hacking, owasp, web application security

The BodgeIT Store Series #5, Login as a Different User?! – #bodgeit #infosec #sqli #pentest #appsec #webapp

Happy hacking!

Today’s blog post is #5 in the BodgeIt Store series.

To view blog post #4, click HERE.

The challenges we’re going to solve are the following:

  1. Log into the application as test@bodgeitstore.com
  2. Log into the application as user1@bodgeitstore.com
  3. Log into the application as admin@bodgeitstore.com

Let’s begin.

Going to the application let’s go to the login page – screenshot:

bodgeit_login1

Reviewing the objectives we have the username (email), but we don’t have the password… Meaning we can’t log into the application… well let’s see.

We already know the application is buggy (our favorite!) so it will not be hard to deduce that the application is not sanitizing our input. Meaning we can append certain characters in the username box and bypass entering a password to log into the application.

What possibly are these characters?

We know that for a valid login there has to be an back-end database that is used to test the username and password. We have the username, but what if we trick the database with a true statement and allow us to log into the application without entering a password.

The topic that I am talking about is SQL Injection. Doing a Google search you will see there are plenty websites dedicated to this topic.

Let’s imagine that the back-end database is the following:

SELECT valid_login FROM customers WHERE username=uname AND password=passwd;

Note: valid_login will return a boolean (TRUE/FALSE)

The username is the email that we have plus the appended characters –> test@bodgeitstore.com’ OR ‘1’=’1

Password is going to be blank.

So the above line will be:

SELECT valid_login FROM customers WHERE username=’test@bodgeitstore.com’ OR ‘1’=’1 AND password=<blank>;

The password is going to be blank.

Let’s break down the above statement

We’re closing the test@bodgeitstore.com expression, and then we’re going to include a new expression using the OR statement. The next expression is 1=1 which will ALWAYS evaluate to true (1 does equal 1).

 

Try it in the application and see what happens.

First, let’s configure our browser to listen through our Burp proxy.

Going to the login page, let’s add the username of test@bodgeitstore.com’ OR ‘1’=’1′, with no password, and press the Login button.

See screenshots:

bodgeit_login1

burp_login_test

burp_login_test_successful

We’ve successfully logged in without a valid password!

Let’s see if we can do this with the second username: user1@bodgeitstore.com

bodgeit_login2

burp_login_user1

burp_login_user1_successful

We were able to log into the application as user1, without supplying a valid password!

Let’s try username: admin@thebodgeitstore.com

Going back to the login page, let’s enter the username as admin@thebodgeitstore.com without supplying a password.

bodgeit_login3

burp_login_admin

burp_login_admin_successful

We were able to log into the application as an admin without supplying a valid password.

Hmm… we see with the admin login we have a new link – Comments. We’ll come back to this in another post.

Going back to the scoreboard we see:

bodgeit_scoring_6

All of the login challenges are now complete (green)!