I thought we should have a place for us to learn from each-other and optimize best practices.
play nice and try not to be mean
Iāll startā¦
Overcoming two stage authentication with burpsuite
A common scenario that can be slightly annoying if you donāt have this little tip under your belt
The authentication flow:
- You have a Username & Password
- You have a Passphrase / word that only 'random characters are required from each login - such as the 3rd,5th and 8th letter
In Burpsuite under Proxy > Options > Match and Replace you can spend a little bit of time entering some html from the page requesting the characters and modifying the value=āā fields this will populate the right characters for a successful (automated) authentication
letās forget the username and password thatās just a post request, letās say we have entered that, and we are met with a page that tells us it needs the 1st,2nd and 4th character of my passphrase āhelloā
lets assume the html looks a little like this:
... Letter 1:<input name="letter1" type="password" value="">
we know letter one is ā@ā so we simply add the above line to the āmatchā and then in the replace input we add the correct value to the number
Match: ... Letter 1:<input name="letter1" type="password" value="">
Replace with: ... Letter 1:<input name="letter1" type="password" value="h">
We want it to automatically work out the full phrase based on the HTML 'Letter 1,2,3,4 or 5 (and so on) so we preprogram all the letters to the whole phrase (reguardless of how log it is letter 1 will always be āhā letter two will always be ānā if that HTML code isnāt called in the page then the match and replace has nothing to action, nothing bad happens.
... Letter 1:<input name="letter1" type="password" value="">
... Letter 1:<input name="letter1" type="password" value="h">
... Letter 2:<input name="letter2" type="password" value="">
... Letter 2:<input name="letter2" type="password" value="e">
... Letter 3:<input name="letter3" type="password" value="">
... Letter 3:<input name="letter3" type="password" value="l">
... Letter 4:<input name="letter4" type="password" value="">
... Letter 4:<input name="letter4" type="password" value="l">
... Letter 5:<input name="letter5" type="password" value="">
... Letter 5:<input name="letter5" type="password" value="o">
Donāt forget to add comments - just in-case you forget or someone has to pick up your work
This is also useful for assisting automated tools through the same journey, My old work place we use IBM Appscan and it cannot work round this, it only does username password for web authentication, but it is proxy aware so you can push it through burp and let burp take care of the tricky stuff.
2 Likes
I moved a post to a new topic: What are your favorite Firefox add-ons for penetration testing?
2 Likes
URLās From a threat perspective
A good interview question, and a fun one to think aboutā¦
http://secure.caseysleathermasks.au/shop/cart.php?i=13&cost=10.00&isadm=no&echo='you+just+purchased+the+choke+mask+<b>2000</b>!'
letāstalk about the possibilities here, look at the whole schema
( POST when we have exhausted this one)
2 Likes
I can see the following possibilities:
- Reflected XSS in the āechoā parameter
- CSRF on purchasing products
- Privilege Escalation to the administrator session, by changing the value of āisadmā parameter to āyesā
- Logical issue where a use can buy the product with $0 to $1.
- And of course, āHTTPā + āsecureā canāt be together
I guess thatās all obvious issues to think about from the first look.
1 Like