[Penetration Testing] Web-side techniques: front-end exploitation

Table of contents

Front end
  Common issues
  About password reset
JWT attacks
  JWT introduction
  Tool usage
Learning sources


Front end

Common issues

Arbitrary user registration
Unauthorized access: opening the corresponding link directly grants system privileges
Brute-forcing user names
Brute-forcing user name and password
User name injection
Universal ("master") password
User name XSS
Modifying the response packet to log in to other accounts
Modifying parameters in the cookie, such as user or adminid, to reach the admin background
Changing the login parameters into registration parameters: /reg, /register, /sign, etc.

After the verification code is sent, it is echoed in the response packet.
If the login fails, the response packet is modified, for example "false" changed to "true" or the response value "0" changed to "1", and the background is entered. Where these situations exist, the front-end JS and HTML can usually also reveal directly the various unauthorized-access interfaces of the back end.
JS and HTML that carry comments containing user names, passwords and similar information.
Based on the system in use, look up the default account and password for that system and log in.
Some systems allow empty passwords: leave the password blank, or capture the packet and send the password blank.
If there is an information leak, the corresponding password may be found in a social engineering database.
The page has no registration function, but the hidden registration interface can be found through JS or HTML and used to register and log in.
The verification code is not properly bound: delete the verification-code parameter, or send it empty, and registration succeeds.
The verification code is not bound at all: a code is sent, but the back end accepts any code, which allows registration, brute forcing, password reset and so on.

Social engineering dictionary password generator: GitHub - zgjx6/SocialEngineeringDictionaryGenerator: Social Engineering Password Generator, a tool that uses personal information to generate passwords (HTML-based)

GitHub - Mebus/cupp: Common User Passwords Profiler (CUPP) (Linux tool)

About password reset

The verification code does not expire: brute-force the verification code.

Reset an account without sending a verification code: set the verification code to empty and send the request.

Send the verification code, inspect the corresponding response packet, and find the verification code inside it.
Brute-force within the lifetime of the verification code.
Modify the response packet into the response of a successful verification and send it on.
Skip the verification step: first change a password normally and, after entering the verification code, record the page information such as the URL; then enter another user name and, on the verification-code page, open that URL to jump straight to the password-change page and change the password.
The verification code is not bound to the user: with two accounts, when resetting someone else's password, replace the verification code with your own correct one.
When resetting someone else's password, capture the packet and replace the mobile number or email address with your own; once your own reset succeeds, the browser allows resetting other people's passwords without sending a verification code.
Replace the user name, ID, cookie, token and other authentication parameters.
Reset without authorization by modifying someone else's recovery information, such as mobile number or email.

Parameter hiding: capture the packet when entering the user name and copy the user parameter; enter the correct verification code to jump to the password-change page; when entering the new password, intercept the packet and note that the user parameter is no longer visible; add the user parameter in front of the password parameter, and if its value is set to another user, that user's password is changed.
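As an added example (not code from the original post), a minimal reset-code service that closes the gaps listed above: the code is bound to the account and sent to the contact on file rather than to whatever the request carries, it is never echoed in the response, it expires, an empty code never passes, and guessing is rate-limited. The `send_code` stub and the injectable clock are assumptions for demonstration.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # code lifetime; after this the code is dead
MAX_ATTEMPTS = 5         # wrong guesses before the code is invalidated


def send_code(contact: str, code: str) -> None:
    """Stub for the SMS/e-mail sender (assumed; the real channel is out of scope)."""
    pass


class ResetService:
    def __init__(self, profiles: dict, now=time.time):
        self._profiles = profiles   # account -> contact on file (constructed test data)
        self._now = now             # clock, injectable so expiry can be tested
        self._pending = {}          # account -> state of the outstanding code

    def request_code(self, account: str) -> dict:
        """Contact comes from the stored profile, not the request, so a phone or
        e-mail swapped into a captured packet changes nothing; the response never
        echoes the code, and unknown accounts get the same answer."""
        contact = self._profiles.get(account)
        if contact is None:
            return {"status": "sent"}
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[account] = {"code": code, "issued": self._now(), "attempts": 0}
        send_code(contact, code)
        return {"status": "sent"}

    def verify_code(self, account: str, submitted: str) -> bool:
        """True only for the live, unexpired code issued to this account."""
        state = self._pending.get(account)
        if state is None or not submitted:
            return False                 # missing or empty code never passes
        if self._now() - state["issued"] > CODE_TTL_SECONDS:
            del self._pending[account]   # expired: cannot be brute-forced later
            return False
        state["attempts"] += 1
        if state["attempts"] > MAX_ATTEMPTS:
            del self._pending[account]   # lock out blind guessing
            return False
        if not hmac.compare_digest(state["code"], submitted):
            return False
        del self._pending[account]       # single use: the caller now opens the
        return True                      # password-change step for this account
```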

Reference: Logic Vulnerability - Password Reset, J0hnson666's Blog (CSDN)

JWT attacks

JWT introduction

JSON Web Token (JWT) is an open standard (RFC 7519) for securely representing claims between two parties.
JWT is a stateless authentication mechanism, usually used for authorization and information exchange. A JWT is validated purely by algorithm and does not rely on a database, Memcached or other storage, so verification can span servers: as long as the key and algorithm are the same, tokens generated by different server programs can be verified by each other. Once the token construction is understood, any known user can be impersonated.

JWT structure: header, payload, signature. The usual form is xxxxx.yyyyy.zzzzz.

Header: describes the most basic information about the JWT and usually consists of two parts: the token type (i.e. JWT) and the signature algorithm used. For example: { "alg": "HS256", "typ": "JWT" }. alg names the signing algorithm; the test is to modify the user name or other identity fields, change HS256 to none, generate a token and send the request, for example with python's pyjwt module.

Payload: the second part of the token holds basic information about the token to help the receiving server understand it, and can also carry custom information for exchanging user data. For example: { "sub": "1234567890", "name": "John Doe", "admin": true }

Signature: to create the signature, take the encoded header, the encoded payload, the secret and the algorithm specified in the header, and sign.
For example, with the HMAC SHA256 algorithm the signature is created as:

HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

The signature is used to verify that the message has not been altered throughout, and in the case of tokens signed with a private key, it also verifies that the sender of the JWT is who it says it is.

JSON Web Tokens - jwt.io


For an unsigned JWT: decode the original JWT string, modify the user name or other identity fields, and generate a new token to send the request.

Tool usage

jwt_tool:

GitHub - ticarpi/jwt_tool: A toolkit for testing, tweaking and cracking JSON Web Tokens

Download and configure:

$ git clone https://github.com/ticarpi/jwt_tool
$ python3 -m pip install termcolor cprint pycryptodomex requests
$ cd jwt_tool
$ python3 jwt_tool.py -h
$ python3 jwt_tool.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwicm9sZSI6InVzZXIiLCJpYXQiOjE1MTYyMzkwMjJ9.1rtMXfvHSjWuH6vXBCaLLJiBghzVrLJpAQ6Dl5qD4YI -d /usr/share/wordlists/dirb/common.txt -C

The WebGoat practice range has matching vulnerability exercises that can be used to test this.

Learning sources

Summary of Web Login Authentication Vulnerabilities | Technical Selection 0137 (qq.com)

JWT Attack Manual - Bypass - Blog Garden (cnblogs.com)


Origin blog.csdn.net/weixin_52450702/article/details/128725266