Kali Linux Web Penetration Testing Manual (2nd Edition) - 4.1 Introduction + Username Enumeration
Translated by: Mine Team
Members: thr0cyte, Gr33k, spend a lot of money, MrTools, R1ght0us, 7089bAt
Chapter 4: Testing Authentication and Session Management
4.0 Introduction
4.1 Username enumeration
4.2 Dictionary attack on login pages using Burp Suite
4.3 Brute-force attack using Hydra
4.4 Cracking Tomcat passwords using Metasploit
4.5 Manually finding vulnerabilities in cookies
4.6 Attacking a session fixation vulnerability
4.7 Evaluating the quality of session identifiers with Burp Sequencer
4.8 Abusing insecure direct object references
4.9 Performing cross-site request forgery attacks
4.0 Introduction
When an application manages information that is not publicly available, a mechanism is needed to verify that users are allowed to see certain data, which is called authentication. The most common method of authentication in today's web applications is to use a combination of a username (or identifier) and a password.
HTTP is a stateless protocol, which means that each request is independent of every other. An application therefore also needs a way to tell requests from different users apart, so that one user can perform a series of requests that belong together while many other users are connected at the same time. This is called session management. A session identifier stored in a cookie is the most common session management method in modern web applications, although tokens (values carrying the user's identity, sent in the Authorization header of each request) are becoming increasingly popular in certain kinds of applications, such as back-end web services.
In this chapter, we will describe how to detect some of the most common vulnerabilities in web application authentication and session management, and how attackers can abuse these vulnerabilities to gain access to restricted information.
4.1 Username enumeration
The first step in cracking a username/password authentication mechanism is to discover a valid username. One way to do this is by enumeration: enumerating the users of a web application is done by analyzing the responses returned when a username is submitted at places such as the login, registration, and password recovery pages.
In this subsection, we will submit multiple requests to the application using a list of common usernames and compare the responses to determine which submitted names belong to existing users.
Environmental preparation
For this subsection we will use the WebGoat vulnerable application on the vm_1 target machine, and Burp Suite as our proxy on Kali Linux.
Practical Exercise
Almost all applications give users a way to recover or reset their password in case they forget it. Many of these applications also reveal when a submitted username does not exist, and this can be used to build a list of existing usernames:
1. Open WebGoat (http://192.168.56.11/WebGoat/attack) from your Kali Linux browser and use WebGoat as the username and password if the login dialog pops up.
2. Once in WebGoat, go to Authentication Flaws | Forgot Password. If we submit a username that does not exist in the database, we receive a message saying that the username is invalid:
3. We can assume that the response is different when a valid username is provided. To test this, send the request to the Intruder module. In Burp's history it is a POST request to http://192.168.56.11/WebGoat/attack?Screen=64&menu=500.
4. Go to the Intruder module and set the username as the only payload position:
5. Then go to Payloads to set up the list of usernames we will use in the attack. Leave the default type as Simple List and click the Load button to load the file /usr/share/wordlists/metasploit/http_default_users.txt:
6. Now that we know the response returned when a user does not exist, we can have Burp tell us when that message appears in the results. Go to Options | Grep - Match and clear the default list.
7. Add a new string to match: Not a valid username:
8. Now start the attack. Note that for some names (for example admin) Burp Suite does not flag the invalid-username message; these names are valid in the application:
How it works
If we are testing a web application that requires a username and password to perform an action, we need to look for ways in which an attacker could discover a valid username and password. A slightly different response for valid and invalid users on the login, registration or password recovery page tells us which submitted usernames are valid.
Analyzing the differences between the responses to similar requests is a skill we need to master as penetration testers. We can use a proxy such as Burp Suite to record the original request, and then have the Intruder module replay it many times, changing the value of one variable (the username) each time. Intruder can also search every response for a given string and mark the responses in which that string was found.
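The fix for the weakness exercised here is to make the password recovery page answer identically whether or not the account exists. The following is an added example, not the book's or WebGoat's code: a minimal "forgot password" handler written twice, once leaking account existence through its message and status code (the behaviour the exercise relies on) and once returning a single uniform response, plus a small check that performs the same response-difference comparison an Intruder run does, so it can serve as a regression test for the fix. The user store and e-mail addresses are constructed.

```python
"""Uniform responses for a password-recovery page.

Added example (not from the book or WebGoat).  forgot_password_vulnerable
reveals whether a username exists; forgot_password_hardened gives the same
answer for every name and routes the only real effect (a reset e-mail) to
the account owner, not to the requester.
"""

# Constructed user store: username -> e-mail address (values are placeholders)
USERS = {"admin": "admin@example.test", "webgoat": "webgoat@example.test"}


def forgot_password_vulnerable(username):
    """Leaks account existence: different text and status per outcome."""
    if username not in USERS:
        return {"status": 400, "body": "Not a valid username"}
    return {"status": 200, "body": f"Reset link sent to {USERS[username]}"}


def forgot_password_hardened(username, outbox=None):
    """Same status and body for every submitted name.

    outbox stands in for the mail system; a reset link is queued only when
    the account exists, which the requester cannot observe from the response."""
    if outbox is not None and username in USERS:
        outbox.append((USERS[username], "reset link"))
    return {
        "status": 200,
        "body": "If that account exists, a reset link has been sent to its e-mail address.",
    }


def responses_are_uniform(handler, usernames):
    """True if handler returns an identical (status, body) pair for every username.

    This is the response-difference analysis from the exercise, turned into a
    check the defender can run against known-existing and known-absent names."""
    seen = {(r["status"], r["body"]) for r in (handler(u) for u in usernames)}
    return len(seen) == 1


if __name__ == "__main__":
    probe = ["admin", "webgoat", "nobody", "root"]
    print("vulnerable uniform:", responses_are_uniform(forgot_password_vulnerable, probe))
    print("hardened uniform:  ", responses_are_uniform(forgot_password_hardened, probe))
```

Two caveats apply in practice. The uniform message must also be used on the login and registration pages, otherwise the same information leaks elsewhere (registration pages often need a different design, such as sending the outcome by e-mail). And identical text is not the whole story: a handler that does noticeably more work for existing accounts (looking up the user, sending mail) can still be distinguished by response time, so the slow part should run asynchronously or take the same time on both paths.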