
are doing that. A little bit about myself: I'm a penetration tester. I primarily test web apps, and I've been doing that for about the last four years. I also teach the web app pen testing course at the mentor level. I blog, I tweet, I write a lot of code, so feel free to connect with me and meet up.

All right, so as I mentioned: attacking authentication in web apps. It's a really wide topic, so I'm going to touch on all of these things and occasionally on some defense, but mostly it's going to be an offensive talk. I will throw in some nuggets, so if you're a developer, or maybe you just own the system or something like that, it gives you an idea of certain risks and where these things are.

The reason I like attacking authentication is because it's ubiquitous. Every modern app has some sort of piece, and it's usually a username and password type thing where you enter it and then you have some sort of privileges. Historically, users are bad at choosing passwords. Not everybody, but really you just need one user out of the several thousand that might live on the system to gain access to it. Scanners: a lot of people are scan-and-forget types. They scan it, they say it's secure. Scanners really do a bad job of testing anything authentication. They might be good at cross-site scripting and SQL injection, those sorts of other flaws, but at authentication they're bad, because most web apps are made differently, so it doesn't do a good job. Audits don't accurately measure risk. Basically, if you've ever done an audit or a pen test of something that's in a non-production environment, the user accounts aren't real, it's just a bunch of dummy accounts on there, so rarely does an auditor or even a tester go into doing password attacks against anything.

So the methodology I'm going to use, at least for this talk, is just some basic recon scanning, then enumerating users, testing the account lockout and trying to bypass it, different password attacks, and then I'll explore some other authentication and authorization flaws that are really unique among web apps.

So, for recon. It's a big, big topic; I'm only going to touch on subdomain enumeration and port scanning that is very web specific. The only reason I'm even doing this is because ideally, if you had authorization to test example.com, you have this big scope, and you're going to want to find as many subdomains of example.com as possible, you're going to want to find as many places as you can to attack. Authentication doesn't always live on 80 and 443 as far as the ports go, so you want to be able to check lots of different places.

So there are several ways to enumerate subdomains. The easiest one is a zone transfer: your DNS zone record, or the zone file, just has a list of records where the IP addresses correspond to the hostnames, so if you can get ahold of that zone file you basically have all of their subdomains. Otherwise, the way to do it is just search engine reconnaissance, so Google dorks: basically you do site:example.com and then all of the search results for example.com will show up, like mail.example.com and so on. And then there are various tools that do this sort of stuff for you.

So, for an example of a zone transfer, you would just go to whois, look up your target, and you'd see the name servers at the bottom; that's where you're going to try to transfer that zone record from. This particular one had it set up correctly: I'm using nslookup here to try to do a zone transfer to my own computer, and zone transfers are typically only allowed between two DNS servers, which makes sense, you don't want anybody to get the zone file. So this one's configured correctly. A canonical example of one that is not configured correctly lets me do a zone transfer, so you can see the commands for nslookup, and then it goes through and shows the different subdomains for this particular contrived server.

I mentioned there are other places, too, or other ways to find subdomains. Different internet sites like crt.sh and DNSdumpster do internet research, so they're constantly scanning the internet, finding subdomains and recording things, and they offer basically free resources for anybody to look up a domain and see a whole bunch of subdomains. VirusTotal has it, just because when you're looking up threats from a particular domain you want to see the subdomains that are there. There are Google dorks, like I said, the site: directive, and then you can also brute force subdomains, which is essentially taking a word list and running it against your target, and whatever resolves obviously means that particular subdomain exists. There are tools that do all of this stuff for you. Probably the most complete would be DNSRecon; it does, I think, all of the things in that list, including attempting zone transfers. It's in Metasploit. Sublist3r is also popular. I wrote one, find subdomains, and this is sort of the output for it: you can see at the top part it's basically querying those resources, crt.sh, DNSdumpster, and putting together a list of subdomains that you can go ahead and try.

So, lots of resources for finding subdomains, but the whole goal is just to get as wide a breadth of login locations as you can to try to test the authentication. Once you do have a wide range of subdomains that you can go ahead and test, you're going to want to look for open ports that indicate web services. Sure, you want to scan them for all of the other things, your FTP and telnet and all of those types of things, but what I'm focusing on is purely the web ports. If you ever use something like nmap, the default scan is just the thousand most common ports, and the thousand most common ports don't actually cover all of the web ports. So you're either going to want to get a custom list of ports you want your scanner to scan that deals with web stuff, or I wrote a couple of tools that will do that for you: they'll just scan whatever you tell them to, whatever URL you go to. Those are the sitekick and get website info ones; one's Python, one's PowerShell. It basically helps prioritize the sites, because it goes out to all these different URLs and records the title of the website as well as the server type.

The reason this ends up being important is because if you have a really, really wide scope and you scan a whole network, you'll get a lot of garbage from web ports, you'll get a thousand printers or something like that, and so you want to have the title of the printer so you can immediately eliminate it from your list and not waste your time browsing to it. To generate a list of URLs for web ports there's another tool I wrote; it simply takes a domain name and tries a ton of different web ports that I sort of came up with, either through reading up on things or the ones nmap specifically identifies as HTTP or HTTPS. This is the output of one of the tools, just to give you an idea: it gives you the title of the site, the URL, the server and the redirect URL. Anything like that can keep you organized and eliminate the stuff that's unnecessary, while at the same time, if it gives you the title of some popular open-source content management system or something like that, you can take the steps to do further enumeration on it. If you identify it as being an old version of something, there might be a public exploit available, and that's why we do this. If you find some commercial product, a lot of times if it's on a non-standard port it might have been set up for development purposes or for testing, so you want to try default passwords, and if you get in there, that's great: maybe there'll be data on it, maybe not, maybe there's something you can use to go further. As I said, it might be vulnerable to known exploits where you can do the easy job and look at Metasploit and say yep, it's vulnerable to something. In the end it provides more targets, which provides more opportunities to do all the things we're going to learn about now.

So, enumerating users. This shouldn't be so crazy; this should all be basic common sense type stuff, but if you own an application or if you're a developer, there are hidden risks that go along with all of these features of an application that make it more user friendly or increase the user experience. The first thing you look for is visual changes. The whole goal for user enumeration is to gather a list of users where I don't know anything yet. So, Microsoft: I type in an invalid user, "not a real account", and Microsoft will tell me that the account doesn't exist, right? That makes sense, and with a real account it'll prompt you for a password. So wow, now I know that username, that's great. In theory, if you have an application that just tells you like this, you can get a really large list of usernames, bust through it, and record the ones that give you a password prompt.

Then there are applications, in fact a lot of applications these days, that are designed not to tell you which one it is, the username or the password. So it's letting me know that the username or password did not match, and even for an invalid user: this is a valid user, this is an invalid user, same error message. If you were to measure the length of the HTTP response, it'd be the same length too. But under the hood, so this is once again a valid user, under the hood this is what it ended up looking like: there was a little XML part where it showed me a login status, and for this one it was -2, but for the other one, for "not a real user", it had a -1 login status. So all things were equal as far as the error message displayed, but this sort of thing let me know whether a user was valid or not valid. For tools and stuff like that, Burp Suite and ZAP both have a comparison feature where you can take the HTTP responses and see what's different. In this case, I mentioned that the response lengths were the same, so looking at the response length alone would not tell you any difference.

So this is a timing-based thing. On the right is just a little timer; on the left is me trying to log in with "not a real account", and it actually took 10 seconds to respond. This one took a particularly long time; it's more common where you see that it's just maybe a second versus a half second. So what you would typically do to account for latency is just bust through a bunch of accounts really quick, and the ones that are consistently returning at a different time, those are the ones that are either valid or invalid, whatever you think. In this particular one, it only took one second for a valid username to get checked.

Then there are the sort of features. Even this part is secure, right? It says username and password do not match, so it doesn't tell me which one's which. This is for an invalid account, but a valid account would give you the same error message; it would just tell you username and password do not match. So it's designed to be secure, to not give up users. Unfortunately, the forgot password link doesn't do that. For "not a real account" it tells you it can't find a user; you give it a real account, it gives you the prompt for the password reset. So they built the front end to be secure and not give up any information, probably because they had some sort of audit finding for it eventually, but then you have this feature that's just there. It's a feature; I don't think you can design a password reset or security questions to do anything else, it's going to have to tell you the user is there. So this is one of those usability features where, listen, the risk is right there.

I mentioned there are different ways to generate usernames if you know what you're going to do. There are tools on GitHub, there are tools in Burp, you can just code something yourself where you do first name dot last name from your Outlook or something like that. There's one that takes the census data so you can figure out the most common names. The most effective for me, though, has been either metadata or just calling the help desk and asking. For metadata, you just look for a file: you do your Google search operator, filetype:pdf site:example.com, for example, and when you pull down the PDF, or the Word documents, probably better, you can pull metadata from it and it'll tell you the username that created that file. That gives you an idea of what the naming convention might be so you can plan your attack. But calling the help desk and asking has been the best.

All right, so the defense is just generic error messages, letting you know your username or password is incorrect, and for a forgot password message, I mean, if you're doing security questions I think you're kind of stuck the way it is, but if you're not, it's one of those: send an email regardless, or show that an email might have been sent if you were a valid user, just something that doesn't give things away.

Other built-in enumeration features: menus, APIs, and just generic commands that might be wrong. For menus, if you have access to an application, a lot of times once you have access they just give away the rest of the users, all of the usernames and even their roles too. This is HipChat, it's sort of like Slack; if you're there you can tell whoever's on it, and that's usually because they're using some sort of API. When you press buttons it makes a web request, gets a bunch of users and filters on a query. So if you see any sort of API, you want to go ahead and test them; a lot of APIs don't require authentication if there's just something like enumerating users. That's one thing you look for. The rule of thumb is basically you want to know your own application, and if you have one of these applications, just know that it gives up all your users and things like that. It's not necessarily the biggest deal in the world, but it's a risk to know about. And testing your logins: you've seen some of the use cases with invalid usernames and valid passwords and so on and so forth. If you own one of these things or you're a developer, just check them to see what they give up. All right.
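Added example, written for this page and not code from the talk: the two "same error, same length" enumeration checks just described, as a small Python script. It masks per-request tokens, diffs the two responses the way Burp Comparer or the ZAP diff would, pulls the hidden status field, and classifies usernames by response timing. The responses, the `loginStatus` field name, the token names and the timings are all constructed to mirror the slides; nothing is fetched from a live site.

```python
import difflib
import re
import statistics

# Constructed responses: same visible error, same length, different hidden status.
RESP_VALID_USER = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<div class=\"err\">Username or password do not match</div>\n"
    "<!-- <login><loginStatus>-2</loginStatus></login> -->\n"
)
RESP_INVALID_USER = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<div class=\"err\">Username or password do not match</div>\n"
    "<!-- <login><loginStatus>-1</loginStatus></login> -->\n"
)

# Per-request noise to mask before comparing (assumed parameter names).
_VOLATILE = re.compile(r"(csrf|token|nonce|sessionid)=[^&\"'\s]+", re.I)


def response_body(raw):
    """Everything after the blank line that ends the HTTP headers."""
    return raw.split("\r\n\r\n", 1)[1]


def diff_responses(a, b):
    """Lines that differ between two responses after masking volatile tokens.
    Equal Content-Length says nothing; this is what a comparer shows."""
    la = _VOLATILE.sub(r"\1=X", response_body(a)).splitlines()
    lb = _VOLATILE.sub(r"\1=X", response_body(b)).splitlines()
    changes = difflib.unified_diff(la, lb, lineterm="", n=0)
    return [l for l in changes
            if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]


def hidden_status(raw):
    """Pull the loginStatus value the app leaks inside the response body."""
    m = re.search(r"<loginStatus>(-?\d+)</loginStatus>", raw)
    return int(m.group(1)) if m else None


def classify_by_timing(samples, ratio=2.0):
    """samples: {username: [response_seconds, ...]}.  Assumes most guessed
    names are wrong, so the median of the per-user medians is the baseline;
    a user whose median is `ratio` times off that baseline is the minority
    class (valid or invalid, whichever way the app happens to be slow)."""
    medians = {u: statistics.median(t) for u, t in samples.items()}
    baseline = statistics.median(medians.values())
    out = {}
    for user, m in medians.items():
        if m >= baseline * ratio:
            out[user] = "slow"
        elif m * ratio <= baseline:
            out[user] = "fast"
        else:
            out[user] = "baseline"
    return out


def enumerate_users():
    """Run both checks over the constructed data and return the findings."""
    # Constructed timings modelled on the talk: bogus names take ~10 s,
    # the real account ~1 s.
    timings = {
        "jsmith": [1.0, 1.1, 0.9],
        "notarealuser": [10.2, 9.8, 10.1],
        "alsonotreal": [10.0, 10.3, 9.9],
        "stillnotreal": [9.7, 10.1, 10.0],
    }
    return {
        "equal_length": len(RESP_VALID_USER) == len(RESP_INVALID_USER),
        "diff": diff_responses(RESP_VALID_USER, RESP_INVALID_USER),
        "status": (hidden_status(RESP_VALID_USER), hidden_status(RESP_INVALID_USER)),
        "timing": classify_by_timing(timings),
    }


if __name__ == "__main__":
    for key, value in enumerate_users().items():
        print(key, value)
```

The timing classifier takes several samples per name and compares medians rather than single requests, which is the "bust through a bunch of accounts and look for the consistent outliers" approach from the talk; a single slow response is usually just network latency.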
Then, with a list of usernames, on to testing account lockout. If you have a bunch of usernames at this point, we want to start guessing passwords, but first determining the lockout policy is kind of big. Most applications have an account lockout policy, and if you're a tester or something like that you don't want to lock out a bunch of normal accounts, so it's one of those things you need to know. Once you do figure out the lockout policy, we can begin testing a little bit further. Once again, the easiest way that I think to figure out the account lockout policy is to call the help desk, if there's a help desk number, and just ask them how many times, because they're there to help and they'll probably just tell you. Otherwise you can research the framework: if you have some sort of well-known framework you can look it up, hope there's a default setting, and hope that's the right one. You do have some applications that'll tell you: as soon as you fail a login once it'll say you have five attempts remaining before we lock your account. And then the last case is you just keep trying until it either gives you some indication that you're locked out or not.

So to start bypassing stuff: when you log into things, one of the first things I do is look for client-side counters. The way you can imagine lockout works, as far as code is concerned, is: when this username fails a login, increment the failed login counter, and when the failed login counter is greater than 3, lock out the user, or something like that. That's supposed to be done on the server side; clients shouldn't be able to affect that at all, but in some cases they will put a counter on the client side. So this is my first attempt at logging in. If you aren't familiar with HTTP, this is just a POST request; this is what your browser is doing under the hood when you're trying to log into something. POST sort of means the body of the request, where all of my credentials are going to be, in the body, where other people won't be able to see it. So I failed the login, and then when I tried to log in again my counter was incremented to 2, so that gave me an idea that maybe this c=2 was actually a counter. To bypass it I just set c equal to 1 the entire time and I was able to continually try to guess passwords against these users.

The other thing: I mentioned that counter is typically associated with the username, and it's associated server-side in the database. Other times they will actually give you a cookie when you first go to the site and then they'll associate the counter with that particular cookie ID. The idea is, once you do log in successfully they give you a new cookie so it doesn't matter, but in this case sometimes just deleting your cookies will let you bypass the account lockout altogether.

The other thing you can do is try using basic authentication. If you don't know what basic authentication is, you'll see it a lot: you go to a website and you get the initial popup where it says authorization required and you put in your username and password. Underneath the hood, well, I'm sorry, so this is a regular authentication and this is basic authentication, but the important part is the response here. When I tried the login normally I get this 302, which is redirecting me back to login, sort of an indication that I failed to log in. But on this one, if I'm using basic authentication, I get an unauthorized, and the reason it's doing that is it's actually interpreting these credentials. Like I was mentioning, with basic authentication all it is is your username and your password, colon-delimited, base64 encoded, and it goes with every request; your browser stores this as the Authorization header and it goes on every subsequent request to whatever domain. So when I got this 401 here, as opposed to the previous slide where it was a 302, what I know then is that my credentials are being interpreted, it's processing them in some way. When something like this happens it's sort of an unexpected authentication: they don't expect you to be using basic authentication, but they do allow for it, and in this way several times I've been able to bypass the account lockout because they don't have any counter set up for basic auth.

All right, and kind of a cool bug: there's a commercial identity management product, and it's set up in such a way that even when you lock yourself out, you usually get "the password do not match". So it stays true the entire time of not letting you know the username; it doesn't let you know you're locked out at all. I could guess a thousand passwords, and as long as I'm failing those attempts it's just going to give me the same message. But the bug was, once you get the password right, if you're locked out it gives you this: an error letting you know that you're locked out. I'm sure somebody had found that before and they're like, okay, well, you're locked out, you're good. But when you think about it, if it's giving you a completely different error when you had the wrong password the entire time, and then you get this, it's correct, that means you know the password now. And since this was an identity management site, it was a single sign-on site, this is where they set the passwords, and this was the single sign-on password, so once I knew their password here I knew their password everywhere. On top of that I could just call the help desk and say, hey, I'm this person and I locked my account, you don't have to reset my password, I know my password, just unlock my account. And that worked. So there's that, or if it would have automatically unlocked (this one wouldn't have) you can just wait for it to unlock itself. If you find that bug it's pretty cool.

All right, so then other places that evaluate credentials. Basically these are places where usually you have to have access to the application, so this is kind of a place to brute force somebody else's password and bypass that lockout. The way you end up doing that is you look for places where you're using the password again. The most common ones I kind of mentioned: account creation, when you set a password for the first time, a lot of times it checks whether or not a password already exists, for some reason; and password resets, they always check, when you're resetting your password you need to put in your old password. That's the case on this one. This application had an update password spot I could go to, and as soon as I entered the old password and clicked out of the box, it triggered some JavaScript and made an Ajax request, so it's making an HTTP request in the background with my old password to verify whether or not the old password is correct. It's doing this in the request. It was a really poorly designed app, so the request was actually a GET request; it's bad to have any sort of credentials in a GET request, but this was the URL I could go to to see what was going on behind the scenes. So it was verifyPassword, and q was my old password, which in this case is "badpass", and it has my user ID next to it. If I put in a bad password there, an incorrect password, it returns back "password entered does not match current password", and that's the error message that would show up on the other screen if I were doing this correctly. A blank response, though, indicates success, like I got the correct password. So anybody could go to this page and just cycle through user IDs and guess passwords, and this one didn't have a lockout associated with it. So while on the website three invalid logins would lock you out, this check password spot did not. All right, so that covers testing account lockout; now on to the password attacks.
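Added example, written for this page and not the speaker's or any product's code: the three lockout bypasses from this section (a client-supplied counter, a Basic auth path with no counter, and a `verifyPassword` endpoint with no counter) modelled as one small vulnerable app next to a hardened version that keeps a single server-side counter per username and consults it on every path that evaluates a credential. The user, password, threshold, parameter names and guess list are constructed.

```python
import base64
from collections import defaultdict

# Constructed credential store and lockout threshold (assumed values).
USERS = {"jsmith": "Summer2017!"}
LOCKOUT_AFTER = 3


class VulnerableApp:
    """The three lockout bypasses from the talk, in one app."""

    def login_form(self, username, password, c):
        # POST /login with body user=..&pass=..&c=N: the failed-login counter
        # 'c' comes from the client, so the client decides when to lock.
        if c > LOCKOUT_AFTER:
            return 302, "/login?locked=1"
        if USERS.get(username) == password:
            return 200, "/welcome"
        return 302, "/login"

    def login_basic(self, authorization):
        # Basic auth is "unexpected" here: the credentials are interpreted,
        # but nothing counts failures on this path, so 401 vs 200 is an oracle.
        raw = base64.b64decode(authorization.split(" ", 1)[1]).decode()
        username, password = raw.split(":", 1)
        if USERS.get(username) == password:
            return 200, "/welcome"
        return 401, "Unauthorized"

    def verify_password(self, uid, q):
        # GET /verifyPassword?q=<old password>&uid=<id>, called by the change-
        # password page's JavaScript: a blank body means the password matched.
        if USERS.get(uid) == q:
            return 200, ""
        return 200, "Password entered does not match current password"


class HardenedApp:
    """One server-side failure counter per username, checked by every path
    that evaluates a credential, and a generic failure whether or not locked."""

    def __init__(self):
        self.failures = defaultdict(int)

    def _check(self, username, password):
        if self.failures[username] >= LOCKOUT_AFTER:
            return False                  # locked: reject even the right password
        ok = USERS.get(username) == password
        self.failures[username] = 0 if ok else self.failures[username] + 1
        return ok

    def login_form(self, username, password, c=None):      # 'c' is ignored
        return (200, "/welcome") if self._check(username, password) else (302, "/login")

    def login_basic(self, authorization):
        raw = base64.b64decode(authorization.split(" ", 1)[1]).decode()
        username, password = raw.split(":", 1)
        return (200, "/welcome") if self._check(username, password) else (401, "Unauthorized")

    def verify_password(self, uid, q):
        return (200, "") if self._check(uid, q) else (200, "Password entered does not match current password")


def basic_header(username, password):
    """Authorization: Basic base64(user:pass), as the browser would send it."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def guess_via_form(app, username, guesses):
    """Replay every attempt with c=1 so a client-side counter never trips."""
    for g in guesses:
        if app.login_form(username, g, c=1)[0] == 200:
            return g
    return None


def guess_via_basic(app, username, guesses):
    for g in guesses:
        if app.login_basic(basic_header(username, g))[0] == 200:
            return g
    return None


def guess_via_verify(app, username, guesses):
    for g in guesses:
        if app.verify_password(username, g)[1] == "":
            return g
    return None


# Constructed guess list: the real password is the tenth guess, past the lockout.
GUESSES = ["Password1!", "Winter2017!", "Spring2017!", "Welcome1!", "Qwerty1!",
           "Company1!", "Changeme1!", "Football1!", "July2017!", "Summer2017!"]


def run_all(app_factory):
    """Which of the three paths recovers the password, each against a fresh app."""
    return {
        "form": guess_via_form(app_factory(), "jsmith", GUESSES),
        "basic": guess_via_basic(app_factory(), "jsmith", GUESSES),
        "verify": guess_via_verify(app_factory(), "jsmith", GUESSES),
    }


if __name__ == "__main__":
    print("vulnerable:", run_all(VulnerableApp))
    print("hardened:  ", run_all(HardenedApp))
```

Two details in the hardened version matter for the stories above: the same counter is shared by the form, the Basic auth path and the password-verify call, so locking out on one path locks out all of them; and a locked account gets exactly the same response for a wrong password and for the right one, which is the leak the identity management product had. A real implementation would also expire the counter after a time window and rate limit by source, which this toy leaves out.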
Different types first. A lot of these may not be new to you, but some might be. A continuous guessing attack, which people call brute force: an actual brute force would take a really long time; that's something you can do when you're cracking hashes, but not guessing passwords over HTTP, because it takes a long time. So it's typically just a dictionary attack, or a hybrid: you have a dictionary that has numbers and letters, and whatever the password policy of the organization is, you throw on things. The downside of this is, if you haven't bypassed account lockout, you're going to lock something out if you try a dictionary's worth of passwords against somebody. So a lot of people use what's called password spraying, which is where they take a large list of users and try a very small number of passwords, typically under the threshold of whatever the account lockout policy is. This ends up being really effective, because you're not really worried about testing the super difficult passwords; you're testing easy stuff like a month and year, August2017!, where it still meets all of the password requirements. And then keyboard walks, for the people who think they're clever; those are great too, just up and down the keyboard, whatever meets the requirement. The keyboard walks are really great because it ends up being important people, like system administrators or security personnel or something like that, because they just get jaded and bored and they walk up and down the keyboard. So those are my favorite. The data I have on this is, for around every two thousand accounts or usernames guessed, I end up getting access to something.

All right, so the defenses to this: obviously MFA. That's sort of the whole talk, the defense is MFA; if you use MFA, most of this stuff you won't have a problem with. A CAPTCHA, some regulated rate limiting of all of the requests, nobody's going to want to go through guessing passwords by hand, and educating users.

All right, so logging. I mentioned logging, and this is the important part. For logging, I've worked with a couple of SOCs on guessing passwords; I say, hey, I'm guessing passwords, can you see me? And they say no. I say, okay, well, don't you notice a big spike in requests for authentication? They're like, yeah. But what they were doing, almost every time, is this: this is a normal architecture, I'd say, people connect over the internet and then it gets load balanced into your applications. The problem is they were querying these web server logs, but all of the requests look like they're coming from the load balancer. So if you don't have a pass-through on your load balancer that's taking the actual client IP addresses, it's not going to do you any good, because otherwise you'll do something stupid, like blacklist your load balancer, and then you won't have any traffic at all. So always make sure that you're actually getting the true source of your client IPs; otherwise you won't be able to stop anybody. And yes, there's always the defense that they can just move to another IP address, and that's true, but it slows them down a
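Added example covering both the spraying passage and the logging passage above; it is written for this page and is not the speaker's code. The first half builds a spray list of month+year and keyboard-walk candidates that pass a constructed password policy, then schedules them so no account sees more failures than the lockout threshold allows inside one observation window. The second half is the defender's side: counting failed logins in constructed access-log lines, first by the peer address (everything collapses onto the load balancer) and then by the client address the load balancer forwarded. The policy, threshold, window, IP addresses and log format are all assumptions.

```python
import re
from collections import Counter

# ---- attacker side: candidates and a schedule that stays under lockout ----

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]


def meets_policy(pw, min_len=8):
    """Constructed policy: length, upper, lower, digit and special character."""
    return bool(len(pw) >= min_len and re.search(r"[A-Z]", pw)
                and re.search(r"[a-z]", pw) and re.search(r"\d", pw)
                and re.search(r"[^A-Za-z0-9]", pw))


def spray_candidates(year, months=("July", "August", "September"), walk_len=6):
    """Month+year guesses and keyboard walks, keeping only what passes the policy."""
    cands = []
    for m in months:
        for suffix in ("", "!", "1!"):
            cands.append(f"{m}{year}{suffix}")
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - walk_len + 1):
            walk = row[i:i + walk_len].capitalize()     # Qwerty, Wertyu, ...
            cands.append(walk + "1!")
            cands.append(walk + str(year)[-2:] + "!")
    return [c for c in dict.fromkeys(cands) if meets_policy(c)]   # dedupe, keep order


def spray_plan(users, candidates, lockout_threshold, window_minutes):
    """Rounds of (start_minute, [(user, password), ...]) such that no account
    sees more than lockout_threshold-1 failures inside one window.  Assumes the
    threshold and window were learned first (help desk, framework defaults)."""
    per_round = max(1, lockout_threshold - 1)
    rounds = []
    for n, i in enumerate(range(0, len(candidates), per_round)):
        batch = candidates[i:i + per_round]
        rounds.append((n * window_minutes, [(u, p) for p in batch for u in users]))
    return rounds


# ---- defender side: find the sprayer in web logs behind a load balancer ----

LB_IP = "10.0.0.5"   # constructed: the peer address every web server sees

# Constructed access-log lines: peer address, client address as appended by the
# load balancer (X-Forwarded-For), method, path, status.  302 back to /login
# is a failed login in this app.
ACCESS_LOG = """\
10.0.0.5 203.0.113.7 POST /login 302
10.0.0.5 198.51.100.23 POST /login 200
10.0.0.5 203.0.113.7 POST /login 302
10.0.0.5 203.0.113.7 POST /login 302
10.0.0.5 198.51.100.44 POST /login 302
10.0.0.5 203.0.113.7 POST /login 302
10.0.0.5 203.0.113.7 GET /welcome 200
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def failed_logins_by_source(log, use_forwarded_for):
    """Count POST /login failures per source.  Keyed on the peer address every
    failure lands on the load balancer; keyed on the forwarded client address
    the spraying host stands out."""
    counts = Counter()
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        peer, client, method, path, status = m.groups()
        if method == "POST" and path == "/login" and status == "302":
            counts[client if use_forwarded_for else peer] += 1
    return counts


def spray_sources(log, min_failures=3):
    """Forwarded client addresses with at least min_failures failed logins."""
    return sorted(ip for ip, n in failed_logins_by_source(log, True).items()
                  if n >= min_failures)


if __name__ == "__main__":
    plan = spray_plan(["asmith", "bjones", "cwong"], spray_candidates(2017), 3, 30)
    print(len(plan), "rounds; first:", plan[0])
    print("by peer:  ", failed_logins_by_source(ACCESS_LOG, False))
    print("by client:", failed_logins_by_source(ACCESS_LOG, True))
    print("sprayers: ", spray_sources(ACCESS_LOG))
```

One caveat on the detection half: X-Forwarded-For is a header any client can set, so the value worth logging is the one your own load balancer appends (the rightmost address it adds), not whatever arrived in the request. The spray schedule counts only the lockout threshold, not the rate limiting or CAPTCHA the talk lists as defenses, which is exactly why those extra controls are worth having on top of lockout.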
little bit alright so this one you may not have heard of I call it indirect password guessing it's what happens when you get an error message like this you know we've seen all the previous ones where it says you know incorrect username or password or incorrect usually or whatever but this one just says actually I'm sorry this one is invalid this is what it says normally but this is the weird one okay that's that's the weird one all right you do not have the necessary permissions so all the other use cases same sort of error and then all of a sudden I get this weird error it doesn't want me into the application but it says I do not have the necessary
permissions so trying to figure out what that means all right so then you gotta kind of think about how a web application architect I know this is kind of for but you might have a web app that is drawing from some sort of LDAP database maybe as a primary or secondary but it does have some sort of LDAP that it might be tied to and this usually isn't the organization's like real LDAP this is like a replication of their LDAP and the whole idea is like you don't want anybody to be able to just like hit your Outlook Web App portal and and lock out everybody's accounts right so it's just replicated user names and roles and
stuff like that not not the actual one but the fact still remains that you have like everybody's credentials are with an LDAP and you got to think like alright maybe there's let's let's say this web app is github and there's a github group on your LDAP and only people who can access github they have to be a part of the group so indirect password guessing happens when let's say I don't have access to github but you correctly guess my username and password on that github site it still looks me up and LDAP it still says yep those are valid credentials but then it looks at my role I don't have github so it gives me this
you do not have the necessary permissions so if I'm trying to attack github this isn't very useful because I I can't access it but what it is useful is now I have these network credentials and if you can find lots of sites like this that are associated with the network like the same reason you do all the sub domain enumeration is if you can find error messages like these you can attack some arbitrary site and apparently look like you're not getting in and then using once you figure out the credentials you just go to the site which sites you want so you're indirectly doing it so there's a long technical explanation of what I just said or kind of thrown out there
but you know this does happen so github was it was a good example because it was you know it was a flaw for them so for you know not a real username and password I get invalid all that credentials even when I use a valid a username an invalid password I still get invalid LDAP login credentials but when I do find a match and they just don't have access to the github group you know I get this weird random message so that kind of gave me an idea that you know that that was there and that I was able to use these credentials at other places so this is the same thing but what timing
video but I'll probably just it's a long video that github fix this and they got rid of the air but it still actually took there was still a 10-second delay so it was just timing based enumeration but it's it's really just that it's me logging in it and it takes ten seconds so so defenses against this it's just really going through all of your your web forms and seeing how they respond to the different types of input invalid username valid password so on and so forth and for this one even those who are not in the same group all right then the last password attack is MF 1/2 guessing so if your application does have MFA
make sure you have it everywhere, because the idea is some applications only prompt you for the second factor once you get the first factor correct. So for Microsoft, you know, if you get the password wrong it tells you the password's wrong; if you get the password right it says "approve sign-in request", so you know that it prompts you for the second factor. So at this point I know the person's password, because it's prompting for the second factor, and if you don't use MFA everywhere then I can just go to wherever you use that initial password and try it. So always prompt for a second factor. All right, so now these are the cooler ones,

the one-off ones. So these are complete authentication or authorization bypasses. I'll give you three different stories where it happens; there's no great framework for finding these types of things because all web apps are different. So I've got three examples: one that's an authentication/authorization bypass via host header manipulation, one that's a portal-protected app (and I'll get into what a portal app is), and then I have a glued application, which is taking an open source project and merging it with some COTS product for whatever reason. All right, so the first one. This is sort of the summary of how things went down. I don't have access to the web

application. I did my Google dorking, I did my search enumeration, I found a few different login paths: I found the /login and I also found a /welcome for this example site. When I went to the login page I could see that the host header was echoed within the application, and changing the host header basically gave me full access to the app. So here's the walk-through. I went to the site, I went to the login screen, you can see the arrow where it says the host name was here. For those who don't know, the host header, when you make an HTTP request, when the browser does it, it's

just a required header and it's typically the domain name of the system. So if I go out to login at example.com, my GET request would go to /login and my Host would be example.com. So that's the case here: the host name was there, and it's kind of strange to just have it randomly show up there. So, I mentioned earlier that I found another path: I found /login and I found /welcome. Sometimes in applications, if you're really lucky, you can just skip the login page and go straight to the welcome page and it'll just work. This wasn't one of those cases,

so I made the request out there and it gives me a 302 response, so it redirects me back to login. No work there. So I decided I would change the host header. I changed the host header, and this is a screenshot of Burp; I'm doing request modifications, so each time I make a request it's going to add the header "Host: 127.0.0.1". It did get echoed like it was supposed to, but when I tried making this request it still sent me back to the login page, so that didn't work. So next I tried localhost, and when I went to /welcome this time the response I noticed was a

200, so it actually let me go to that page instead of redirecting me back to login. When I went there, I know there's a lot of red, but it gives me this administrative link section and it makes me the web administrator. If you go to the top you see it says "local machines", so this was some sort of lazy developer shortcut: if you're on the local machine then you must be the developer and therefore you can have full access to the app. All right, so obviously the takeaway is don't do that, but if you're a tester, test the host header, see how it responds to different input. Just a
good thing to do. All right, so the portal application. Portal apps are like, you know, when you start with a new company they give you access to some web portal where your credentials work, but within there you don't have access to anything. You might have access to your timesheet or something like that, but you don't have access to accounting, HR, whatever other systems might be in there. So it's like you have access to the app but you're not a part of any groups, and that's what this case was. So I was able to actually directly browse to the portal application that I wanted to go to, because I did some

search engine enumeration. I found there were other links in there that I didn't have access to, but I could browse directly to them. When I went there it just told me everything was unauthorized. So whenever you go to a page, JavaScript typically loads, and sometimes JavaScript gives away different URL paths that exist. So I read the JavaScript and I navigated to a few different pages, couldn't do anything, read more JavaScript, and eventually I had access. So here's how it went down. Once again, this is like the IBM portal, I don't know if it has a special name, but I'm within the IBM portal. If I had access to applications I'd have all these

little buttons that would show up. Like I said, I could directly browse to a particular application that I found via search engines. So I went to this application's /login and it tells me I'm unable to do anything because I don't have a contractor ID. So, bummer. I read some JavaScript and I went ahead and went to a different page: I went from /login to /welcome and poof, it logged me in. So now it says "welcome me", it says a bunch of other stuff, but yeah, it let me in. So that's really cool, but unfortunately I clicked on a few links, there were some search links and browse links within

this page, and I couldn't do anything still; each button I clicked just gave me back that same ugly error message. So I read more JavaScript and I eventually came to this page, and this page let me do things. It was actually letting me look up individuals by first and last names, and I got a whole bunch of PII out of it. So, you know, this was a self-register portal, so anybody on the internet could register for this particular portal, didn't have any access, but you could eventually get there. So, big exposure. All right, so don't rely on the portal itself for authentication, especially if you open it for everybody. Know that

there's a possibility that somebody can directly browse to things, and then things could be implemented incorrectly. Like in the case of this app, they, one, relied on the portal, so since I had authenticated to the portal, that meant I could just go to this other application and it just read that cookie and kind of logged me in, and two, it didn't make sure it protected all of its URLs requiring the login. All right, so this last one I call a glued application, because it had an open source content management system, and this company had to put on a semantic authentication piece because, you know, auditors require you to have all of

those password requirements, lockout requirements, all that stuff, and this open source content management system didn't have that. So they stuck this semantic thing on the front end. I didn't know that at first, but there was a cookie that came with this that kind of gave me an idea that it was using an open source framework, and if you see something like that you want to download the framework and take note of all the things that you can do. So I took note of the login location and I tried to just manually browse to that login location, thinking maybe the semantic thing's there but I can just browse to the other part. Eventually I was able to modify the

request method. I've talked about GETs and I've talked about POSTs, and I was able to actually get to that login page that I saw, and at that point I could just log in as any user without knowledge of the password. So here's the HTTP request/response pair. I'm going to this site, the slash is just the root directory, and it automatically redirects me to semantic-auth.example.com and it sets this cookie. This cookie let me know that it was an open source framework, Elgg. I can't actually remember what the framework was, but Elgg, if you look it up, you'll find out it's an open source framework. So it gave me

this semantic auth screen, and this had all the bells and whistles of a secure thing: you had to have long, complicated passwords and it locked you out. All right, so once again, when I downloaded that framework I saw that when I logged in locally to the application I downloaded, I go to /login. So I'm like, all right, let me just try to go there. I went there, and unfortunately it still sent me back to that semantic auth page. At this point I kind of thought, how did the developer write this piece? Did they say that any time somebody goes to this resource it's going to redirect

them? And I said, okay, well maybe they did it in such a way that any time it was a GET request you want to redirect them, because when you're browsing through a site it's always GET; you don't do a POST, you don't do anything else. So it turns out I can make anything other than a GET, and when I went to the login it didn't redirect me; it actually sent me where I was supposed to go. So it gave me this login screen, and at this point, at first I tried a few random usernames and stuff like that, and, right, cool, I can bypass account lockout

here because things were working. But once I tried a valid username it just let me in. It let me in as the administrative user; as long as I used a good username, in this case I'd locked it out, but yeah, it just let me in as the administrator. The way the web app was actually set up was, once it authorized you from that semantic spot, it made a call to that login page that I was just on with just the username. So it basically authenticated you in semantic and then it authorized you on that username spot there. So it turns out

all that spot needed was a username and you're in. So again, administrative access to the application by doing nothing. Once again, public app, and go from zero to admin. So the takeaways for all this, or for the glued application at least: as you look for components that are part of a known framework, download it and try to do your best and think how somebody could screw it up. All right, so that is the talk. I've covered all of that stuff, from recon to user enumeration to everything in between. Questions,
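As an added example, not the talk's code, this models the two developer shortcuts from the host-header story and the glued-application story (authorization derived from the Host header, and a redirect-to-login filter that only runs for GET) beside a hardened gate that validates Host against an allowlist and enforces the login check for every method, plus a regression check that sweeps each HTTP method the way the talk suggests a tester would. The hosts, paths, method list, user names and the ADMINS role store are assumed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional, Tuple

ALLOWED_HOSTS = {"example.com", "www.example.com"}   # assumed allowlist
PUBLIC_PATHS = {"/login"}                              # assumed unauthenticated paths
ADMINS = {"alice"}                                     # assumed role store
METHODS = ("GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS")

@dataclass
class Request:
    method: str
    path: str
    host: str                           # Host header value: client-controlled
    session_user: Optional[str] = None  # set only by a real login

def vulnerable_gate(req: Request) -> Tuple[int, str]:
    """Reproduces the two shortcuts described in the talk (constructed, not real code)."""
    if req.host == "localhost":                       # "local machine => web administrator"
        return 200, "web administrator"
    if req.method == "GET" and req.path not in PUBLIC_PATHS and req.session_user is None:
        return 302, "/login"                          # only GET is ever redirected
    role = "web administrator" if req.session_user in ADMINS else "user"
    return 200, role                                  # a POST with no session lands here

def hardened_gate(req: Request) -> Tuple[int, str]:
    """Host is validated, never trusted; the login check runs for every method."""
    if req.host not in ALLOWED_HOSTS:
        return 400, "bad host"
    if req.path not in PUBLIC_PATHS and req.session_user is None:
        return 302, "/login"
    if req.session_user is None:                      # public path, anonymous caller
        return 200, "anonymous"
    role = "web administrator" if req.session_user in ADMINS else "user"
    return 200, role

def unauthenticated_openings(gate, path: str, host: str = "example.com") -> set:
    """Methods for which an unauthenticated request to `path` is served with 200.
    A regression check for the 'filter only GET' mistake; the expected result is empty."""
    return {m for m in METHODS if gate(Request(m, path, host))[0] == 200}
```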
anybody? All right, thanks. [Applause]