Python - Auth Bypass - 1
$ sudo docker pull blabla1337/owasp-skf-lab:auth-bypass-1
$ sudo docker run -ti -p 127.0.0.1:5000:5000 blabla1337/owasp-skf-lab:auth-bypass-1
Now that the app is running let's go hacking!
While most applications require authentication to gain access to private information or to execute tasks, not every authentication method is able to provide adequate security. Negligence, ignorance, or simple understatement of security threats often result in authentication schemes that can be bypassed by simply skipping the log in page and directly calling an internal page that is supposed to be accessed only after authentication has been performed.
In addition, it is often possible to bypass authentication measures by tampering with requests and tricking the application into thinking that the user is already authenticated. This can be accomplished either by modifying the given URL parameter, by manipulating the form, or by counterfeiting sessions.
Obviously, an attacker can tamper with the URL, the form or the session cookie in order to get logged in as a user without knowing the actual credentials.
The goal of this lab is to get logged in as an administrator without knowing his/her credentials
Lets start the application and register a new user
Now that we have valid credentials, we can login:
We can capture the login in the burpsuite proxy and send it to the repeater. We notice that with every login, the session cookie stays the same. It is high likely that this sessionid is related to our user name:
If we quickly google for this sessionid, we find that the sessionID seems to be corresponding to 'user':
We can check try to identify the hash:
it seems to be a sha1...
Ok, let's lookup the hash of 'admin':
Now we can set our sessionID to the sha1 hash of admin:
Click 'proceed' to go to the authenticated section of the application: