Tutorial: Enumerate web authentication with Burpsuite!

by Black on January 9, 2012

in Penetration Testing, Security Reconnaissance

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities. Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun. Our latest post on Burp Suite is here

1. Set the browser proxy to Burpsuite

2. In the Burpsuite, go to Proxy -> Intercept -> “Intercept is on”

3. Go to Proxy -> Options -> “generate CA-signed per-host certificates”. Each time the user connects to an SSL-protected website, Burpsuite will generate a server certificate for that host, signed by a unique CA certificate that Burpsuite generated during its installation. The purpose of this is to reduce the SSL errors that occur because of the proxy in between.

Enumerate web authentication with Burpsuite

Types of Authentication

1)HTTP-Basic Authentication

HTTP-Basic authentication uses a combination of a username and password to authenticate the user. The process starts when a user sends a GET request for a resource without providing any authentication credentials. The request is intercepted by Burpsuite and looks something like this.

The server responds with an “Authorization Required” message in its header. We can see the packet in Wireshark. As the header shows, the authentication type is “Basic”. The browser recognizes this and displays a popup asking the user for a username and a password. Note that the popup is displayed by the browser and not by the web application.

Once we type in the username and password and intercept the request again using Burpsuite, we get something as shown in the figure below. The last line says “Authorization: Basic aW5mb3NlYzppbmZvc2VjaW5zdGl0dXRl”. This is the extra value now being passed in the header, and the text after “Basic” holds the key: it is the credentials in encoded form. The username and password are concatenated with a colon (:) in between, and the whole string is then encoded using the Base64 algorithm.
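Base64 is an encoding, not encryption, so anyone who sees the header recovers the credentials. The following Python script is an added example (not code from the original post or from Burp): it parses an intercepted request, decodes the Authorization header, and rebuilds the header value a browser would send. The request text is constructed; the credential string is the one shown on the page.

```python
import base64
import binascii

# Constructed sample of the intercepted request; the Base64 value is the
# one quoted in the post.
SAMPLE_REQUEST = (
    "GET /basic/ HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Authorization: Basic aW5mb3NlYzppbmZvc2VjaW5zdGl0dXRl\r\n"
    "\r\n"
)


def parse_headers(raw_request):
    """Split a raw HTTP request into (request_line, {header-name: value})."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def decode_basic_authorization(header_value):
    """Decode 'Basic <base64>' into (username, password).

    Returns None if the scheme is not Basic, the token is not valid
    Base64, or the decoded text has no ':' separator.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # The user-id may not contain ':'; everything after the first ':' is the password.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def encode_basic_authorization(username, password):
    """Build the header value a browser sends after the credential popup."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def credentials_from_request(raw_request):
    """Convenience wrapper: pull the credentials out of a full raw request."""
    _, headers = parse_headers(raw_request)
    auth = headers.get("authorization")
    return decode_basic_authorization(auth) if auth else None


if __name__ == "__main__":
    print(credentials_from_request(SAMPLE_REQUEST))
```

Running the script on the sample request prints the decoded username and password pair, which is exactly what a passive observer on an unencrypted link would obtain.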

One of the problems with HTTP-Basic Authentication is that the data is passed in plaintext. This risk can be removed by using SSL, which sends the data in encrypted form, so the value in the Authorization header will not be visible on the wire. However, it will still be vulnerable to many client-side attacks, including MITM. It is also vulnerable to brute-force attacks, which we will see in the coming sections.

2)HTTP-Digest Authentication

Digest Authentication was designed as an improvement over HTTP Basic Authentication. One of the major improvements is that the data is not passed in cleartext but in encrypted format. The user first makes a request to the page without any credentials. The server replies with a WWW-Authenticate header indicating that credentials are required to access the resource. The server also sends back a random value, usually called a “nonce”. The browser then uses a cryptographic function to create a message digest of the username, password, nonce, HTTP method, and the URL of the page. The cryptographic function used here is a one-way function, meaning that the message digest can be created in one direction but cannot be reversed to reveal the values that created it. By default, Digest authentication uses the MD5 hashing algorithm.
Digest Access authentication is less vulnerable to eavesdropping attacks than Basic Authentication, but is still vulnerable to replay attacks, i.e., if a client can replay the message digest created by the encryption, the server will allow access to the client. To thwart this kind of attack, the server nonce sometimes also contains a timestamp. Once the server gets the nonce back, it checks its attributes, and if the time limit has been exceeded it may reject the request from the client. Another good thing about Digest access authentication is that the attacker has to know all four other values (username, nonce, URL, HTTP method) in order to carry out a dictionary or brute-force attack. This process is more computationally expensive than a simple brute-force attack and also has a larger keyspace, which makes a brute-force attack less likely to succeed.
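To make the digest calculation and the timestamped-nonce replay check concrete, here is an added Python example (not code from the original post, from Burp, or from any real server). The client side computes the RFC 2617 response without the qop extension (HA1 = MD5(username:realm:password), HA2 = MD5(method:uri), response = MD5(HA1:nonce:HA2)); the server side embeds a timestamp in the nonce, authenticates it with an HMAC so clients cannot mint their own, and rejects nonces older than a lifetime. The realm, credentials, secret and lifetime are constructed values.

```python
import hashlib
import hmac
import time

# Constructed values; a real server generates its secret at startup and keeps it private.
SERVER_SECRET = b"constructed-example-secret"
NONCE_LIFETIME = 300  # seconds a nonce stays acceptable


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_nonce(now=None):
    """Server side: nonce = '<timestamp>:<HMAC(secret, timestamp)>'.

    The timestamp lets the server expire stale nonces (replay mitigation);
    the HMAC lets it confirm the timestamp was issued by this server.
    """
    ts = str(int(now if now is not None else time.time()))
    mac = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def nonce_is_fresh(nonce, now=None):
    """Server side: reject forged, malformed or expired nonces."""
    ts, _, mac = nonce.partition(":")
    if not ts.isdigit():
        return False
    expected = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    current = now if now is not None else time.time()
    return 0 <= current - int(ts) <= NONCE_LIFETIME


def digest_response(username, realm, password, method, uri, nonce):
    """Client side (RFC 2617, no qop). Only the final hex digest is sent;
    the password never appears on the wire."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def verify_digest(username, realm, stored_password, method, uri, nonce, response, now=None):
    """Server side: check the nonce is still valid, then recompute the digest
    from the stored credential and compare in constant time. (A real server
    would store HA1 rather than the plaintext password; the maths is the same.)"""
    if not nonce_is_fresh(nonce, now):
        return False
    expected = digest_response(username, realm, stored_password, method, uri, nonce)
    return hmac.compare_digest(expected.encode(), response.encode())


if __name__ == "__main__":
    nonce = make_nonce()
    resp = digest_response("infosec", "demo", "s3cret", "GET", "/digest/", nonce)
    print("fresh:", verify_digest("infosec", "demo", "s3cret", "GET", "/digest/", nonce, resp))
    late = time.time() + NONCE_LIFETIME + 1
    print("replayed after expiry:", verify_digest("infosec", "demo", "s3cret", "GET", "/digest/", nonce, resp, now=late))
```

The second print shows the replay caveat from the text: the same digest that verified a moment ago is refused once the nonce's lifetime has passed, even though the credentials are correct. Binding the method and URI into HA2 is also why a digest captured for one request does not verify for a different method or path.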

3)Form Based Authentication

Form Based Authentication uses a form (usually in HTML) with input tags to allow users to enter their username and password. Once the user submits the information, it is passed to the server through either the GET or POST method via HTTP or HTTPS. On the server side, if the credentials are found to be correct, the user is authenticated and some random token value or session id is given to the user for subsequent requests. One of the good features of Form Based authentication is that there is no standardized way of encoding or encrypting the username/password, and hence it is highly customizable, which makes it immune to the common attacks that were successful against HTTP Basic and Digest Authentication mechanisms. Form Based Authentication is by far the most popular authentication method used in web applications. One of the issues with Form Based Authentication is that credentials are passed in plaintext unless steps such as employing TLS (Transport Layer Security) are taken.

Enumerate Web Authentication

  1. Go to the form and submit a request using any username/password for now, then intercept the request. Once you have the request, right click on it and click on “send to intruder”
  2. Go to the Intruder tab -> under the Target tab -> configure the target
  3. Go to the Positions tab of the Intruder tab -> hit the Clear button -> highlight the username and password values and hit the Add button
  4. Change the attack type from “sniper” to “cluster bomb”
  5. Go to the Payloads tab -> select payload set 1 -> hit the Load button -> choose the file containing the list of usernames
  6. Select payload set 2 -> hit the Load button -> choose the file containing the list of passwords
  7. Go to the Options tab -> select “store requests” and “store responses”
  8. Click on Intruder at the top left and click on “start attack”
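A cluster-bomb run against a login form leaves a distinctive trace on the server: a burst of failed POSTs to the login URL from one source, often followed by a single success once a valid pair is hit. The following Python script is an added example (not code from the original post or from Burp) of the detection logic a defender would run over the web server's access log. The log lines are constructed in combined log format; the login path, the 60-second window, the failure threshold of 5 and the statuses treated as failures are assumptions to adapt to the application (many form logins answer a failed attempt with 200 and an error page rather than 401).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log lines (combined log format) standing in for what a
# server records while a cluster-bomb payload set cycles through a login form.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jan/2012:14:05:01 +0000] "POST /login HTTP/1.1" 401 312 "-" "Mozilla/5.0"
10.0.0.5 - - [09/Jan/2012:14:05:01 +0000] "POST /login HTTP/1.1" 401 312 "-" "Mozilla/5.0"
10.0.0.5 - - [09/Jan/2012:14:05:02 +0000] "POST /login HTTP/1.1" 401 312 "-" "Mozilla/5.0"
10.0.0.5 - - [09/Jan/2012:14:05:02 +0000] "POST /login HTTP/1.1" 401 312 "-" "Mozilla/5.0"
10.0.0.5 - - [09/Jan/2012:14:05:03 +0000] "POST /login HTTP/1.1" 401 312 "-" "Mozilla/5.0"
10.0.0.5 - - [09/Jan/2012:14:05:03 +0000] "POST /login HTTP/1.1" 401 312 "-" "Mozilla/5.0"
10.0.0.5 - - [09/Jan/2012:14:05:04 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [09/Jan/2012:14:05:04 +0000] "POST /login HTTP/1.1" 401 312 "-" "Mozilla/5.0"
10.0.0.9 - - [09/Jan/2012:14:07:30 +0000] "POST /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Assumed tuning knobs; adjust to the application being protected.
LOGIN_PATH = "/login"
WINDOW = timedelta(seconds=60)
THRESHOLD = 5
FAILURE_STATUSES = {401, 403}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_bruteforce(lines, window=WINDOW, threshold=THRESHOLD):
    """Return (ip, alert_kind, time) tuples.

    A sliding window of failed login POSTs is kept per source IP; reaching
    the threshold raises one 'burst_of_failed_logins' alert, and any later
    non-failure login response from a flagged IP raises
    'success_after_burst', the signal that a guess may have worked.
    """
    failures = defaultdict(deque)
    flagged = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != LOGIN_PATH:
            continue
        ip, t = rec["ip"], rec["time"]
        recent = failures[ip]
        while recent and t - recent[0] > window:  # drop failures outside the window
            recent.popleft()
        if rec["status"] in FAILURE_STATUSES:
            recent.append(t)
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "burst_of_failed_logins", t))
        elif ip in flagged:
            alerts.append((ip, "success_after_burst", t))
    return alerts


if __name__ == "__main__":
    for ip, kind, when in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{when.isoformat()} {ip} {kind}")
```

On the sample log the script flags 10.0.0.5 for the burst and again for the 302 that follows it, while 10.0.0.9, with one failure and a success two minutes apart, stays quiet. The same counters are what an account-lockout or rate-limiting control would act on; storing both requests and responses in Intruder, as step 7 says, is what lets the tester confirm from the other side which attempt produced the different response.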

Click here to read the details. Thanks to the author, Prateek Gianchandani


materaj January 9, 2012 at 2:05 pm
Black January 9, 2012 at 5:50 pm

Hi materaj, happy new year. We checked it and the last part, Enumerate Web Authentication, matches your post.
If you want, we can modify it….
Thanks

b2989187@nwldx.com January 9, 2012 at 7:04 pm

Sorry, but on howto-hacking-web-authentication-with.html NOD32 detects a virus – HTML/ScrInject.B.Gen (VirusTotal report – http://www.virustotal.com/file-scan/report.html?id=fc1d5831d3c7028eeb8a44f26cdad3bfa9f88e83dc781b6be9da5748389aa62f-1326114210).

Mayuresh January 9, 2012 at 7:16 pm

Interesting. I don’t think that the HTML page belongs to pentestit.com, as I am not able to reproduce those errors – http://www.virustotal.com/url-scan/report.html?id=b83d3bd59f03d0082e53dbaf7b22cdda-1326112572
Still, requesting a review just in case. Thanks for reporting.
UPDATE: The link that you have analysed is from the r00tsec blog. Not ours. :-)

materaj January 9, 2012 at 6:21 pm

No, it’s not necessary. I just want to tell you. :)

Black February 3, 2012 at 11:17 am

Yup, Compilado de enlaces. The tutorial is great
