In this section, we will discuss about how to check and find broken authentication using IronWASP. For demonstration purpose, we would make use of the demo application which is provided by IronWASP like we had used earlier for learning on how to finding CSRF Vulnerabilities.
Now when you login to the demo application, you would find a series of links which are accessible only if a users is logged into the app. i.e. this set of links are only accessible after valid authentication into the app. Sometimes you may have come across a case were this links may be accessible without valid authentication/login. The reason for this can be during development/coding phase there may have been a case where the programmer may have made a mistake in enforcing the authentication which make the link vulnerable. So here our main job would be to test and find out those link or url which are accessible without valid login.
In general, the links which are present in an application can be manually tested to make sure that they are not vulnerable or broken but doing so would sometimes be time consuming & hectic task at times if the application have a bunch of links. But when it comes to IronWASP, the tool perform this task smoothly by automating the process for testing and validate broken authentication.
To test broken authentication using IronWASP, from IronWASP tool invoke Interactive testing tools menu and select 'Test for Broken Authentication'. This would open up a window as shown below where it would ask to select all logs or customize & include specific logs in your test. In my case, i had selected the host name, All logs for logs and then click on the 'Find Suitable Candidate' button.
Note: Before moving on to test for broken link authentication, our first task that we need to perform is to browse through the demo application (all links/pages) once so that the logs will be automatically generated in log section of IronWASP tools which in turn will help us to perform the broken authentication test easily.
After selecting the desired parameters in the configure phase (for broken authentication), it re-direct to 'Select Candidate' phase where you would view all the log requests/responses that was captured by the tool when you had browsed the application manually. Now here we simply need to customize our settings by selecting/di-selecting the desired methods that we want to include in our test (i.e. if you wish to include only 'GET' method and exclude 'Post' method then select them) and then click on the 'Test selected candidate' button.
On clicking on 'Test selected candidate' button, the tool start testing i.e. it automatically visits each links/pages that we had included in our test and check for broken authentication. Here what IronWASP does is, it visit all the URLs that we have selected from the logs and compares the responses that is generated for the URL/Links when not logged into the app with the responses of the same Link/URL that was captured earlier when we manually visited/accessed logging in to the app. Here it actually checks whether the response of the URL after logging out from the app is same as that off what was generated earlier. And if the responses of both valid & invalid request are same then the tool confirm that the URL/Link is vulnerable thereby highlighting the particular link in 'RED' and that the link is accessible without valid authentication.
You can find the broken links from the percentage of difference in response due to invalid Session ID. In my case as shown in the screenshot below, you can make out that the percentage of difference was "9" means even though i was logged out of the application the server gave a very similar response for the same URl (link) when logged in/out of the app which is incorrect and that the page can be accessed in the browser through the URL/link directly without logging into the app.
To view the valid/invalid responses, move to Invalid/Valid Session Request/Response tab and then click on the render link. This would show both valid & invalid responses which is quiet similar which thereby confirms that the specified URL is vulnerable and can be accessed by any anonymous users directly without valid authentication to the app.
To confirm once whether the URL/Link is vulnerable or not, you can directly access the infected URL in the browser without logging in to the app.
My Learning Material / Reference:
Site Address:
http://ironwasp.org/index.html
http://hack-tools.blackploit.com/2014/04/ironwasp-2014-one-of-worlds-best-web.html
http://securitybyte.org/resources/2011/presentations/ironwasp.pdf
Video Tutorial Link Reference:
Click Here
Now when you login to the demo application, you would find a series of links which are accessible only if a users is logged into the app. i.e. this set of links are only accessible after valid authentication into the app. Sometimes you may have come across a case were this links may be accessible without valid authentication/login. The reason for this can be during development/coding phase there may have been a case where the programmer may have made a mistake in enforcing the authentication which make the link vulnerable. So here our main job would be to test and find out those link or url which are accessible without valid login.
In general, the links which are present in an application can be manually tested to make sure that they are not vulnerable or broken but doing so would sometimes be time consuming & hectic task at times if the application have a bunch of links. But when it comes to IronWASP, the tool perform this task smoothly by automating the process for testing and validate broken authentication.
To test broken authentication using IronWASP, from IronWASP tool invoke Interactive testing tools menu and select 'Test for Broken Authentication'. This would open up a window as shown below where it would ask to select all logs or customize & include specific logs in your test. In my case, i had selected the host name, All logs for logs and then click on the 'Find Suitable Candidate' button.
Note: Before moving on to test for broken link authentication, our first task that we need to perform is to browse through the demo application (all links/pages) once so that the logs will be automatically generated in log section of IronWASP tools which in turn will help us to perform the broken authentication test easily.
After selecting the desired parameters in the configure phase (for broken authentication), it re-direct to 'Select Candidate' phase where you would view all the log requests/responses that was captured by the tool when you had browsed the application manually. Now here we simply need to customize our settings by selecting/di-selecting the desired methods that we want to include in our test (i.e. if you wish to include only 'GET' method and exclude 'Post' method then select them) and then click on the 'Test selected candidate' button.
On clicking on 'Test selected candidate' button, the tool start testing i.e. it automatically visits each links/pages that we had included in our test and check for broken authentication. Here what IronWASP does is, it visit all the URLs that we have selected from the logs and compares the responses that is generated for the URL/Links when not logged into the app with the responses of the same Link/URL that was captured earlier when we manually visited/accessed logging in to the app. Here it actually checks whether the response of the URL after logging out from the app is same as that off what was generated earlier. And if the responses of both valid & invalid request are same then the tool confirm that the URL/Link is vulnerable thereby highlighting the particular link in 'RED' and that the link is accessible without valid authentication.
You can find the broken links from the percentage of difference in response due to invalid Session ID. In my case as shown in the screenshot below, you can make out that the percentage of difference was "9" means even though i was logged out of the application the server gave a very similar response for the same URl (link) when logged in/out of the app which is incorrect and that the page can be accessed in the browser through the URL/link directly without logging into the app.
To view the valid/invalid responses, move to Invalid/Valid Session Request/Response tab and then click on the render link. This would show both valid & invalid responses which is quiet similar which thereby confirms that the specified URL is vulnerable and can be accessed by any anonymous users directly without valid authentication to the app.
To confirm once whether the URL/Link is vulnerable or not, you can directly access the infected URL in the browser without logging in to the app.
My Learning Material / Reference:
Site Address:
http://ironwasp.org/index.html
http://hack-tools.blackploit.com/2014/04/ironwasp-2014-one-of-worlds-best-web.html
http://securitybyte.org/resources/2011/presentations/ironwasp.pdf
Video Tutorial Link Reference:
Click Here
