Skip to content

Lab 05 Broken Authentication

Jump to bottom
Tomas Rosenqvist edited this page Nov 16, 2018 · 17 revisions

Broken authentication

Challenge "Password strength"

One (naive) way to gain entry to a password-protected system is to simply try all possible password combinations, for example by first trying "a", then "b", and so on until you reach "ZZZZZZZZZZ" or something similar. However, since passwords are often not chosen at random, you can speed up this time-consuming process by making more selective guesses. You can easily find lists of varying length containing the most commonly used passwords. By feeding these to a fuzzer, the fuzzer can try each of them for you.

This lab assumes that the attacker (i.e. you) knows there is an admin account named admin@juice-sh.op, but doesn't know the password for it.

  1. Download the password dictionary to your computer.
  2. Start OWASP ZAP.
  3. Launch Firefox with ZAP as its proxy by selecting Firefox in the dropdown and then clicking the "Launch Browser" button.
  4. Enter your Juice Shop url.
  5. Go to the Login page and attempt to login using admin@juice-sh.op as the username and replaceme as the password.
  6. Check the History tab in ZAP.
  7. Select the most recent HTTP POST request and inspect the request and response.
  8. Right click the POST request and choose Attack -> Fuzz.
  9. In the bottom-left section, you can see the Body of the HTTP POST request you triggered manually.
  10. In the Body, select the string replaceme and then click Add.
  11. Click Add and add a File Fuzzer, using the dictionary you downloaded in step 1 as the source. This means ZAP will repeat the HTTP POST request once for each password from the password dictionary (i.e. 100 times).
  12. Start the Fuzzer and wait a couple of seconds for it to complete.
  13. The fuzzer output pane displays the HTTP status code and response body for each request, along with the password that was used for it.
  14. Check if any of the fuzzed requests generated anything useful.

Questions

  • How could this vulnerability be negated in the application?

Recommended reading

Clone this wiki locally