Cookies are small pieces of data issued by a website to identify the user and maintain the session; the browser stores them in memory or on disk. They are created when you browse a website so that the site can keep track of your movements within it and remember your login. A cookie lets the server store data on the client and retrieve it on later requests, for example a unique identifier the website has assigned to you.
Types: There are two types of cookie:
· Session cookie: a cookie set without an expiry (no Expires or Max-Age attribute). The browser keeps it in memory and discards it when the browser is closed. It is typically issued when you log into the website and is used to identify the authenticated user on subsequent requests.
· Persistent cookie: a cookie with an expiry date. The browser keeps it on disk until that date is reached (or it is deleted), and such cookies are used for "remember me" logins, analytics and other purposes. …
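The distinction above comes down to the attributes on the Set-Cookie header. The following added example (not code from the original post) parses Set-Cookie headers and classifies each cookie as session, persistent or already expired, applying the RFC 6265 rule that Max-Age takes precedence over Expires. The header values and the fixed reference time are constructed for illustration.

```python
"""Classify Set-Cookie headers as session or persistent cookies.

Added example (not from the original post). The cookie names, values and
the fixed reference time NOW are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers, as a browser might receive them.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",
    "remember_me=tok; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/",
    "analytics=xyz; Max-Age=31536000; Expires=Thu, 01 Jan 1970 00:00:00 GMT",
    "stale=1; Max-Age=0",
]

# A fixed reference time so the example behaves the same on every run.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Return (name, value, attributes) for one Set-Cookie header value.

    Attribute names are lower-cased; flag attributes (HttpOnly, Secure) get True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def classify(header, now=NOW):
    """Return ("session", None), ("persistent", expiry) or ("expired", expiry).

    Per RFC 6265, Max-Age takes precedence over Expires when both are present,
    and a Max-Age of zero or less (or an Expires in the past) removes the cookie.
    """
    _, _, attrs = parse_set_cookie(header)
    expiry = None
    if "max-age" in attrs:
        try:
            expiry = now + timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            expiry = None  # a malformed Max-Age is ignored, per the RFC
    if expiry is None and "expires" in attrs:
        try:
            expiry = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            expiry = None
    if expiry is None:
        return "session", None
    if expiry <= now:
        return "expired", expiry
    return "persistent", expiry


def summarize(headers=SAMPLE_HEADERS, now=NOW):
    """Map cookie name -> classification for a list of Set-Cookie headers."""
    return {parse_set_cookie(h)[0]: classify(h, now)[0] for h in headers}


if __name__ == "__main__":
    for name, kind in summarize().items():
        print(f"{name}: {kind}")
```

Note that the third sample cookie is persistent even though its Expires is in the past, because Max-Age wins; tooling that only looks at Expires will misjudge it.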
Before moving further we must be familiar with CSRF. Please check my previous blogs on CSRF.
To protect against CSRF attacks, most applications use an anti-CSRF token with high entropy. Besides the token, some applications validate the Referer header (the header name is spelled "Referer" in HTTP) to confirm that the request originated from their own site.
The Referer header tells the server which page the request came from, i.e. who originated the request. Browsers and privacy proxies may strip it, so an application that relies on it must decide how to treat a missing Referer. …
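The two defences just described, as an added example that is not code from the original post: a per-session anti-CSRF token compared in constant time, and a Referer check that compares the parsed origin rather than looking for a substring. The origin https://bank.example, the session store and the request dictionaries are constructed for illustration.

```python
"""Server-side CSRF defences: a per-session token and Referer validation.

Added example, not code from the original post. The session store, the
allowed origin and the request dicts are constructed for illustration.
"""
import hmac
import secrets
from urllib.parse import urlsplit

ALLOWED_ORIGIN = "https://bank.example"  # assumed origin of the protected site

# Constructed in-memory session store: session id -> anti-CSRF token.
SESSIONS = {}


def issue_csrf_token(session_id):
    """Create a high-entropy token bound to the session (to be embedded in forms)."""
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    SESSIONS[session_id] = token
    return token


def check_csrf_token(session_id, submitted):
    """Constant-time comparison of the submitted token against the session's token."""
    expected = SESSIONS.get(session_id)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def check_referer(referer, allowed_origin=ALLOWED_ORIGIN, allow_missing=False):
    """Accept only a Referer whose scheme and host match the allowed origin.

    Comparing the parsed origin (not a substring) defeats bypasses such as
    https://evil.example/?u=https://bank.example or https://bank.example.evil.example.
    Browsers and proxies may strip the header, so the caller decides whether a
    missing Referer is acceptable (allow_missing); the default is to reject it.
    """
    if not referer:
        return allow_missing
    r = urlsplit(referer)
    a = urlsplit(allowed_origin)
    return (r.scheme, r.netloc.lower()) == (a.scheme, a.netloc.lower())


def handle_transfer(request):
    """Apply both checks to a constructed state-changing POST request."""
    if not check_referer(request["headers"].get("Referer")):
        return 403, "bad referer"
    if not check_csrf_token(request["cookies"].get("sid"), request["form"].get("csrf")):
        return 403, "bad csrf token"
    return 200, f"transferred {request['form']['amount']}"


if __name__ == "__main__":
    token = issue_csrf_token("sid-1")
    legit = {"headers": {"Referer": "https://bank.example/transfer"},
             "cookies": {"sid": "sid-1"},
             "form": {"csrf": token, "amount": "100"}}
    forged = {"headers": {"Referer": "https://evil.example/?u=https://bank.example"},
              "cookies": {"sid": "sid-1"},
              "form": {"amount": "100"}}
    print(handle_transfer(legit))   # (200, 'transferred 100')
    print(handle_transfer(forged))  # (403, 'bad referer')
```

The Referer check is a secondary control: because the header can be absent, the token remains the primary defence, and rejecting missing Referers trades some legitimate traffic for the stricter policy.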
Before moving further to exploitation, we must familiarize ourselves with OAuth. For this, please check my previous blog, i.e.
There is an application that allows users to log in via social media. It uses OAuth to authenticate the user against a social media website.
As I click on "Login with social media," it redirects me to a login page. After I provide the credentials, it redirects back to the website and authentication is successful. I intercept the login request using Burp Suite.
The intercepted OAuth request looks like:
Before moving further, we must be familiar with Active Directory. For this, please check my previous blog.
It gives a description of AD; if you want to know about the authentication methods, go through this blog.
There are three methods to bypass AD authentication; we will discuss them one by one.
As discussed in my previous blog on Kerberos, authentication relies on the user's long-term key, which is derived from the password hash. The domain controller keeps these hashes in its NTDS.dit database, and a domain-joined Windows host caches the keys of logged-on users in LSASS (Local Security Authority Subsystem Service) memory so that it can request new TGTs without prompting for the password again.
So if we can somehow get access to these hashes, we can try to crack them offline (an NT hash can often also be used directly, via pass-the-hash, even when it cannot be cracked). Therefore, our initial aim is to get access to these hashes. …
AD supports multiple authentication methods, but here we will only learn about two: Kerberos and NTLM.
Many protocols used over the internet do not protect the application traffic, so an attacker who can sniff the traffic may capture credentials, and a client-server architecture depends on establishing the identity of its clients. Some applications sit behind a WAF or a network firewall, but those can sometimes be bypassed as well.
Therefore, to address these problems Windows networks use NTLM and Kerberos, which authenticate the client without sending the password itself over the wire.
NTLM was the default authentication protocol in Windows NT 4.0 (Kerberos became the default from Windows 2000 onward). It uses a challenge-response mechanism: the server sends a random challenge and the client answers with a value computed from that challenge and a hash of the user's password. …
For authentication and authorization on the Windows platform, Microsoft provides a directory service known as Active Directory. It is a centralized repository for user credentials.
It is a distributed directory service used for securing, updating, managing and organizing Windows-based computers at very large scale. It divides the whole Windows infrastructure into groups, users and network devices. AD saves data as objects; each object is an individual entity such as a group, device or service.
Example: an organization has 100 employees who belong to different user groups. Using AD, we can apply a policy to each group and have it take effect for all 100 employees in a short span of time. We do not need to configure every computer in the organization; instead we set the policy once in AD and it is applied to every computer in the domain. …
With a real-world example:
WordPress is a free content management system (CMS) used for creating websites and blogs. WordPress is developed in PHP and mostly uses MySQL as its backend database.
WordPress is versatile: we can create many kinds of website with it, such as blogs, e-commerce stores and much more. It uses themes and plugins for different functions, so there is no need to learn coding; you can use plugins and themes to build a fully fledged website.
Benefits: some benefits are mentioned below:
1. Easy installation; it can be installed in a single click. …
OAuth is a way by which users can grant a website access to their information held on another website without sharing their password. OAuth is a standard which governs how an application fetches that information from the other website. The components involved are:
Authorization Server: an application such as Facebook or Google which originally holds your information.
Client Application (the client): any application which wants to fetch your information from the website that originally holds it (i.e. from the authorization server).
Suppose that while applying for a job, a company's website asks you either to log in or to fetch your information from Google or Facebook. Instead of creating an account on the website, you choose to fetch the information from Facebook. You click the "Login with Facebook" button; the application opens a popup window and asks for your Facebook credentials. As soon as you provide them, Facebook asks you to authorize the job company so that it can fetch your information. As soon as you click authorize, Facebook issues a secret access token to the job company, which can use it to fetch your information from Facebook. …
Here we discuss a step-by-step procedure to exploit the machine named "w34kn3ss".
After importing this machine into VirtualBox I ran it using a bridged connection. The information about the machine is given below.
Attacker machine: here I am using a Kali machine as the attacker; its IP address is 192.168.0.180.
To find the target IP address from Kali we use the netdiscover command.
Command: sudo netdiscover
Use: sudo runs the command with superuser rights, and netdiscover is an active/passive ARP-based address-gathering tool.
With a real-world example:
Unvalidated redirects and forwards are possible when a web application accepts untrusted input and uses it as the destination of a redirect or forward without checking it.
In a redirect, the response code is 302 and the response "Location" header is set to the new URL, so the browser can end up on a totally different domain. In a forward, the request stays on the same domain and is handled on the same server, so the application reuses the same request attributes and headers.
This is a website where the URL parameter is redirected to test.com. …
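The redirect described above, as an added example that is not code from the original post: the vulnerable handler copies the parameter straight into the 302 Location header, and the hardened version accepts only same-site paths or absolute URLs to an allow-listed host. The parameter name "next", the fallback path "/" and the use of test.com as the allowed host are assumptions for illustration.

```python
"""Unvalidated redirect versus a hardened redirect-target check.

Added example, not code from the original post. The hostname test.com, the
parameter name "next" and the fallback path are assumed.
"""
from urllib.parse import urlsplit, parse_qs

FALLBACK = "/"
ALLOWED_HOSTS = {"test.com"}  # the site's own host; anything else is rejected


def vulnerable_redirect(url):
    """Before: takes ?next=... and puts it straight into the 302 Location header."""
    target = parse_qs(urlsplit(url).query).get("next", [FALLBACK])[0]
    return 302, {"Location": target}


def is_safe_target(target, allowed_hosts=ALLOWED_HOSTS):
    """Accept a same-site path, or an absolute http(s) URL whose host is allow-listed.

    Rejects the usual bypasses: scheme-relative //evil.com, backslashes that
    browsers treat as slashes (/\\evil.com), embedded control characters,
    userinfo tricks (https://test.com@evil.com) and javascript:/data: URLs.
    """
    if not target or any(ord(ch) < 0x20 or ch == "\\" for ch in target):
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: must be a single-slash path, never //host
        return target.startswith("/") and not target.startswith("//")
    return parts.scheme in ("http", "https") and parts.hostname in allowed_hosts


def safe_redirect(url):
    """After: same 302, but the Location is validated and falls back to a fixed path."""
    target = parse_qs(urlsplit(url).query).get("next", [FALLBACK])[0]
    if not is_safe_target(target):
        target = FALLBACK
    return 302, {"Location": target}


if __name__ == "__main__":
    attack = "https://test.com/login?next=https://evil.com"
    print(vulnerable_redirect(attack))  # (302, {'Location': 'https://evil.com'})
    print(safe_redirect(attack))        # (302, {'Location': '/'})
```

The allow-list is matched on the parsed hostname, not on whether the string contains "test.com", since "https://test.com.evil.com" and "https://evil.com/?x=test.com" both contain it. Where possible, prefer an index into a fixed table of destinations over accepting URLs at all.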