Broken Authentication
Last updated
Last updated
If the operations of adding a new email address or changing an existing one do not require password confirmation, session hijacking, XSS or CSRF can lead to account takeover.
Try to follow a confirmation link for account A
within the session of account B
within an email confirmation flow. If an application is vulnerable, it will link the verified email to account B
. In this case, the attack flow may look like:
An attacker links attacker@website.com
to their account.
An attacker sends a confirmation link to a victim.
A victim follows the link from an email while logged into an application.
An application links attacker@website.com
to a victim.
References:
A method for adding new emails can accept several email address in a single request. However, the method can create a one-time token based on only one email, but send an email with a recovery link to all passed emails at once. For instance, if an application is vulnerable to such an attack, on the following request:
an application sends the same confirmation link to two email addresses.
You can also try the following payloads:
Another similar case is if there is a business logic vulnerability when confirmation link is sent to a wrong email. For example, if an application sends a confirmation link to an already added, main email, instead of an unconfirmed one.
References:
If an application allows you to create users without an email confirmation process, you can try to abuse that to get a new user with a pre-confirmed email. This is possible at least in the following cases:
An application allows creation of bot users that have pre-defined confirmed emails.
SCIM provisioning functions.
OAuth authentication via a vulnerable service that allows using unconfirmed accounts for authentication.
References:
If an application allows using unconfirmed emails, try to abuse this behavior in flows where an application or other applications/systems rely on an email address. For example:
If there are applications/systems that blindly trust the data of a vulnerable application, you can try to abuse this trust. For example, if an application can be used as an OAuth authorization server, try using an account with an unconfirmed email to authenticate to a third-party application using OAuth, you can find more details at OAuth 2.0 Vulnerabilities: Abusing accounts with unconfirmed email.
Try using unconfirmed emails to preoccupy emails that may be used by other users or used internally by an application. In this case, you can block some application functions for all or specific users.
If some functions must not be available for users who have not confirmed their email, check that these functions are really not available for them. Additionally, make sure the REST and GraphQL APIs also abide by the same policy.
Confirmation token may be generated using a vulnerable generation algorithm, which may lead to the possibility of predicting the generated values. If you manage to predict tokens you will be able to generate valid confirmation tokens for any emails.
An application can return unknown data in response when performing an operation. These can be requested passwords, generated OTP, cookies with additional privileges, user data, detailed error messages, and etc. Check the response from the server for such data.
An applications can use Host
header value for generating a password recovery link. If an application is vulnerable to Host
header poisoning, you can affect the link and specify your domain name. As a result, if a victim follows the link from the email, a recovery token will leak to your domain.
There are several ways to implement Host
header poisoning.
You can try to replace the Host
header on your domain. Examples of vulnerable requests:
Or bypass host validation (see SSRF: Broken parser):
References:
Components in a delivery chain, such as proxies, can pass an original host requested by the client using additional of HTTP headers:
You can try to use these headers for identifying the original host requested by the client in the Host
request header:
References:
You can try to specify several Host
headers. Example of vulnerable request:
Password recovery method can accept multiple recovery emails in one request. However, the method can search for an account to create a one-time token based on only one email, but send an email with a recovery link to all passed emails at once. For instance, if an application is vulnerable to such an attack, on the following request:
an application sends the same recovery link to two email addresses.
You can also try the following payloads:
References:
Try to request an one-time token for your account and use them to recover a victim's account:
Successful password recovery should end previously created sessions. If this does not happen, an victim will not have mechanisms for managing the security of their account. As a result, an attacker will be able to maintain an active session for an extended period of time.
The Referer HTTP request header contains an absolute or partial address of the page that makes the request. The Referer
header allows a server to identify a page where people are visiting it from. This data is used for analytics, logging, optimized caching, and more.
The Referer header can contain an origin
, path
, and querystring
, and may not contain URL fragments (i.e. #section
) or username:password
information. The request's referrer policy defines the data that can be included, see Referrer-Policy.
A page with a password recovery, a link to which an application sends by email, can load third-party scripts, for instance, analytics, or contain links to third-party resources, for instance, social networks. If the password recovery link is passed into the Referer
header when requesting these resources, an one-time token is leaked to a third-party resource, since it is passed to the querystring
.
References:
Recovery token may be generated using a vulnerable generation algorithm, which may lead to the possibility of predicting the generated values. If you manage to predict tokens you will be able to generate valid recovery tokens for any accounts.
If an application does not set rate limits on resending OTP and resending OTP resets the set rate limits on attempts to enter OTP, an application is vulnerable to OTP bruteforce.
References:
If an application allows using of old OTPs that have been used or re-generated, any leakage of OTPs (for example, to logs or third-party services) will compromise the functionality that relies on OTPs.
An application can implement the authentication flow as the following one:
An application calls /SessionCreate
endpoint with a mobile phone number of a user
A backend creates a session for a user and returns a session token, but no operations with this session are possible until the verification is complete
An SMS message is sent to a user with a verification code
An application calls /SessionVerify
endpoint with both the session token and the verification code received by SMS
Once this request is successfully completed, the session token becomes valid and the user is now logged in
If subsequent calls to /SessionCreate
return the same session token as the first one until a call to /SessionVerify
, you can use /SessionCreate
endpoint to fecth a session token, that will valid after victim's authentication.
References:
If during the OTP check an application additionally uses some parameters, try to use a value from a request for a different account. This parameter can be a cookie, header, or request parameter. If you use the parameter value for a victim in the OTP check request for an attacker, you can get into a victim account or bypass two-factor authentication.
Additionally, try to re-use the valid OTP value for an attacker as the OTP value for a victim. If an application does not verify that the OTP belongs to an attacker, you will be able to get into a victrim account or bypass two-factor authentication.
An application can use short (less 5 digits) and/or long-lived OTPs. Such implementation leaves many ways to bruteforce, especially if there are no rate limits, or they are weak or can be bypassed.
Applications that implement third party sign-in or sign-up often identify users based on the attached email address that the third party application sends. In such cases, you can try sign-in or sign-up with two different third-party applications that are linked to the same email address. Sometimes these two accounts can be joined and you will have access to the victim's account by sign-in or sign-up with your third-party application account.
For example, suppose a victim sign-in or sign-up to vulnerable-website.com
with third-party-app1.com
, which is linked to victim@website.com
. To exploit this, try the following chain:
Create an account at third-party-app2.com
and enter the victim@website.com
email address (ideal if email confirmation is not required)
Try sign-in or sign-up at vulnerable-website.com
through third-party-app2.com
If the application is vulnerable, you will have access to the victim's account
References:
If an application does not set rate limits on login attempts, try to craft a dictionary and bruteforce a password.
One of the implementations of rate limits uses a username or email as an identifier to count attempts. Try to bypass the protection by using extra spaces or upper/lower case:
You can use the following links:
WordList Compendium - personal compilation of wordlists & dictionaries for everything; users, passwords, directories, files, vulnerabilities, fuzzing, injections, wordlists of tools, etc.
SecLists - a collection of multiple types of lists used during security assessments.
PWDB - New generation of Password Mass-Analysis - a collection of all the data extracted from 1 billion credential leaks from the Internet.
bopscrk - tool to generate smart and powerful wordlists.
BruteLoops - protocol agnostic online password guessing API.
References:
Credential stuffing is a search for leaked usernames and passwords for use in popular online services, as most users are "comfortable" using the same password everywhere.
You can use the following lists:
Resources:
Try to login with default credentials into admin panels, third-party services, middleware, and etc.
You can use the following lists:
Most applications store hashes of user passwords and do not store passwords in clear text. Accordingly, an application hashes passed password and checks the hash against the one stored in a database when authenticating a user. Moreover, functions with sliding computational cost are often used as a hashing function, the computational complexity of which is much higher than common hash functions such as sha256
. Therefore, if an application does not implement restrictions on the length of passwords, this can be used for DoS: hashing very long passwords can be resource intensive.