Ethical Hacking and Penetration Testing Guide

Real-World Example
The same security researcher, Ajay, managed to bypass CAPTCHA and the other restrictions on etsy.com a second time simply by changing the user-agent to that of a Galaxy ACE S5830 handset:
“Mozilla/5.0 (Linux; U; Android 2.3.6; en-gb; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1”
After he changed the user-agent there was no CAPTCHA, no account lockout and no IP-based restriction, even though etsy.com had implemented all of these to protect against brute force attacks. This simply means that an attacker could write a script that sends this user-agent and bypasses all of the restrictions.
The screenshot shows the Burp Intruder attack run by the researcher: after changing the user-agent he was able to guess the correct password on the 228th attempt. We can see the change in the content length at the 228th guess.
Authentication Bypass Attacks
Now that we have talked about brute force/dictionary attacks and the various methods of bypassing CAPTCHA and account lockout protection, we will move on to more interesting attacks that bypass the authentication mechanism entirely.
Authentication Bypass Using SQL Injection
SQL injection is one of the first methods that you should test a log-in form against; the vulnerability occurs due to a lack of input validation/filtering. The attacker’s input becomes part of the SQL query, which allows the attacker to do many things, such as retrieving data or reading system files such as /etc/passwd; however, here our only focus is using SQL injection to bypass the authentication mechanism.
Let’s take a look at a potentially vulnerable code that would result in an SQL injection:
Code
<?php
$query = "SELECT * FROM users WHERE username='" . $_POST['username'] . "' AND password='" . $_POST['password'] . "'"; // user input is concatenated straight into the query
$response = mysql_query($query); // the query is executed without any validation or escaping
?>
As we can see, line 2 accepts two user inputs: a username and a password. The username and password are taken from the user and, without any validation, inserted into an SQL query that is later executed. The username and password are then compared with the database to see if they match; if they do, the user is authenticated, and if not, an error is shown.
This is how the query would be executed:
SELECT * FROM users WHERE username = 'administrator' AND password = 'mypass'
This query would retrieve the details of username “administrator” with the password “mypass” 
from the table users.
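To make the point concrete, here is an added example (not code from the book) that rebuilds the vulnerable login check above in Python against a constructed in-memory SQLite table, and places the parameterised fix beside it. The table name, the "administrator"/"mypass" row and the plaintext password storage are taken from the page; the tautology payload is the textbook one, used here only to show that the fixed version rejects it.

```python
import sqlite3

# Constructed stand-in for the book's "users" table (plaintext password kept
# to match the page's example; real systems store a salted hash).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('administrator', 'mypass')")
conn.commit()


def login_vulnerable(username: str, password: str) -> bool:
    """Mirrors the PHP snippet: user input is concatenated into the query."""
    query = ("SELECT * FROM users WHERE username='" + username +
             "' AND password='" + password + "'")
    # Anything the user types, quotes included, becomes part of the SQL.
    return conn.execute(query).fetchone() is not None


def login_fixed(username: str, password: str) -> bool:
    """Parameterised query: values travel separately from the SQL text, so a
    quote in the input cannot change the structure of the statement."""
    query = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


# The textbook tautology: inside the concatenated query it rewrites the
# WHERE clause to a condition that is always true.
TAUTOLOGY = "' OR '1'='1"


def built_query(username: str, password: str) -> str:
    """Shows what the vulnerable code actually sends to the database."""
    return ("SELECT * FROM users WHERE username='" + username +
            "' AND password='" + password + "'")


if __name__ == "__main__":
    print(login_vulnerable("administrator", "mypass"))  # True (valid login)
    print(built_query(TAUTOLOGY, TAUTOLOGY))
    print(login_vulnerable(TAUTOLOGY, TAUTOLOGY))       # True: no credentials
    print(login_fixed(TAUTOLOGY, TAUTOLOGY))            # False: fix holds
```

The `built_query` output is the thing to log and inspect when hunting this bug in a code review: if the quotes in the input appear as SQL syntax rather than as data, the form is injectable.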