Exploiting authentication vulnerabilities

Authentication helps ensure that the person accessing a system is really who they’re supposed to be. As such, a system must have a rigid security protocol and well-defined user roles and policies to ensure that the attack surface is minimized, and in the case of a successful attack, the damage is mitigated. Sometimes, cracks may appear, either due to bad design or code or just plain bad luck (if developers are using external libraries and packages), and that’s when adversaries strike.

Let’s look at an example. Using header injection to poison the password reset request, an adversary can bypass authentication by using the password reset link themselves and changing the password to whatever they like. The steps to this approach are as follows:

  1. The adversary goes to the login page and clicks the “Forgot/Reset Password” button.

  2. A prompt pops up asking the adversary to put in an email address. The adversary inputs the email of their target.

  3. The web application sends out a POST request. The attacker captures it and edits it so that the resulting password-reset URL points to their own malicious web application instead.

  4. The adversary resends the POST request, due to which the target receives an email with the malicious URL.

  5. The target clicks on the URL, and the adversary gains the password-reset token since the adversary can note through their web application that they’ve received the token.

  6. The adversary can then use the token themselves to set a password for their target.

Consult the illustration below for a visual representation of the process.

Get hands-on with 1400+ tech skills courses.