
Cookie:

Cookies are issued by the website to identify the user and maintain the session, and they are stored in your file storage by your browser. Cookies are created when a user browses a website in order to keep track of the user's movements within that website and to remember the login. A cookie allows the server to store and retrieve data from the client, such as a unique ID assigned to the client by the website.

Types: There are two types of cookie:

· Session cookie: It is used to check the authenticity of the user and is only assigned when the user logs into the website.

· Persistent cookie: A persistent cookie remains in the browser’s subfolder for the duration set within the cookie’s file; such cookies can be used for analytics and other purposes. …



Before moving further we must familiarise ourselves with CSRF. Please check my previous blogs on CSRF.

https://gupta-bless.medium.com/exploiting-csrf-as-a-privilege-escalation-vulnerability-58bf0673cb88

https://medium.com/p/csrf-while-creating-group-albums-with-public-rights-ddb7d87e52c8

To protect against CSRF attacks, most applications use CSRF token protection with a token of very high entropy; besides the CSRF token, some applications use referrer header validation to protect against CSRF attacks.

Referrer Header:

While accessing any application, the “referrer header” helps the server recognize where the request is coming from, or who the originator of the request is. …



OAuth/Open Authentication:

Before moving further with exploitation, we must familiarise ourselves with OAuth. For this, please check my previous blog on it.

Working/Exploiting:

There is an application that allows users to log in via social media. It uses OAuth to authenticate the user through a social media website.

As I click on “Login with social media,” it redirects me to a login page. After providing the credentials, it redirects back to the website and authentication is successful; I intercept the login request using Burp Suite.

The intercepted OAuth request looks like the following:



Attacking Active Directory Authentication:

Before moving further, we must familiarise ourselves with Active Directory. For this, please check my previous blog.

It gives a description of AD; if you want to know about the authentication methods, go with this blog.

There are three methods to bypass AD authentication; we will discuss them one by one.

Cached Credentials Storage and Retrieval:

As I already discussed in my previous blog on Kerberos, the organization's hashed credentials are stored somewhere to regenerate the TGT request, or in LSASS (Local Security Authority Subsystem Service).

So if we can somehow get access to these hashes, we can then try to crack them. Therefore, our initial aim is to get access to these hashes. …



Active Directory/AD:

There are multiple authentication methods which AD uses, but here we will only learn about two of them: Kerberos and NTLM.
Many protocols over the internet do not provide security to applications, so an attacker is able to sniff the traffic, and a client-server architecture depends on clients and their identity. Some applications use a WAF or a network firewall to secure the applications behind them, but somehow these can also be bypassed.

Therefore, to overcome these security problems we use NTLM and Kerberos.

NTLM /Windows New Technology LAN Manager:

It is the default authentication protocol in Windows NT 4.0. It uses a challenge-response mechanism for authentication. …



Active Directory/AD:

For authentication and authorization on the Windows platform, Microsoft itself provides a directory service known as Active Directory. It is a centralized repository for user credentials.

It is a directory service, distributed in structure, used for securing, updating, managing and organizing computers based on the Windows OS at very large scale. It divides the whole Windows-based infrastructure into groups, users and network devices. AD saves data as objects; these objects are individual items such as a group, a device or a service.

Example: An organization has 100 employees, and these 100 employees are associated with different user groups. Therefore, by using AD we can apply a policy to the different groups and, in a short span of time, successfully apply the policy for all 100 employees. We do not need to set it up on every computer of the organization; instead we just set it on AD and it is applied to every computer in the organization. …


With a real-world example:


WordPress:

WordPress is a content management system (CMS) that is free and used for creating websites and blogs. WordPress is developed in PHP and mostly uses MySQL as its backend database.

WordPress is versatile: with it we can create multiple websites based on different platforms, such as blogs, e-commerce and much more. It uses themes and plugins for different activities, so there is no need to learn coding; you can use plugins and themes to create a full-fledged website.

Benefits: Some benefits are mentioned below:

1. Easy implementation: we can install it in a single click. …



OAuth/Open authorization:

It is a way by which users can grant access to their information on another website without sharing their password. OAuth is a standard which governs how an application is going to fetch information from another website. There are a few components used in this:

Authorization Server: This may be an application such as Facebook or Google which originally holds your information.

Client Application/Client Resource: Any application which wants to fetch your information from the website which originally holds it (fetching the information from the authorization server).

So let us suppose that while applying for a job at a company, their website asks you to log in or to fetch your information from Google or Facebook. Now, instead of creating an account on the website, you choose to fetch the information from Facebook. You click on the “Login with Facebook” button; the application opens a popup window and asks for your Facebook credentials. As soon as you provide the Facebook credentials, the application asks you to authorize the job company so that it can fetch the information from the website. As soon as you click authorize, Facebook provides a secret access token to the job company, which can use it to fetch your information from Facebook. …



Here we discuss a step-by-step procedure to exploit the machine named “w34kn3ss”.

After importing this machine into VirtualBox, I tried it using a bridged connection. The information about the machine is given below.

Attacker machine: Here I am using a Kali machine as the attacker, and the IP address of the machine is 192.168.0.180.

Finding the IP of Target machine:

To find the target IP address from Kali, we use the “netdiscover” command.

Command: sudo netdiscover

Use: sudo gives us superuser rights to perform commands or tasks, and netdiscover is an active/passive address gathering tool.



With a real-world example:

Open Redirect/URL Redirection:

Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within that untrusted input.

· Redirect and Forward Difference:

In a redirect, the response code is 302 and the response “Location” header is set to the new URL, so in a redirect the domain is totally different. But in a forward the domain is the same, so the application will use the same request attributes and headers.

· Different ways to perform Open Redirect:

https://somewebsite.com/redirect.php?URL=test.com

This is a website where the URL parameter redirects to test.com. …

About

Gupta Bless

Security enthusiast working to secure web for others https://twitter.com/BoredSecEngg
