impersonating another user
• Authorization
– What is the user allowed to do?
• Admin, regular, guest, …
– Attacking means performing actions that you're not allowed to do
• Often intertwined
– If you're able to break the authentication to log in as a different user, then you've also broken authorization

Adam Doupé, Security and Vulnerability Analysis


Attacking Authentication
• Eavesdropping credentials/authenticators
• Brute-forcing/guessing credentials/authenticators
• Bypassing authentication
– SQL Injection (later)
– Session fixation



Eavesdropping Credentials and Authenticators
• If the HTTP connection is not protected by SSL it is possible to eavesdrop the credentials:
– Username and password sent as part of an HTTP basic authentication exchange
– Username and password submitted through a form
– The authenticator included as cookie, URL parameter, or hidden field in a form
• The "secure" flag on cookies is a good way to prevent accidental leaking of sensitive authentication information
Brute-forcing Credentials and Authenticators
• If authenticators have a limited value domain they can be brute-forced (e.g., 4-digit PIN)
– Note: lockout policies might not be enforced in mobile web interfaces to accounts
• If authenticators are chosen in a non-random way they can be easily guessed
– Sequential session IDs
– User-specified passwords
– Example: http://www.foo.bar/secret.php?id=BGH10110915103939 observed at 15:10 of November 9, 2010
• Long-lived authenticators make these attacks more likely to succeed
Bypassing Authentication
• Form-based authentication may be bypassed using carefully crafted arguments
• Authentication, in certain cases, can be bypassed using forceful browsing
• Weak password recovery procedures can be leveraged to reset a victim’s password to a known value
• Session fixation forces the user’s session ID to a known value
– For example, by luring the user into clicking on a link such as:
<a href=http://foo.com/vulnerable.php?SESSIONID=1234>foo</a>
• The ID can be a fixed value or could be obtained by the attacker through a previous interaction with the vulnerable system



Session Fixation (normal flow, client and bank.com)

(1) GET /login.py
(2) session=4242
(3) GET /form.py?user=joe&pwd=foo&session=4242
(4) OK
(4) GET /balance.py?session=4242



Session Fixation (attack flow: Attacker, Victim, bank.com)

Attacker → bank.com: (1) GET /login.py
bank.com → Attacker: (2) session=55181
(3) Attacker lures victim into clicking on http://bank.com/login.py?session=55181
Victim → bank.com: (4) GET /login.py?session=55181
Victim → bank.com: (5) GET /form.py?user=joe&pwd=foo&session=55181
Attacker → bank.com: (6) GET /balance.py?session=55181
Session Fixation
• If the application blindly accepts an existing session ID, then the initial setup phase is not necessary
• Session IDs should always be regenerated after login and never allowed to be “inherited”
• Session fixation can be composed with cross-site scripting to achieve session id initialization (e.g., by setting the cookie value)
• See: M. Kolsek, “Session Fixation Vulnerability in Web-based Applications”
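The two diagrams above replayed in code, as an added example that is not from the slides: a constructed in-memory stand-in for bank.com's session handling (class `Bank`, demo user joe/foo) runs steps (1) to (6) once with a server that blindly accepts the presented session ID and once with the fix the slide recommends, a fresh ID issued at login and the pre-login ID discarded.

```python
import secrets


class Bank:
    """Constructed stand-in for bank.com's session handling (not the slides' code).
    regenerate=False reproduces the flow in the diagram; regenerate=True applies
    the fix: the server never adopts a client-supplied id, and a fresh id is
    issued at login while the pre-login id is discarded."""

    def __init__(self, regenerate):
        self.regenerate = regenerate
        self.sessions = {}               # session id -> user, None while anonymous
        self.passwords = {"joe": "foo"}  # constructed demo credential

    def get_login(self, session=None):
        # Steps (1)/(2) and (4): the vulnerable server registers whatever id the
        # client presents; the fixed server only ever hands out its own ids.
        if session is None or self.regenerate:
            session = secrets.token_hex(8)
        self.sessions.setdefault(session, None)
        return session

    def post_form(self, user, pwd, session):
        # Step (5): check credentials, then bind the session id to the user.
        if session not in self.sessions or self.passwords.get(user) != pwd:
            return None
        if self.regenerate:
            del self.sessions[session]   # the id the attacker may know dies here
            session = secrets.token_hex(8)
        self.sessions[session] = user
        return session

    def get_balance(self, session):
        # Step (6): only an id bound to a logged-in user may read a balance.
        user = self.sessions.get(session)
        return f"balance of {user}" if user else "403"


def fixation_attack(regenerate):
    """Replays steps (1)-(6) of the diagram and returns what the attacker gets
    when replaying the id planted in the victim's browser."""
    bank = Bank(regenerate)
    planted = bank.get_login()                     # (1)/(2): attacker obtains an id
    victim_sid = bank.get_login(session=planted)   # (3)/(4): victim follows the link
    bank.post_form("joe", "foo", victim_sid)       # (5): victim logs in with it
    return bank.get_balance(planted)               # (6): attacker replays the id


if __name__ == "__main__":
    print("vulnerable:", fixation_attack(False))   # balance of joe
    print("fixed:     ", fixation_attack(True))    # 403
```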
Authorization Attacks
• Path/directory traversal attacks
– Break out of the document space by using relative paths
• GET /show.php?file=../../../../../../etc/passwd
• Paths can be encoded, double-encoded, obfuscated, etc:
– GET show.php?file=%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
• Forceful browsing
– The Web application developer assumes that the application will be accessed through links, following the “intended paths”
– The user, however, is not bound to follow the prescribed links and can “jump” to any publicly available resource
• Automatic directory listing abuse
– The browser may return a listing of the directory if no index.html file is present and may expose contents that should not be accessible
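A server-side resolver for the `file` parameter of the show.php requests above, added here as an example and not code from the slides. It assumes a document root of /var/www/files; the point it shows is that the containment check must run on the decoded and normalized path, so that the plain, encoded and double-encoded forms of `../` are all rejected by the same test.

```python
import posixpath
from urllib.parse import unquote

DOCROOT = "/var/www/files"   # assumed document root; not from the slides


def decode_fully(value, max_rounds=4):
    """Undo stacked percent-encoding (%252e -> %2e -> .) until the value stops
    changing; refuse inputs that are still changing after max_rounds."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    raise ValueError("too many encoding layers")


def resolve_safely(file_param, docroot=DOCROOT):
    """Map the ?file= parameter of show.php to an absolute path inside docroot,
    or return None when the request would escape it. The check runs on the
    decoded, normalized path, not on the raw string, so '../' hidden behind
    single or double encoding is caught by the same comparison."""
    try:
        decoded = decode_fully(file_param)
    except ValueError:
        return None
    if "\x00" in decoded:            # NUL would truncate the path in C-based servers
        return None
    # Treat the client value as relative even if it starts with '/'
    candidate = posixpath.normpath(posixpath.join(docroot, decoded.lstrip("/")))
    # Must be strictly below docroot; docroot itself is a directory, not a file
    if not candidate.startswith(docroot + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for p in ("reports/q1.txt",
              "../../../../../../etc/passwd",                # slide's plain form
              "%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd",           # slide's encoded form
              "%252e%252e%2f%252e%252e%2fetc%2fpasswd"):     # double-encoded
        print(p, "->", resolve_safely(p))
```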
Authorization Attacks
• Parameter manipulation
– The resources accessible are determined by the parameters to a query
– If client-side information is blindly accepted, one can simply modify the parameter of a legitimate request to access additional information
• GET /cgi-bin/profile?userid=1229&type=medical
• GET /cgi-bin/profile?userid=1230&type=medical
• Parameter creation
– If parameters from the URL are imported into the application, they can be used to modify its behavior
• GET /cgi-bin/profile?userid=1229&type=medical&admin=1



PHP register_globals
• The register_globals directive makes request information, such as the GET/POST variables and cookie information, available as global variables
• Variables can be provided so that particular, unexpected execution paths are followed



PHP – register_globals
<html>
<head><title>Feedback Page</title></head>
<body>
<h1>Feedback Page</h1>
<?php
// With register_globals on, $name and $comment are populated directly from
// the request, so this code never reads $_POST explicitly.
if ($name && $comment) {
    $file = fopen("user_feedback", "a");
    fwrite($file, "$name:$comment\n");
    fclose($file);
    echo "Feedback submitted\n";
}
?>
<form method="POST">
<input type="text" name="name"><br>
<input type="text" name="comment"><br>
<input type="submit" name="submit" value="Submit">
</form>
</body>
</html>



Example
<?php
// $admin is never initialized here; with register_globals on, a request
// parameter named "admin" sets it before this code runs.
if ($_GET["password"] == "secretunguessable1u90jkfld") {
    $admin = true;
}
if ($admin) {
    show_secret_admin_stuff();
}
?>



– GET /example.php?password=foo&admin=1

<?php
// The password check fails, but register_globals has already set $admin
// from the query string, so the admin branch is taken anyway.
if ($_GET["password"] == "secretunguessable1u90jkfld") {
    $admin = true;
}
if ($admin) {
    show_secret_admin_stuff();
}
?>
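The profile handler from the parameter-manipulation slide and the register_globals example above, as an added example (not code from the slides) in Python: `profile_vulnerable` copies every request field into program state the way register_globals does, so changing `userid` or adding `admin=1` works; `profile_fixed` takes the caller's identity and role only from a constructed server-side session, drops parameters not on an allowlist, and checks that the requested `userid` is the caller's own. The record contents and session dictionaries are constructed sample data.

```python
from urllib.parse import parse_qsl

# Constructed server-side records; not the slides' data.
PROFILES = {1229: {"medical": "record-A"}, 1230: {"medical": "record-B"}}
ALLOWED_PARAMS = {"userid", "type"}   # what the client may legitimately send


def parse_query(query):
    """'userid=1229&type=medical&admin=1' -> {'userid': '1229', ...}"""
    return dict(parse_qsl(query))


def profile_vulnerable(params):
    """register_globals-style handler: every request field becomes program
    state, so userid is never tied to the caller and ?admin=1 is honoured."""
    state = {"admin": ""}
    state.update(params)                 # the client overwrites 'admin' here
    record = PROFILES[int(state["userid"])][state["type"]]
    return record + (" [admin view]" if state["admin"] else "")


def profile_fixed(params, session):
    """session holds the user id and role set at login on the server side and
    is never read from the request. Unknown parameters are dropped, and the
    requested userid must be the caller's own unless the server-side role
    is admin."""
    clean = {k: v for k, v in params.items() if k in ALLOWED_PARAMS}
    try:
        uid = int(clean.get("userid", ""))
    except ValueError:
        return "400"
    if uid not in PROFILES or clean.get("type") not in PROFILES[uid]:
        return "404"
    if uid != session["user"] and session["role"] != "admin":
        return "403"
    return PROFILES[uid][clean["type"]]


if __name__ == "__main__":
    joe = {"user": 1229, "role": "user"}           # constructed logged-in session
    for q in ("userid=1229&type=medical",
              "userid=1230&type=medical",           # parameter manipulation
              "userid=1229&type=medical&admin=1"):  # parameter creation
        print(q, "|", profile_vulnerable(parse_query(q)),
              "|", profile_fixed(parse_query(q), joe))
```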



Server (Mis)Configuration: Unexpected Interactions
• FTP servers and web servers often run on the same host
• If data can be uploaded using FTP and then requested using the web server it is possible to
– Execute programs using CGI (upload to cgi-bin)
– Execute programs as web application
– …
• If a web site allows one to upload files (e.g., images) it might be possible to upload content that is then requested as a code component (e.g., a PHP file)
Summary
• Attacks against Authentication and Authorization allow one to trick the web application into
– Thinking that you're someone else
– Giving you access to something that you shouldn't have

