Broken Authentication
SAML Auth Bypass
Workflow
Tamper Username/Email
A weak SAML implementation that does not validate the assertion's signature lets an attacker change the username or email in the assertion and access another user's account.
Comment Injection
An XML canonicalization transform is applied while signing the XML document so that logically equivalent documents produce the identical signature (the same content in a different layout still has the same meaning).
The canonicalization engine ignores comments and whitespace while creating the signature.
An XML parser will split the value below into three nodes:
text: notsosecure
comment: <!-- this is a comment -->
text: user@webhacklab.com
Some XML parsers return only the last text node, so the application sees user@webhacklab.com while the signature (computed over the canonical form, with the comment removed) still validates, which might allow you to log in as user@webhacklab.com.
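The following added example (not from the original page) shows both halves of the comment-injection problem with Python's standard library: the canonical form of the value with the comment equals the canonical form of the value without it, so a signature over the canonical form does not change, while a naive "last text node" extraction reads a different identity than the one that was signed. The element name NameID, the HMAC standing in for the IdP's RSA signature, and the key are assumptions made for the demo.

```python
import hashlib
import hmac
import xml.dom.minidom
import xml.etree.ElementTree as ET

# Constructed inputs. The text values are the page's own example; the element name
# NameID is assumed (it is where a SAML assertion carries the subject identifier).
CLEAN = "<NameID>user@webhacklab.com</NameID>"
WITH_COMMENT = "<NameID>notsosecure<!-- this is a comment -->user@webhacklab.com</NameID>"
SIGNED_AS = "<NameID>notsosecureuser@webhacklab.com</NameID>"
SIGNING_KEY = b"constructed-demo-key"  # constructed; stands in for the IdP signing key


def canonical(xml_text):
    # Canonical XML without comments, as the C14N transform used in XML-DSig produces
    # it (xml.etree.ElementTree.canonicalize, Python 3.8+; with_comments=False is the default).
    return ET.canonicalize(xml_data=xml_text, with_comments=False)


def toy_signature(xml_text):
    # HMAC over the canonical form stands in for the real signature; what matters is that
    # it is computed over the canonical bytes, not over the bytes the parser later sees.
    return hmac.new(SIGNING_KEY, canonical(xml_text).encode(), hashlib.sha256).hexdigest()


def _children(xml_text):
    return xml.dom.minidom.parseString(xml_text).documentElement.childNodes


def name_id_last_text_node(xml_text):
    # The weak extraction the page describes: only the last text node is returned.
    texts = [n.data for n in _children(xml_text) if n.nodeType == n.TEXT_NODE]
    return texts[-1]


def name_id_full_text(xml_text):
    # Safer extraction: concatenate every text node, which matches the canonical
    # (signed) content even when a comment splits the value.
    return "".join(n.data for n in _children(xml_text) if n.nodeType == n.TEXT_NODE)


def contains_comment(xml_text):
    # A service provider can simply refuse subject identifiers that contain comments.
    return any(n.nodeType == n.COMMENT_NODE for n in _children(xml_text))


if __name__ == "__main__":
    print("canonical form:", canonical(WITH_COMMENT))
    print("same signature as", SIGNED_AS, "->", toy_signature(WITH_COMMENT) == toy_signature(SIGNED_AS))
    print("last text node :", name_id_last_text_node(WITH_COMMENT))
    print("full text      :", name_id_full_text(WITH_COMMENT))
    print("has comment    :", contains_comment(WITH_COMMENT))
```

The fix on the service-provider side is either to take the identity from the same canonical bytes the signature covered (the `name_id_full_text` path) or to reject any subject value that contains a comment node.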
.Net Machine Key Auth Bypass
The Machine Key is used to encrypt and decrypt forms authentication data, cookie data and view-state data, and to identify out-of-process session state.
It is configured in the web.config file.
The following are encrypted and/or signed with the Machine Key:
Authentication tokens
Forms(ASPXAUTH)
OWIN - OAUTH Token
ASP.NET Cookie (.AspNet.ApplicationCookie)
Webresource.axd & Scriptresource.axd
VIEWSTATE
CSRF Token
Password Reset Token
Role Cookie
Membership Passwords etc.
Testing for Leaked Machine Keys
Copy the 'ASPXAUTH' cookie value and test it with AspDotNetWrapper.exe to see whether it decrypts under a known (leaked or publicly posted) Machine Key.
Exploitation
Enumerate valid usernames.
Encrypt a new cookie with the privileged username.
Replace the 'ASPXAUTH' cookie during login, leading to an authentication bypass.
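Because every token in the list above is only as strong as the Machine Key in web.config, the check a defender wants is an audit of that element. The following added example (not from the original page) parses a constructed web.config and flags legacy algorithms, explicit static keys, keys shorter than the lengths this check assumes (128 hex characters for an HMACSHA256 validationKey, 64 for an AES decryptionKey), and keys that appear in a list of publicly posted values. The sample keys and the "known public" list are placeholders constructed for the demo; the attribute names and algorithm values are the real machineKey ones.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments; the hex strings are placeholders, not real keys.
WEAK_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF01234567"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>"""

GOOD_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="%s" decryptionKey="%s"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>""" % ("AB" * 64, "CD" * 32)

LEGACY_VALIDATION = {"MD5", "SHA1", "3DES"}
LEGACY_DECRYPTION = {"DES", "3DES"}
# Placeholder list: in practice populate it with keys you have seen in public sample
# configs, blog posts and forum answers. The weak sample's key is listed so the demo matches.
KNOWN_PUBLIC_VALIDATION_KEYS = {"0123456789ABCDEF0123456789ABCDEF01234567"}
MIN_VALIDATION_HEX = 128  # 64-byte key for HMACSHA256 (length assumed by this check)
MIN_DECRYPTION_HEX = 64   # 32-byte key for AES-256 (length assumed by this check)


def _is_auto(value):
    return value.upper().startswith("AUTOGENERATE")


def audit_machine_key(config_xml):
    """Return a list of (code, message) findings for the <machineKey> element."""
    root = ET.fromstring(config_xml)
    mk = next(root.iter("machineKey"), None)
    findings = []
    if mk is None:
        findings.append(("no-machine-key",
                         "keys are auto-generated per server; fine for one box, tokens will not "
                         "validate across a web farm"))
        return findings
    validation = mk.get("validation", "HMACSHA256")  # ASP.NET 4.x default
    decryption = mk.get("decryption", "Auto")
    vkey = mk.get("validationKey", "AutoGenerate")
    dkey = mk.get("decryptionKey", "AutoGenerate")
    if validation.upper() in LEGACY_VALIDATION:
        findings.append(("legacy-validation", "validation=%s; use HMACSHA256 or stronger" % validation))
    if decryption.upper() in LEGACY_DECRYPTION:
        findings.append(("legacy-decryption", "decryption=%s; use AES" % decryption))
    if not _is_auto(vkey) or not _is_auto(dkey):
        findings.append(("static-keys",
                         "explicit keys in web.config: anyone holding this file can forge ASPXAUTH, "
                         "ViewState and the other Machine Key protected tokens; handle and rotate "
                         "it like a credential"))
    if vkey.upper() in KNOWN_PUBLIC_VALIDATION_KEYS:
        findings.append(("known-public-key", "validationKey matches a publicly posted key; rotate it now"))
    if not _is_auto(vkey) and len(vkey) < MIN_VALIDATION_HEX:
        findings.append(("short-validation-key", "validationKey is %d hex chars" % len(vkey)))
    if not _is_auto(dkey) and len(dkey) < MIN_DECRYPTION_HEX:
        findings.append(("short-decryption-key", "decryptionKey is %d hex chars" % len(dkey)))
    return findings


def finding_codes(config_xml):
    return [code for code, _ in audit_machine_key(config_xml)]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("good", GOOD_CONFIG)):
        print(name)
        for code, message in audit_machine_key(cfg):
            print("  [%s] %s" % (code, message))
```

A config with explicit, correctly sized keys still produces the `static-keys` finding on purpose: static keys are necessary for web farms, but the file that holds them has to be treated as a secret, which is the whole premise of the leaked-key test above.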
Weak Encryption
Electronic Codebook [ECB]
ECB is an encryption mode in which the message is split into fixed-length blocks of X bytes and each block is encrypted independently with the same key, so identical plaintext blocks produce identical ciphertext blocks.
Using ECB has multiple security implications:
Blocks of the encrypted message can be removed without disturbing the decryption of the remaining blocks.
Blocks of the encrypted message can be moved around without disturbing the decryption process.
Vulnerability
The application relies only on ECB encryption of the cookie for integrity.
Encryption provides confidentiality.
A signature (or MAC) provides integrity.
ECB mode allows an attacker to tamper with the encrypted data without decrypting it.
Exploitation
Assumptions:
The web app does not validate the 'password' part of the cookie.
The cookie value for user X is not randomized on each successful login.
URL-decode, then Base64-decode the cookie, and check whether hex byte sequences repeat.
If they do, identify the block size by creating a user/password consisting of a long run of the same character, e.g. 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'. If the hex values repeat every 8 bytes, the block size is 8 bytes.
Assuming a block size of 8 bytes, create a user 'aaaaaaaaadmin'. Decode the cookie, delete its first 8 bytes and Base64-encode the result. Replay this cookie with requests to impersonate the user 'admin'.
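The procedure above, reproduced end to end as an added example (not from the original page) against a constructed cookie scheme, next to the fix a developer should apply. A small 8-byte Feistel cipher keyed with SHA-256 stands in for the real block cipher (the ECB properties do not depend on which cipher is used); the cookie layout `user:password`, the keys, and the PKCS#7 padding are assumptions made for the demo. Dropping the first block turns a cookie for 'aaaaaaaaadmin' into one the weak parser reads as 'admin', while the encrypt-then-MAC variant rejects the same edited cookie.

```python
import base64
import hashlib
import hmac

BLOCK = 8                           # block size in bytes, matching the page's example
ENC_KEY = b"constructed-demo-key"   # constructed keys for the demo, not real secrets
MAC_KEY = b"constructed-mac-key"


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    # Keyed round function of a 4-round Feistel toy cipher (stand-in for AES/3DES).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]


def block_encrypt(key, block):
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key, block):
    l, r = block[:4], block[4:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def pad(data):  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def ecb_encrypt(key, plaintext):
    data = pad(plaintext)
    return b"".join(block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def ecb_decrypt(key, ciphertext):
    data = b"".join(block_decrypt(key, ciphertext[i:i + BLOCK]) for i in range(0, len(ciphertext), BLOCK))
    return unpad(data)


# --- weak scheme: cookie = base64(ECB(user:password)); integrity assumed from encryption ---
def make_cookie(username, password):
    return base64.urlsafe_b64encode(ecb_encrypt(ENC_KEY, ("%s:%s" % (username, password)).encode())).decode()


def user_from_cookie_insecure(cookie):
    # Page assumption: the app trusts the username and never re-checks the password part.
    plaintext = ecb_decrypt(ENC_KEY, base64.urlsafe_b64decode(cookie))
    return plaintext.split(b":", 1)[0].decode()


def find_block_size(cookie):
    # Page steps 1-2: after decoding, a run of identical plaintext bytes shows up as a
    # repeated ciphertext chunk; the length of the repeating chunk is the block size.
    raw = base64.urlsafe_b64decode(cookie)
    for size in (4, 8, 16, 32):
        chunks = [raw[i:i + size] for i in range(0, len(raw), size)]
        if any(a == b for a, b in zip(chunks, chunks[1:])):
            return size
    return None


def drop_leading_block(cookie, size):
    raw = base64.urlsafe_b64decode(cookie)
    return base64.urlsafe_b64encode(raw[size:]).decode()


# --- fix: authenticate the ciphertext (encrypt-then-MAC) so any block edit is rejected ---
def make_cookie_mac(username, password):
    ct = ecb_encrypt(ENC_KEY, ("%s:%s" % (username, password)).encode())
    tag = hmac.new(MAC_KEY, ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(ct + tag).decode()


def user_from_cookie_mac(cookie):
    raw = base64.urlsafe_b64decode(cookie)
    ct, tag = raw[:-32], raw[-32:]
    if not hmac.compare_digest(hmac.new(MAC_KEY, ct, hashlib.sha256).digest(), tag):
        return None  # tampered or truncated cookie: reject before decrypting
    return ecb_decrypt(ENC_KEY, ct).split(b":", 1)[0].decode()


if __name__ == "__main__":
    probe = make_cookie("a" * 36, "secret")
    print("decoded probe cookie (hex):", base64.urlsafe_b64decode(probe).hex())
    size = find_block_size(probe)
    print("block size:", size)
    cookie = make_cookie("a" * size + "admin", "secret")
    print("weak scheme sees:", user_from_cookie_insecure(drop_leading_block(cookie, size)))
    print("MAC scheme sees :", user_from_cookie_mac(drop_leading_block(make_cookie_mac("a" * size + "admin", "secret"), size)))
```

Randomising the cookie per login (the page's second assumption) only hides the repetition; the structural fix is the MAC, or an authenticated mode such as AES-GCM in place of ECB altogether.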