WEBVTT

00:00:00.000 --> 00:00:06.470 align:middle line:90%


00:00:06.470 --> 00:00:09.730 align:middle line:84%
Welcome back to the Broken
Authentication session.

00:00:09.730 --> 00:00:12.640 align:middle line:84%
In this second part, we will
exploit several authentication

00:00:12.640 --> 00:00:15.430 align:middle line:84%
flaws in our intentionally
vulnerable application

00:00:15.430 --> 00:00:17.950 align:middle line:90%
to get access as admin.

00:00:17.950 --> 00:00:21.070 align:middle line:84%
We will jump straight to
the hands-on exploitation.

00:00:21.070 --> 00:00:24.220 align:middle line:84%
At the end, we will wrap
up exploited issues,

00:00:24.220 --> 00:00:25.840 align:middle line:84%
which we will discuss
in more detail

00:00:25.840 --> 00:00:28.720 align:middle line:84%
in the third and last
part of this session.

00:00:28.720 --> 00:00:31.410 align:middle line:90%
Let's hack.

00:00:31.410 --> 00:00:33.690 align:middle line:84%
Let's start by creating a
regular user account.

00:00:33.690 --> 00:00:36.220 align:middle line:90%


00:00:36.220 --> 00:00:39.460 align:middle line:84%
Before submitting the request,
let's pop up Developer Tools

00:00:39.460 --> 00:00:41.260 align:middle line:84%
so that we can monitor
the network traffic.

00:00:41.260 --> 00:00:50.160 align:middle line:90%


00:00:50.160 --> 00:00:51.938 align:middle line:84%
This would be the
sign-up request,

00:00:51.938 --> 00:00:53.730 align:middle line:84%
let's have a look at
the request details.

00:00:53.730 --> 00:01:00.960 align:middle line:90%


00:01:00.960 --> 00:01:03.150 align:middle line:84%
The request body includes
our account details

00:01:03.150 --> 00:01:05.220 align:middle line:84%
where we can see
our weak password.

00:01:05.220 --> 00:01:08.750 align:middle line:90%


00:01:08.750 --> 00:01:09.890 align:middle line:90%
We can now log in.

00:01:09.890 --> 00:01:28.700 align:middle line:90%


00:01:28.700 --> 00:01:31.295 align:middle line:84%
Next, we will try to
recover our own password.

00:01:31.295 --> 00:01:44.390 align:middle line:90%


00:01:44.390 --> 00:01:47.240 align:middle line:84%
Again, let's first pop
up Developer Tools.

00:01:47.240 --> 00:02:01.170 align:middle line:90%


00:02:01.170 --> 00:02:03.360 align:middle line:84%
While we were typing,
several requests

00:02:03.360 --> 00:02:06.420 align:middle line:84%
were made to the
security-question endpoint.

00:02:06.420 --> 00:02:08.070 align:middle line:84%
Let's inspect the
last one, which

00:02:08.070 --> 00:02:09.600 align:middle line:90%
has our complete email address.

00:02:09.600 --> 00:02:18.120 align:middle line:90%


00:02:18.120 --> 00:02:24.620 align:middle line:84%
Our email address was
sent in the request,

00:02:24.620 --> 00:02:27.370 align:middle line:84%
and the server returned
our security question.

00:02:27.370 --> 00:02:31.220 align:middle line:90%


00:02:31.220 --> 00:02:33.170 align:middle line:84%
How does the server
response look

00:02:33.170 --> 00:02:34.940 align:middle line:84%
for an email address
which does not

00:02:34.940 --> 00:02:36.410 align:middle line:90%
belong to a Juice Shop account?

00:02:36.410 --> 00:02:51.130 align:middle line:90%


00:02:51.130 --> 00:02:53.470 align:middle line:84%
This time, the
response is empty.

00:02:53.470 --> 00:02:55.540 align:middle line:84%
Based on these
binary responses, we

00:02:55.540 --> 00:02:57.400 align:middle line:84%
can check whether
there's an admin account.

00:02:57.400 --> 00:03:20.200 align:middle line:90%


00:03:20.200 --> 00:03:21.970 align:middle line:84%
Comparing this
response with the one

00:03:21.970 --> 00:03:24.250 align:middle line:84%
we've got with our
own email address,

00:03:24.250 --> 00:03:27.580 align:middle line:84%
we know that such an account
exists and we can try to log in.

00:03:27.580 --> 00:03:40.680 align:middle line:90%


00:03:40.680 --> 00:03:42.150 align:middle line:90%
We don't know the password.

00:03:42.150 --> 00:03:43.860 align:middle line:84%
But at least we can
try to guess it.

00:03:43.860 --> 00:03:50.790 align:middle line:90%


00:03:50.790 --> 00:03:54.060 align:middle line:84%
Of course, it's wrong,
but we can do better.

00:03:54.060 --> 00:03:56.280 align:middle line:84%
Let's search for common
web admin passwords.

00:03:56.280 --> 00:04:18.220 align:middle line:90%


00:04:18.220 --> 00:04:20.920 align:middle line:84%
Let's try the first ones
with at least five characters

00:04:20.920 --> 00:04:23.025 align:middle line:84%
since we saw that this
is the minimum required

00:04:23.025 --> 00:04:23.650 align:middle line:90%
in the sign-up.

00:04:23.650 --> 00:04:46.120 align:middle line:90%


00:04:46.120 --> 00:04:48.400 align:middle line:84%
Doing this one by
one will take long,

00:04:48.400 --> 00:04:50.680 align:middle line:84%
but this is exactly the
type of task computers

00:04:50.680 --> 00:04:51.520 align:middle line:90%
are great at doing.

00:04:51.520 --> 00:04:54.490 align:middle line:90%


00:04:54.490 --> 00:04:56.770 align:middle line:84%
The simple bash script
does concurrent requests

00:04:56.770 --> 00:04:59.590 align:middle line:84%
to the login endpoint based
on a given email address

00:04:59.590 --> 00:05:01.600 align:middle line:90%
and the list of passwords.

00:05:01.600 --> 00:05:04.240 align:middle line:84%
It will stop on a
successful login attempt

00:05:04.240 --> 00:05:06.130 align:middle line:84%
or at the end of
the passwords list.

00:05:06.130 --> 00:05:09.370 align:middle line:90%


00:05:09.370 --> 00:05:11.740 align:middle line:84%
Let's move the passwords
list into a text file

00:05:11.740 --> 00:05:12.580 align:middle line:90%
and do some cleanup.

00:05:12.580 --> 00:05:38.330 align:middle line:90%


00:05:38.330 --> 00:05:41.030 align:middle line:84%
It's time to run our script
with the Juice Shop admin's email

00:05:41.030 --> 00:05:43.280 align:middle line:84%
address and our
password list file.

00:05:43.280 --> 00:05:59.230 align:middle line:90%


00:05:59.230 --> 00:06:02.440 align:middle line:84%
Two seconds was the time
needed to find a password

00:06:02.440 --> 00:06:04.810 align:middle line:90%
on a simple workstation.

00:06:04.810 --> 00:06:06.670 align:middle line:84%
Let's now see whether
it really works.

00:06:06.670 --> 00:06:25.350 align:middle line:90%


00:06:25.350 --> 00:06:28.250 align:middle line:84%
In fact, it does, and we
are now logged in as admin.

00:06:28.250 --> 00:06:34.610 align:middle line:90%


00:06:34.610 --> 00:06:38.500 align:middle line:84%
We said it before, and now
you have seen it in practice.

00:06:38.500 --> 00:06:40.960 align:middle line:84%
Although there's a password
strength calculator

00:06:40.960 --> 00:06:44.050 align:middle line:84%
in the sign-up form, strong
password policies are not

00:06:44.050 --> 00:06:47.080 align:middle line:84%
enforced, allowing five-character,
single-class

00:06:47.080 --> 00:06:49.180 align:middle line:90%
passwords.

00:06:49.180 --> 00:06:52.300 align:middle line:84%
The recover-password mechanism
can be used as an oracle

00:06:52.300 --> 00:06:56.320 align:middle line:84%
to enumerate valid user
accounts based on its response.

00:06:56.320 --> 00:07:00.130 align:middle line:84%
And finally, the login does
not implement a lockout feature

00:07:00.130 --> 00:07:02.530 align:middle line:84%
based on failed login
attempts, meaning

00:07:02.530 --> 00:07:04.390 align:middle line:84%
that we can test
as many passwords

00:07:04.390 --> 00:07:06.850 align:middle line:84%
as we want for a
single email address

00:07:06.850 --> 00:07:09.570 align:middle line:90%
until we get the right one.

00:07:09.570 --> 00:07:11.760 align:middle line:84%
In our next video,
we will discuss

00:07:11.760 --> 00:07:13.560 align:middle line:84%
what makes the
application vulnerable

00:07:13.560 --> 00:07:16.190 align:middle line:90%
and how to prevent it.

00:07:16.190 --> 00:07:17.000 align:middle line:90%