Broken Authentication
Start course

This course focuses on API Security and explains the kinds of vulnerabilities that we can find inside APIs, how to exploit them, and how to secure them as well. These skills will allow you to obtain bug bounties from vulnerabilities and also protect your own APIs as well.


Hi, within this lecture, we're going to solve the second challenge in our API. So, I'm going to close down all these tabs. Okay, so far, we have solved only the first one. Now, we are down to the second one. So, in the second one, we have a new challenge called broken authentication and we have two endpoints over here, one of them is POST. So, we're logging in I believe and it will ask us for an email and password and then we can get something which is the user details. So, when we get something, we need to give an authorization token and we get that authorization token by simply logging in. So, let's see the challenge over here because there is no additional information over there. So, I'm going to into the Postman and just go to the User Login.

Okay, so right now, I'm inside of my Postman. Of course, I'm using the same old collection that we have been using so far and if we click on the 'User Login', then we can see the headers and I believe we don't need to change any headers right now and for the Body, it will ask for an email and password and there is a Test as well. Once we log in, again it will give us some kind of authentication token and it will save that token inside of the get request. Okay, it does not say it right now, it says unresolved variable as we expect and there is nobody in the get request. So, if we can log in, then we can get the details if we can get the user details. Okay, that's simple. So, let's look for hints. It says that we don't have to seem the credentials for this. How do we log in? That's a good question. So, there is something in the resources folder. Okay, so we have another supportive instrument over here. I'm going to go into the resources folder and here you go. In the API2, we have something called creds.csv. So, this is credentials I believe. So, let me open it and see what it is. Okay. So, if you excel on your computer, then it's great and open it and just see what's inside of it. So here you go, as you can see we have some kind of email and password combinations over here. So, brown grimes and it goes up to 1000 users and passwords. So okay, we're going to try them but I believe the scenario here is that there is a leak like that. So, we're just trying to log in with any of this. So, I grabbed the first one. I just pasted the email from here and I'm going to and get the password as well. So, let's get the password for this brown. So, I'm going to copy this, get back to the Postman and just paste the password.

I'm going to send this request and see what happens. Here you go, we are not successful. For the success, we get a false and because of this user name or password incorrect. Okay. So, what we need to do? We need to try 1000 users and passwords obviously. Okay so, one of them should be working and the scenario over here is that we found a data leak on the internet, on the dark web on some forums and we are trying to see if we can log into the system with one of those Credentials. Right? Of course, we can try one by one but it will take a lot of time. So, we need to find a way to brute force. We need to find a way to try them automatically. There is there isn't any way to do that with the Postman because this is not a penetration testing tool but of course, there is a way to do this with Burp Suite. So, we need to find a way to connect Postman with the Burp Suite.

Okay, so all you need to do is just open the Burp Suite and make sure you have this proxy that we have given before port 8080 and we're going to give the exact same number, exact same proxy to the Postman. In order to do that, we need to find the proxy settings of the Postman. So over here, we have the Capture requests and cookies that is not what we are looking for I believe. Let me see what was this. Yeah, here we go. This is to capture the request in the Postman. This is not what we're looking for. We need to capture the request in Burp Suite. We have Postman. So, I'm going to the settings and I'm going to just open the settings and let's see, here we go. We have the Proxy tab over here. So, inside of the proxy tab, you can find this 'Add a custom proxy configuration' and make sure you choose HTTP and HTTPS as well. So, for the proxy server I'm going to give and for the ports, make sure you give the exact same port you have given inside of the Burp Suite.

So, remember this was the credential that we have given, local host and port 8080. So, if this was a broader, then we will just open the proxy or just change the proxy settings. This is exactly what we're doing over here. Right? So, we are giving the same proxy to the Postman and Burp Suite as well. So let's try it. I'm just going to come over here and turn the intercept on. Let's see the options are the same as you can see. Now, Intercept is on. Now, I'm going to try to send this one more time and here you go, it's not going through because we captured it in the Burp Suite. Here you go. That's great. Now, we have the request over here. Now, let me try to find the font settings of the Burp Suite because it's a little bit small right now. So, I believe it's inside of the preferences or maybe we can come over here to User options and Display. Yeah, here you go. Of course, you can do that if you want but if you don't want you can just leave it on.

So, I'm going to change this to be 16. And I believe that's not the thing that we're looking for because it's not bigger right now. So, I'm going to go back. And here you go. This is the one that I'm looking for. I'm going to make this something like 17 or 18. Let's go back and change this to 15. And here we go. Now, it's much better. As you can see, this is the request that we are trying to send. If I look over here I can see the POST. So, it's going to log in and if I forward this this will just go through but I don't want that. What I want to do is to change this email and password repeatedly so that I can try to see which credential works. So for right now, I have this packet. If I forward this packet by clicking on this left button on the top side. Okay, this one. It will just forward this to the server. If I drop this, it won't get to the server. If I turn the intercept off, it will just go to the server but I don't want to do that. I want to change this email. How do I do that? I can right click and just send this to the Intruder or Repeater. For right now, I'm just going to go to the Repeater because I want to show you something. I can come to the repeater and just send this request as many as I want and I can change the email and password from here. Okay. As you can see, this is still in the Proxy section. But in the Repeater I can just try this one by one by changing the email and password. And if I get the success response, then it's okay but of course, that is not what I want to do. Right? So, if I copy this and paste this over here, let me show you this actually works. I'm just going to copy the password as well, paste this over here and 'Send' this request and here you go. Again, we get the false as a success. So, it's not successful. So, this is a way but of course, it doesn't make sense because it will just take as many time as we would have by just changing the email and password in the original request. Right? So, there is another module inside of the Burp Suite called Intruder. If I send this to the Intruder by right clicking, now I can actually brute force. So, the first thing on the intruder is the target. So, host import should be, by default, correct? Okay, this is the IP address and this is the port the http port. What we're interested in is the Positions. So, if you go to Positions as you can see email and password are highlighted. So, Burp Suite understood that we're going to brute force this email and password. If we want to change the parameters that we are going to be brute forcing, of course we can do that. We can just come over here and select 'Clear'. It will it will clear all the selections and then we can add some new parameters again. Okay, that is a possibility. But in this case, email and password are highlighted for me. So, it means that we are good to go. What we're going to do? We're going to give some values to replace the email and password automatically. In order to do that, I am going to change the attack type. So far we have sniper over here and sniper is good for one parameter only. Pitchfork is actually good for two parameters so that we can change the email and the password. And there is some other options like battering ram,  we're going to see them later on. Right now I have chosen pitchfork. And in the payload section, we're going to give the values that we want to try. As you can see in the payload options it asks for a list and we can just copy and paste the list or we can just insert them one by one, whatever you want to do. However, of course, we're just going to copy and paste them. So, let me try to delete the hyperlink from here. Here you go. Right now as you can see we have the user name and password on the same section. But over here we have to give the first and second list one by one because we're going to be using first list for the email and second list for the password. We can just select the first list and second list from here. For the first list, we're going to copy and paste the emails and for the second list we're just going to copy and paste all the passwords. So, I am going to be using something called text to columns. So, go to the data and use text to columns. So, maybe you know how to use the Excel, maybe not. I am just going to go for the delimiter and choose the comma. So, what it does that it actually finds everything splitting with comma and just split it into two columns. Everything separated with a comma and they split it into two columns. Right now I have one column as user names and other columns for passwords. So, I can just paste the user names over here and choose the second list, and just select copy and paste the password here. As you see right now, I have the first list and the second list as well. So, we have chosen the pitchfork. What pitchfork will do is to choose the first list for the first parameter and the second list for the second parameter. As we start the attack, you can see it's working. So, for the first payload, we can see emails coming in. For the second payload we can see the passwords coming in. That is very good. But right now we're going to have to wait a little bit. Because we are using the Community Edition which is the free version of the Burp Suite. And in the free version it actually throttles us. It actually speeds down things. So, if you pay for it then it's going to be very fast, but if you don't pay for it you're going to have to wait. And it can take like an hour or maybe two hours. I don't know. It's going to take a lot of time. Trust me. So, as you can see, if you click on any of these trials, you can see the response from here. And also you can see the state's numbers which is 401 right now. If you get something like 200, then it's okay; 200 means that everything is okay. If you get 500 for example, it's called internal server error. If we get a 404 it means that it couldn't find the thing that we are looking for. Right now we're getting the response but it's not a success. So, we can filter the status out once it's done obviously and we can just select the 200 and see the working credentials. In order to do that, I am going to pause the video and once it's done or once I see the 200, I will come back and I will actually show you the results. Don't worry about it. So, here you go. Now it's done for me. Obviously I have paused the video and now I am resuming it. I found that in the 455 trial. Since we are using the same credentials, it's going to be the same for you I believe. But if you just ordered this by status, you can see this status is 200 and if you double click on it you can see the request. So, this is savannah, savannah user is the thing that we are looking for and we can see the success and also token as well. So, what we need to do, we need to first start this. So, I am going to send this to repeater by right clicking it. So, I am going to go back to the intruder and I am just going to stop this. If you click on this, it will ask if you want to continue in the background. I am just going to discard it because I don't want to continue, I already found what I am looking for. So, I am going to open the Burp Suite one more time. Go to repeater. By the way, before going into the repeater you may want to uncheck this URL-encode these characters for both lists, if you encountered any problem. So, that maybe the problem for you. But right now, I am just going to send this request and see the token one more time. And by the way you don't need to wait until your brute force has been finished or something like that. You can just use this email and password. If you understood what's going on then it's okay. So, I am going to turn the intercept off and go back to the Postman and just use that information. I am going to go to the repeater. We can just use this email and password or we can just grab the token and set it as a variable inside of the Postman. But I am just going to go for this. I am going to copy this and paste over here. And then I am just going to send this. And here we go. Again we get the success true and we get the token. Right now this token should have been set as a variable inside of the Postman. If not, you can just copy it from here and give it to the Get details and point over here as a header. So, you can just copy this from here or from the Burp Suite like this, and come over there and just give it as the authorization token over here, delete this variable and just paste it. That will be okay. So, right now, I have this. So, what I want to do, I  am just going to come over here and just send this request because there's nothing inside of the body. And once I send it, as you can see we get something back like this. So, we get some ids, we get some tokens and addresses and stuff, and here you go. So, we have all of those things. And I believe inside of this we have a flag. Here you go. We have a flag. That means that we have solve this challenge. And the challenge over here, the vulnerability over here, is that they do not have rate limiting. They do not have rate limiting so that we found some data leak from the Internet, from the dark web or somewhere. We tried every credential with the help of Burp Suite and paid off. We found a credential that is working. If they had implemented at a rate limit, maybe after fifth trial or sixth trial, then it would have stopped us, but they didn't, and we managed to get something. So, I am going to turn off the proxy before I forget it. And I am going to stop here and continue within the next lecture for the challenge three.


About the Author
Learning Paths

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.