Monday 24 January 2022

Broken Authentication - TryHackMe - OWASP Top 10


Authentication and session management constitute core components of modern web applications. Authentication allows users to gain access to web applications by verifying their identities. The most common form of authentication is using a username and password mechanism. 

 A user would enter these credentials, the server would verify them. If they are correct, the server would then provide the users’ browser with a session cookie. A session cookie is needed because web servers use HTTP(S) to communicate which is stateless. Attaching session cookies means that the server will know who is sending what data.

Example:

By using the TryHackMe lab try to access the IP address and access the application. try to register a username darren, you'll see that user already exists so then try to register a user darrenand you'll see that you are now logged in and will be able to see the content present only in Darren's account which in our case is the flag that you need to retrieve.

Try to login to the application and access Darren and Arthur user’s account. To login to the Darren account try creating a user with same username with a space before providing the username and access the flag. And the similar goes with the Arthur’s account.

Step 1: Try to provide username as “Darren” and create a user and an error state “The user is already registered”.



Step 2: Try to register “Darren” user with a space provided before the username and the application logs into the actual Darren user and flags are provided. The same method is applied for “Arthur” user.






The below flag is used for the Darren user in the application.



The below flag is used for the Arthur user in the application.



Remediation:

There can be various mitigation for broken authentication mechanisms depending on the exact flaw:

  • To avoid password guessing attacks, ensure the application enforces a strong password policy. 
  • To avoid brute force attacks, ensure that the application enforces an automatic lockout after a certain number of attempts. This would prevent an attacker from launching more brute force attacks.
  • Implement Multi Factor Authentication - If a user has multiple methods of authentication, for example, using username and passwords and receiving a code on their mobile device, then it would be difficult for an attacker to get access to both credentials to get access to their account.



Posted by at
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)