28th September 2015
morning I received an Email from my colleague, Email says to perform a Penetration Test on Android
Application of a Bank called "ABC" (For security reasons not disclosing
the name of the Application). Time limit was short as I have to complete the
test & report in 2 days. So I looked for Critical vulnerability. One day
passed & I checked for maximum Injections & Session managements
vulnerability but there was no luck.
After giving some
thought to the application I lose hope & started making report suddenly I
my eye have a glimpse of Authentication Request that was going to Server.
Now, for understanding
the request you have to understand the login functionality of the application.
So developers of this app was trying to be smart as they were asking for
Password & Memorable Keyword at the time of registration, for access your
account in the app using some security policy like :
1. At least 8 characters password.
2. Password must contain One Upper Letter & One
Lower Letter.
But at the time of login the developers thought it will be more secure if the app ask for these three conditions for successful signin to account:
1. Email ID
2. 3-Given Positions Of Memorable Keyword
3. 3- Given Positions Of Password
The security trick used by developers was great
but on the other hand its weaken the password & Memorable Word strength
from 8 character to 3 random character.
so, as the characters was less 3 memorable words
& password that can be Brute force easily like its only takes 26x26x26
permutation & combinations but matching with each other may took days. So
brute forcing was not the plan.
Now, Find The Bug...!!!
The authentication request was showing :
1. Email ID
2. 3-Given Positions Of
Memorable Keyword
3. 3- Given Positions Of
Password
But, the developers biggest mistake was, The request was also showing places <PINSeq>{3,4,7} & <PwDSeq> {2,3,5} in the request.
Automatically a thought came to my mind what If I
change the <PINSeq>{3,4,7}
& <PwDSeq> {2,3,5} to <PINSeq>{1,1,1} & <PwDSeq>
{1,1,1} so I forged the same Request with <PIN>{1,1,1} & <PwDSeq>
{1,1,1} followed by Memorable
word and Password <PIN>qqq &
<PwD>qqq then send it to the
server, as my test account password was :
MW : qWerty123
PW : queEn123
so, first position of the memorable word & password will be "q" hence <PIN>qqq
& <PwD>qqq
After forwarding the request to the server I got
200 OK Response & Boolean True in Response.
So Finally My test was successful & my problem was solved of
permutation & combination of 26x26x26 memorable words & password
matching....
As I am successfully able to edit sequence, I can fixed it to
place 1,1,1 means first
letter of password & memorable word.
Now only my task was to find 3 letter password & Memorable
word that automatically become easy because as the sequence / place of
password & Memorable word was 1,1,1 I only have to find 26+26 password & Memorable word.
Eg. Position 1,1,1 is
fixed for password & Memorable word
& victim password & Memorable word always starts with
letter :
{ a,b,c,d,e,f,g,h,i,j,h,i,j,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z }
so, I have to brute force place like :
{aaa,bbb,ccc,ddd,eee,fff,ggg,hhh,iii,jjj,kkk,lll,mmm,nnn,ooo,ppp,qqq,rrr,sss,ttt,uuu,
vvv,www,xxx,yyy,zzz}
Now, thinking of this logic I took Burp Suite Intruder tool for my
benefit...
Firstly I requested my test account handler to change the Password
so I can test my Authentication bypass theory.
Then,
1. I forward the original request to Intruder
with victim Email ID.
2. Changed the pin sequence <PINSeq>{1,1,1}
& <PwDSeq> {1,1,1}
3. mark the place & add payload from
a,b,c,..........z
4. Launch the 26 character brute-force attack
for first letter of Memorable word...
Response was 200 OK with Boolean True at <IsPinValid>
SO, The new Memorable word was clear, it was "c,c,c"
= "c"
5. Launch the 26 character brute-force attack
for first letter of Password...
Response was 200 OK with Boolean True at <IsPwdValid>
SO, The new Password's first letter was "r,r,r"
= "r"
6. Now finally I have the first letter of Memorable word & password, "c" & "r" Respectively. So I started login to the app. At login page I intercept the HTTP Request & edit all the information pin sequence <PINSeq>{3,4,7} & <PwDSeq> {2,3,5} to <PINSeq>{1,1,1} & <PwDSeq> {1,1,1} followed by memorable word <pin>ccc<pin> & password <pwd>rrr</pwd>
and forward the request to server.....
Got 200 OK In Response with Boolean <IsPINValid>true</IsPINValid> & <IsPwdValid>true</IsPwdValid>
Successful Login ....:)
Thanks...!!!!!!
-Raghav Bisht