Unit 2

This document outlines various web authentication mechanisms, including authentication vs authorization, HTTP Basic Authentication, session-based authentication, and token-based authentication. It also discusses interception proxies, authentication bypass vulnerabilities, and the BeEF framework for penetration testing. Key concepts such as OAuth, OpenID, and two-factor authentication are also covered, highlighting their importance in securing web applications.

Uploaded by useridnumber03

UNIT - 2

OUTLINE

- Web Authentication Mechanism
- Interception proxies – ZAP, Burp Suite, Metasploit for Web
- Authentication and authorization bypass
- Introduction to BeEF framework
WEB AUTHENTICATION MECHANISM

- Authentication vs Authorization: Authentication is the process of verifying the credentials of a user or device attempting to access a restricted system. Authorization, meanwhile, is the process of verifying whether the user or device is allowed to perform certain tasks on the given system.
- Put simply:
  - Authentication: Who are you?
  - Authorization: What can you do?
- Authentication comes before authorization.
- The most common way of authenticating a user is via username and password. Once authenticated, different roles such as admin, moderator, etc. are assigned to them, which grant them special privileges on the system.
WEB AUTHENTICATION METHODS

- HTTP Basic Authentication: This method involves the client sending a username and password with every request, typically in the Authorization header. The credentials are concatenated and base64-encoded. However, this method does not encrypt the credentials, making it less secure unless used over HTTPS.
- Usernames and passwords are not encrypted. Instead, the username and password are concatenated together using a : symbol to form a single string: username:password. This string is then encoded using base64.
HTTP BASIC AUTHENTICATION

- Combination of manual and automated tests to identify vulnerabilities, security flaws and/or threats in a web application.

HTTP BASIC AUTHENTICATION - FLOW
- Unauthenticated client requests a restricted resource.
- HTTP 401 Unauthorized is returned with a header WWW-Authenticate that has a value of Basic.
- The WWW-Authenticate: Basic header causes the browser to display the username and password prompt.
- After entering your credentials, they are sent in the header with each request: Authorization: Basic dcdvcmQ=
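The encoding and the challenge/response flow above, written out as an added Python example (not part of the slides): the client side builds the Authorization header exactly as described, and the server side parses it, answers with 401 plus WWW-Authenticate when it is missing or malformed, and compares the password in constant time. The USERS table and the realm string are constructed for the example; a real server would store salted password hashes rather than plaintext.

```python
import base64
import binascii
import hmac

# Constructed credential store for the example: username -> password.
# Plaintext only so the example is self-contained; store salted hashes in practice.
USERS = {"alice": "correct horse battery staple"}


def build_basic_header(username: str, password: str) -> str:
    """Client side: join with ':' and base64-encode, as the slide describes."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(value: str):
    """Server side: return (username, password), or None if the header is malformed."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Only the first ':' separates the username; a password may itself contain ':'.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def handle_request(headers: dict) -> tuple:
    """Minimal view of the flow: (401, challenge) until valid credentials arrive, then 200."""
    challenge = {"WWW-Authenticate": 'Basic realm="restricted"'}  # realm is constructed
    creds = parse_basic_header(headers.get("Authorization", ""))
    if creds is None:
        return 401, challenge
    username, password = creds
    # Always run the constant-time compare, even for unknown users, so that
    # response timing does not reveal which usernames exist.
    expected = USERS.get(username, "")
    ok = hmac.compare_digest(password.encode(), expected.encode()) and username in USERS
    if not ok:
        return 401, challenge
    return 200, {"user": username}


if __name__ == "__main__":
    print(handle_request({}))  # no header -> 401 + WWW-Authenticate: Basic
    good = build_basic_header("alice", "correct horse battery staple")
    print(handle_request({"Authorization": good}))
    print(handle_request({"Authorization": build_basic_header("alice", "wrong")}))
```

Because the header is only base64, anyone who can read the request (a proxy, a log file, a packet capture on plain HTTP) can recover the password with a single decode; the example decodes it the same way the server does, which is why the slide ties Basic auth to HTTPS.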
SESSION-BASED AUTH
- With session-based auth (or session cookie auth or cookie-based auth), the user's state is stored on the server.
- It does not require the user to provide a username or a password with each request.
- Instead, after logging in, the server validates the credentials. If valid, it generates a session, stores it in a session store, and then sends the session ID back to the browser.
- The browser stores the session ID as a cookie, which gets sent anytime a request is made to the server.
- Session-based auth is stateful. Each time a client requests the server, the server must locate the session in memory in order to tie the session ID back to the associated user.
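The stateful flow just described, as an added Python example that is not from the slides: a login handler validates credentials, creates a session in a server-side store, and returns it in a Set-Cookie header; a protected page then looks the cookie up in that store on every request. The user table, the one-hour lifetime and the cookie name are constructed for the example. The session ID comes from the operating system's CSPRNG via secrets.token_urlsafe, which matters later when session-ID prediction is discussed.

```python
import hmac
import secrets
import time

# Constructed user table (plaintext passwords only to keep the example self-contained).
USERS = {"alice": "hunter2"}
SESSION_TTL = 3600  # seconds; assumed value for the example


class SessionStore:
    """In-memory store: session ID -> {user, created}. This is the server-side state
    the slide refers to; every request costs a lookup here."""

    def __init__(self):
        self._sessions = {}

    def create(self, username: str) -> str:
        # 32 random bytes, URL-safe encoded: unguessable, unlike a counter or timestamp.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": username, "created": time.time()}
        return sid

    def lookup(self, sid: str):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if time.time() - entry["created"] > SESSION_TTL:
            self._sessions.pop(sid, None)  # expired: forget it and force a new login
            return None
        return entry["user"]

    def destroy(self, sid: str) -> None:
        """Logout: removing the server-side record invalidates the cookie everywhere."""
        self._sessions.pop(sid, None)


def login(store: SessionStore, form: dict):
    """Returns the response headers to send on success, or None on bad credentials."""
    user = form.get("username", "")
    password = form.get("password", "")
    if user not in USERS or not hmac.compare_digest(password.encode(), USERS[user].encode()):
        return None
    sid = store.create(user)
    # HttpOnly keeps scripts away from the ID, Secure keeps it off plain HTTP.
    return {"Set-Cookie": f"session={sid}; HttpOnly; Secure; SameSite=Lax"}


def parse_cookies(header: str) -> dict:
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def protected_page(store: SessionStore, headers: dict) -> tuple:
    """Every request: tie the session ID from the Cookie header back to a user, or refuse."""
    sid = parse_cookies(headers.get("Cookie", "")).get("session")
    user = store.lookup(sid) if sid else None
    if user is None:
        return 401, "login required"
    return 200, f"hello {user}"


if __name__ == "__main__":
    store = SessionStore()
    resp = login(store, {"username": "alice", "password": "hunter2"})
    cookie = resp["Set-Cookie"].split(";")[0]
    print(protected_page(store, {"Cookie": cookie}))
    print(protected_page(store, {}))
```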
TOKEN-BASED AUTHENTICATION
- This method uses tokens to authenticate users instead of cookies. The user authenticates using valid credentials and the server returns a signed token. This token can be used for subsequent requests.
- The most commonly used token is a JSON Web Token (JWT). A JWT consists of three parts:
  - Header (includes the token type and the hashing algorithm used)
  - Payload (includes the claims, which are statements about the subject)
  - Signature (used to verify that the message wasn't changed along the way)
- All three are base64 encoded and concatenated using a . and hashed. Since they are encoded, anyone can decode and read the message. But only authentic users can produce valid signed tokens. The token is authenticated using the Signature, which is signed with a private key.
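To make the three-part structure concrete, here is an added example (not from the slides) that builds and verifies an HS256 JWT with nothing but the standard library. It shows the point the slide makes: the header and payload are only base64url-encoded and can be read by anyone, but changing a single claim invalidates the signature, and the signature can only be recomputed with the key. The key and the claims are constructed; the verifier pins the algorithm rather than reading it from the token's own header, which is the standard caveat for JWT verification code.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    """base64url without padding, as JWT uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_encode(claims: dict, key: bytes) -> str:
    """header.payload.signature, signed with HMAC-SHA256 over the first two parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def jwt_verify(token: str, key: bytes, now: float = None):
    """Return the claims if the signature and expiry check out, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        signature = b64url_decode(s)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    # Pin the algorithm: the verifier decides how to check, not the token's header.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims


def decode_payload_without_verifying(token: str) -> dict:
    """Anyone can do this; it is why secrets must never be put in a JWT payload."""
    return json.loads(b64url_decode(token.split(".")[1]))


if __name__ == "__main__":
    key = b"constructed-secret-key"  # constructed for the example
    token = jwt_encode({"sub": "alice", "role": "user", "exp": 2000}, key)
    print(token)
    print(decode_payload_without_verifying(token))
    print(jwt_verify(token, key, now=1000))
```

The tampered-token case is the one worth trying: take the header and signature of a valid token, swap in a payload whose role claim is changed, and jwt_verify returns None because the HMAC no longer matches.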
ONE TIME PASSWORDS

- One time passwords (OTPs) are commonly used as confirmation for authentication.
- OTPs are randomly generated codes that can be used to verify if the user is who they claim to be.
- It's often used after user credentials are verified for apps that leverage two-factor authentication.
- To use OTP, a trusted system must be present. This trusted system could be a verified email or mobile number.
- While there are a few different types of OTPs, Time-based OTPs (TOTPs) is arguably the most common type.
ONE TIME PASSWORDS - FLOW

- The traditional way of implementing OTPs:
  - Client sends username and password
  - After credential verification, the server generates a random code, stores it on the server-side, and sends the code to the trusted system
  - The user gets the code on the trusted system and enters it back on the web app
  - The server verifies the code against the one stored and grants access accordingly
OAUTH AND OPENID

- OAuth/OAuth2 and OpenID are popular forms of authorization and authentication, respectively.
- They are used to implement social login, which is a form of single sign-on (SSO) using existing information from a social networking service such as Facebook, Twitter, or Google, to sign in to a third-party website instead of creating a new login account specifically for that website.
- This type of authentication and authorization can be used when you need to have highly-secure authentication.
OAUTH AND OPENID - FLOW
- You visit a website that requires you to log in. You navigate to the login page and see a button called "Sign in with Google". You click the button and it takes you to the Google login page. Once authenticated, you're then redirected back to the website that logs you in automatically. This is an example of using OpenID for authentication. It lets you authenticate using an existing account (via an OpenID provider) without the need to create a new account.
- The most famous OpenID providers are Google, Facebook, Twitter, and GitHub.
- After logging in, you navigate to the download service within the website that lets you download large files directly to Google Drive. How does the website get access to your Google Drive? This is where OAuth comes into play. You can grant permissions to access resources on another website. In this case, write access to Google Drive.
OTHER

- SAML (Security Assertion Markup Language): A protocol for exchanging authentication and authorization data between parties. SAML is often used in enterprise environments for Single Sign-On (SSO) solutions.
- Two-Factor Authentication (2FA): This method adds an extra layer of security by requiring two forms of verification. Common second factors include SMS codes, email codes, biometric data, or hardware tokens.
INTERCEPTION PROXIES

- An interception proxy is a tool used to intercept and manipulate network traffic between a client and a server.
- It is commonly used by security professionals to understand how an application communicates with a server and to find security vulnerabilities by modifying traffic.
- They can intercept HTTP requests and responses, allowing for the study of how a website behaves under different interactions.
- Tools like Burp Suite and HTTP Toolkit provide features to intercept, modify, and forward HTTP requests and responses.
- SSL/TLS interception proxies can inspect encrypted traffic by terminating the client's request and making a second request to the server, effectively acting as a man-in-the-middle.

ZAP

- Zed Attack Proxy (ZAP) is a widely used web application scanner that functions as an interception proxy.
- It allows you to intercept and modify HTTP and HTTPS traffic between your browser and the web application you are testing.

AUTHENTICATION BYPASS

- An authentication bypass vulnerability is a weak point in the user authentication process.
- In computer security, authentication is the process of attempting to verify the digital identity of the sender of a communication. A common example of such a process is the log on process.
- Authentication mechanisms or subsystems typically rely on passwords, digest authentication, security certificates, and so forth.
- However, errors in the development, design, or deployment of an application may leave cracks in the authentication mechanism.
- It is through these overlooked cracks that cybercriminals execute authentication bypass attacks.
AUTHENTICATION BYPASS

- After circumventing authentication, these types of attackers may:
  - Escalate privileges, move on to additional pages, or create an admin session in the HTTP request.
  - Download harmful firmware and change system settings.
  - View, copy, delete, alter, or overwrite important data.
  - Compromise a system admin account, gaining full control of the application and access to the infrastructure.

AUTHENTICATION BYPASS

- How exactly do attackers exploit authentication bypass vulnerabilities? Common methods include:
  - Circumventing the login page by instead calling an internal page directly (forced browsing).

DIRECT PAGE REQUEST

- If a user directly requests a different page via forced browsing, that page may not check the credentials of the user before granting access.
- Attempt to directly access a protected page through the address bar in your browser to test using this method.
- If a web application implements access control only on the login page, the authentication schema could be bypassed.
PARAMETER MODIFICATION

- Another problem related to authentication design is when the application verifies a successful login on the basis of fixed-value parameters.
- A user could modify these parameters to gain access to the protected areas without providing valid credentials.
- In the example below, the "authenticated" parameter is changed to a value of "yes", which allows the user to gain access.
- In this example, the parameter is in the URL, but a proxy could also be used to modify the parameter, especially when the parameters are sent as form elements in a POST request or when the parameters are stored in a cookie.
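One added example (not from the slides) that covers both the direct-page-request and the parameter-modification slides: a vulnerable route handler that checks nothing on /admin and trusts an "authenticated=yes" parameter on /account, next to a hardened handler in which every non-public route passes through one server-side check and the user's role comes from the session record rather than from anything in the request. The routes, the role table and the session issuing are constructed for the example; the login check is deliberately minimal because the point is what happens after it.

```python
import secrets

# Vulnerable variant: the login page is the only place that checks anything,
# and the "authenticated" flag lives in the request itself (query string here,
# but the slide notes it could equally be a POST field or a cookie).
def vulnerable_app(request: dict) -> tuple:
    path = request["path"]
    params = request.get("params", {})
    if path in ("/", "/login"):
        return 200, "public page"
    if path == "/account":
        # Parameter modification: a client-supplied flag decides access.
        if params.get("authenticated") == "yes":
            return 200, "account page"
        return 302, "/login"
    if path == "/admin":
        # Forced browsing: the page exists, and nothing checks who is asking.
        return 200, "admin page"
    return 404, ""


# Hardened variant: authentication and authorization are both decided from
# server-side session state, on every request, through a single code path.
PUBLIC = {"/", "/login"}                      # constructed route table
REQUIRED_ROLE = {"/account": "user", "/admin": "admin"}


def login(sessions: dict, username: str, password: str):
    """Issue a session only for valid credentials (credential check stubbed for the example)."""
    if (username, password) != ("alice", "hunter2"):
        return None
    sid = secrets.token_urlsafe(32)
    sessions[sid] = {"user": username, "role": "user"}
    return sid


def role_allows(have: str, need: str) -> bool:
    return have == "admin" or have == need


def hardened_app(request: dict, sessions: dict) -> tuple:
    path = request["path"]
    if path in PUBLIC:
        return 200, "public page"
    if path not in REQUIRED_ROLE:
        return 404, ""
    # Authentication ("who are you?"): the only input consulted is the session cookie,
    # and it is only meaningful if the server issued it.
    session = sessions.get(request.get("cookies", {}).get("session", ""))
    if session is None:
        return 302, "/login"
    # Authorization ("what can you do?"): the role comes from the session record,
    # never from a request parameter, so "authenticated=yes" changes nothing.
    if not role_allows(session["role"], REQUIRED_ROLE[path]):
        return 403, "forbidden"
    return 200, f"{path[1:]} page"


if __name__ == "__main__":
    forced = {"path": "/admin"}
    tampered = {"path": "/account", "params": {"authenticated": "yes"}}
    print("vulnerable:", vulnerable_app(forced), vulnerable_app(tampered))
    sessions = {}
    print("hardened:  ", hardened_app(forced, sessions), hardened_app(tampered, sessions))
    sid = login(sessions, "alice", "hunter2")
    print("hardened, logged in as user:",
          hardened_app({"path": "/account", "cookies": {"session": sid}}, sessions),
          hardened_app({"path": "/admin", "cookies": {"session": sid}}, sessions))
```

The test for this class of bug is the one the slides describe: request each protected path with no session and with a tampered flag, and confirm the response is a redirect or 403 rather than the page. The central-check pattern also makes that test cheap to keep, because a newly added route is denied by default until it is listed.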
SESSION ID PREDICTION

- Many web applications manage authentication by using session identifiers (session IDs).
- Therefore, if session ID generation is predictable, a malicious user could be able to find a valid session ID and gain unauthorized access to the application, impersonating a previously authenticated user.
- In the following figure, values inside cookies increase linearly, so it could be easy for an attacker to guess a valid session ID.
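An added example (not from the slides) of the check a tester or a defender would run over a handful of captured Set-Cookie headers: pull the session values out, test for the linearly increasing pattern the slide's figure shows, and estimate the per-character entropy as a rough sanity check. The Set-Cookie lines and the cookie name are constructed; they mimic the figure's counter-style IDs. Generation of a proper ID (secrets.token_urlsafe) is shown in the session-based auth example earlier and is not repeated here.

```python
import math
from collections import Counter

# Constructed captures in the style of the slide's figure: five logins in a row.
CAPTURED = [
    "Set-Cookie: session=100231; Path=/; HttpOnly",
    "Set-Cookie: session=100232; Path=/; HttpOnly",
    "Set-Cookie: session=100233; Path=/; HttpOnly",
    "Set-Cookie: session=100234; Path=/; HttpOnly",
    "Set-Cookie: session=100235; Path=/; HttpOnly",
]


def parse_cookie_ids(lines, name="session"):
    """Extract the value of the named cookie from Set-Cookie header lines."""
    ids = []
    for line in lines:
        header = line.split(":", 1)[1] if line.lower().startswith("set-cookie:") else line
        for part in header.split(";"):
            key, _, value = part.strip().partition("=")
            if key == name:
                ids.append(value)
    return ids


def is_linear(ids) -> bool:
    """True when the IDs are integers with a constant non-zero step: a counter, not a random value."""
    try:
        nums = [int(i) for i in ids]
    except ValueError:
        return False  # non-numeric IDs cannot be a plain counter
    if len(nums) < 3:
        return False
    steps = {b - a for a, b in zip(nums, nums[1:])}
    return len(steps) == 1 and 0 not in steps


def shannon_bits_per_char(ids) -> float:
    """Empirical entropy per character over all captured IDs. Decimal counters sit
    near 2-3 bits; a base64url token from a CSPRNG approaches 6 bits per character."""
    text = "".join(ids)
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess(lines, name="session") -> str:
    """One-line verdict for a capture, combining the two checks above."""
    ids = parse_cookie_ids(lines, name)
    if len(ids) < 3:
        return "insufficient samples"
    if is_linear(ids):
        return "predictable: linearly increasing session IDs"
    if shannon_bits_per_char(ids) < 3.0:
        return "suspicious: low entropy per character"
    return "no obvious pattern"


if __name__ == "__main__":
    print(parse_cookie_ids(CAPTURED))
    print(assess(CAPTURED))
```

A few samples are enough to spot a counter; they are not enough to prove an ID is random, so "no obvious pattern" here means only that the cheap checks passed, not that the generator is sound.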
UNUSUAL TECHNIQUES

- https://www.synack.com/blog/exploits-explained-5-unusual-authentication-bypass-techniques/

BEEF FRAMEWORK

- The Browser Exploitation Framework (BeEF) is a security tool used for penetration testing, focusing on the web browser.
- It allows testers to assess the security posture of a target environment by using client-side attack vectors, looking past the hardened network perimeter and client system to examine exploitability within the context of the web browser.
- BeEF hooks one or more web browsers and uses them as beachheads for launching directed command modules and further attacks against the system from within the browser context.
- It is available for installation in various pen testing Linux distributions, such as Kali and BlackArch.
BEEF FRAMEWORK

- BeEF can be used for various purposes, including validating zero-trust efforts, phishing simulations, and validating browser configuration and hardening standards.
- It can also be used to simulate actions that could be performed by attackers, such as redirecting a browser tab to a nefarious site to capture user login credentials.