6.1.2 Attacking HTTP Authentication
Last updated
Last updated
Basic HTTP authentication is a simple authentication mechanism used by web app and services to restrict access to certain resources and functionalities.
It usually based on username and password combination, however, it's important to remember that basic HTTP authentication isn't secure when used over and unencrypted connection (HTTP).
It should only be used over HTTPS to ensure that the credentials are transmitted securely.
When a client (usually web browser) makes a request to a protected resource on a server, the server responds with an Unauthorized status code (401) if the resource requires authentication.
The client constructs a string in the format username:password and encodes it in Base64, it includes this encoded string in an Authorization header.
In the response, the server includes a www-authenticate header with the value "Basic", it means that client has provides to access the resource.
When the server receives the request (with the authorization header), it decodes the Base64-encoded credentials, checks them against its database of authorized users and grants access if the credentials are valid (status code 200).
Using burp suite intruder is possible to attack username and password values (present into authorization request (decoded in base 64)
to do brute force attack via dictionary payload password, in addition we can add a prefix (admin) and encode all in Base64:
If we discover password, we decode it using burp suite decoder Base64 to plaintext.
Of course, we can perform the same attack for the username and password using Cluster bomb attack in burp suite intruder.
HTTP Digest Authentication is an authentication mechanism used in web apps and services to securely verify the identity of user that trying to access protected resources.
At difference of basic authentication, it has security limitations such as a challenge-response mechanism and hashing to protect user credentials during transmission.
It should only be used over HTTPS to ensure that the credentials are transmitted securely.
When a client (usually web browser) makes a request to a protected resource on a server, the server responds with an Unauthorized status code (401) if the resource requires authentication.
The client constructs a response using the following components: username, realm, password, nonce, request URI, HTTP, method, cnonce, qop, hashes (1 and 2).
In the response, the server receives the request with the authorization header and validates the response hash calculated by the client. If the hashes match, the server considers the client authenticated and grants access to the requested resource.
Using burp suite intruder is possible to capture http digest authentication
We can perform brute force attack for password using a dictionary and inserting: username value, <Target_IP>, method (http-get) and uri value (/digest/)
hydra -l admin -P wordlist/100-common-passwords.txt <Target_IP> http-get /digest/
and login with credentials found.