
Lab 05 Broken Authentication

Tomas Rosenqvist edited this page Nov 16, 2018 · 17 revisions

Broken authentication

Challenge "Password strength"

One (naive) way to gain entry to a password-protected system is simply to try every possible password: "a", then "b", and so on until you reach "ZZZZZZZZZZ" or something similar. Since passwords are rarely chosen at random, you can shorten this time-consuming search considerably by guessing selectively. Lists of the most commonly used passwords, of varying length, are easy to find; feed one to a fuzzer and the fuzzer tries each entry for you, so the only thing you still need to know is how a failed login looks compared to a successful one.

This lab assumes that we (the attacker) know there is an admin account named admin@juice-sh.op but do not know its password.

  1. Download the password dictionary to your computer.
  2. Start OWASP ZAP.
  3. Launch Firefox with ZAP as its proxy by selecting Firefox in the dropdown and then clicking the "Launch Browser" button.
  4. Enter your Juice Shop URL.
  5. Go to the Login page and attempt to log in using admin@juice-sh.op as the username and a random non-empty password.
  6. Check the History tab in ZAP.
  7. Select the most recent HTTP POST request and inspect the request and response. Note the status code and the size of the response to this failed login; it is the baseline every fuzzed response will be compared against.
  8. Right click the POST request and choose Attack -> Fuzz.
  9. In the request Body, select the password you entered and click Add to mark it as the fuzz location.
  10. In the Payloads dialog click Add, choose the File payload type, and point it at the dictionary you downloaded in step 1.
  11. Start the Fuzzer.
  12. Check if any of the fuzzed requests generated anything useful: sort the results by status code or response size, since the one request that is answered differently from the rest (a different status code, or a noticeably different size) is the one that carried the correct password.

Questions

  • How could this vulnerability be negated in the application?
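The procedure above (steps 5 to 12) and the question of how to negate it, as an added Python example that is not part of the lab or of OWASP Juice Shop. The login target is a constructed in-memory stand-in, not Juice Shop's real login endpoint; the account name admin@juice-sh.op comes from the lab, while the password `admin123`, the shortened word list, the response bodies and the `max_failures` lockout are assumptions made for the example.

```python
"""Dictionary attack against a login endpoint, and the server-side
controls that defeat it.  Added example for this lab page; not code from
OWASP Juice Shop.  The target is a constructed in-memory stand-in, not
the real application."""
import hashlib
import json

# Constructed, shortened stand-in for the password dictionary of step 1.
WORDLIST = ["123456", "password", "qwerty", "letmein",
            "admin123", "hunter2", "iloveyou"]


def _digest(password):
    # sha256 only keeps the stand-in short; a real service must store
    # passwords with a slow, salted hash such as bcrypt, scrypt or Argon2.
    return hashlib.sha256(password.encode()).hexdigest()


class LoginServer:
    """In-memory login endpoint.  max_failures=None reproduces the
    vulnerable behaviour: unlimited guesses, every one answered."""

    def __init__(self, users, max_failures=None):
        self.users = users            # email -> password digest
        self.max_failures = max_failures
        self.failures = {}            # email -> consecutive failed logins

    def login(self, email, password):
        """Return (status, body) the way an HTTP client would see them."""
        if (self.max_failures is not None
                and self.failures.get(email, 0) >= self.max_failures):
            return 429, {"error": "Too many failed logins, try again later."}
        stored = self.users.get(email)
        if stored is not None and stored == _digest(password):
            self.failures[email] = 0
            return 200, {"authentication": {"token": "constructed-token"}}
        self.failures[email] = self.failures.get(email, 0) + 1
        return 401, {"error": "Invalid email or password."}


def _signature(status, body):
    # All a fuzzer has to go on: the status code and the response size.
    return status, len(json.dumps(body, sort_keys=True))


def dictionary_attack(login, email, wordlist):
    """Steps 5-12 as a script: send one deliberately wrong password to get
    the baseline (step 5), replay the request with each dictionary entry
    (steps 8-11), and report every response that differs from the
    baseline (step 12).  Stops at the first 200."""
    baseline = _signature(*login(email, "not-the-password-9f8e7d"))
    hits = []
    for candidate in wordlist:
        status, body = login(email, candidate)
        if _signature(status, body) != baseline:
            hits.append((candidate, status))
            if status == 200:
                break
    return hits


def password_allowed(password, min_length=12, blocklist=frozenset(WORDLIST)):
    """Registration-time check: refuse short or dictionary passwords, so a
    dictionary attack has nothing to find in the first place."""
    return len(password) >= min_length and password.lower() not in blocklist


def run_demo():
    """Run the same attack against an unprotected and a lockout-protected
    server; returns (hits without lockout, hits with lockout)."""
    email = "admin@juice-sh.op"
    secret = "admin123"            # assumed password, stand-in only
    users = {email: _digest(secret)}
    vulnerable = LoginServer(dict(users))
    hardened = LoginServer(dict(users), max_failures=3)
    return (dictionary_attack(vulnerable.login, email, WORDLIST),
            dictionary_attack(hardened.login, email, WORDLIST))


if __name__ == "__main__":
    found, blocked = run_demo()
    print("no lockout :", found)     # the 200 reveals the password
    print("lockout=3  :", blocked)   # only 429s, password never confirmed
```

Against the unprotected server the one response with a different status and size gives the password away, exactly what step 12 looks for in ZAP. With a failure counter the same word list produces nothing but 429s. A hard per-account lockout has its own cost, though: an attacker who only wants to lock the admin out can do so with three wrong guesses, so in practice it is combined with, or replaced by, per-source rate limiting, increasing delays between attempts, a CAPTCHA after a few failures and a second factor. Refusing dictionary passwords at registration, as `password_allowed` does, removes the reason the attack works at all.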

Recommended reading
