Python - Auth Bypass - 1
Running the app on Docker
Now that the app is running let's go hacking!
Reconnaissance
While most applications require authentication to gain access to private information or to execute tasks, not every authentication method is able to provide adequate security. Negligence, ignorance, or simple understatement of security threats often result in authentication schemes that can be bypassed by simply skipping the log in page and directly calling an internal page that is supposed to be accessed only after authentication has been performed.
In addition, it is often possible to bypass authentication measures by tampering with requests and tricking the application into thinking that the user is already authenticated. This can be accomplished either by modifying the given URL parameter, by manipulating the form, or by counterfeiting sessions.
Obviously, an attacker can tamper with the URL, the form or the session cookie in order to get logged in as a user without knowing the actual credentials.
The goal of this lab is to get logged in as an administrator without knowing his/her credentials
Lets start the application and register a new user
Now that we have valid credentials, we can login:
Exploitation
We can capture the login in the burpsuite proxy and send it to the repeater. We notice that with every login, the session cookie stays the same. It is high likely that this sessionid is related to our user name:
If we quickly google for this sessionid, we find that the sessionID seems to be corresponding to 'user':
We can check try to identify the hash:
it seems to be a sha1...
Ok, let's lookup the hash of 'admin':
-> D033E22AE348AEB5660FC2140AEC35850C4DA997
Now we can set our sessionID to the sha1 hash of admin:
Click 'proceed' to go to the authenticated section of the application:
Additional sources
Last updated
