Objective
Learn how to exploit weak password policies to gain unauthorized access to a web application and understand how strong password policies and secure hashing algorithms can prevent such attacks.
Scenario
You are evaluating the security of a simple web application with a login form. The application uses weak password policies and stores passwords insecurely. Your goal is to exploit this vulnerability using brute-force and dictionary attacks, then implement stronger security measures.
Lab Setup
Prerequisites:
- Basic knowledge of PHP and SQL.
- XAMPP/LAMP/WAMP stack installed (or any web server with PHP and MySQL support).
- A code editor (e.g., VSCode, Sublime Text).
Create the Vulnerable Web Application
Database Setup
Open phpMyAdmin and create a new database:
CREATE DATABASE weak_auth;
Use the database:
USE weak_auth;
Create a users table:
CREATE TABLE users (
    id INT AUTO_INCREMENT PRIMARY KEY,
    username VARCHAR(50) NOT NULL,
    password VARCHAR(50) NOT NULL
);
Insert a weak user password:
INSERT INTO users (username, password) VALUES ('admin', '1234');
PHP Script for Login Functionality
Create a file named login.php:
<?php
session_start();
$conn = mysqli_connect("localhost", "root", "", "weak_auth");
if (isset($_POST['login'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    // The submitted password is compared directly against the plaintext value stored in the table
    $query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
    $result = mysqli_query($conn, $query);
    if (mysqli_num_rows($result) > 0) {
        $_SESSION['username'] = $username;
        echo "<h2>Welcome, $username!</h2>";
    } else {
        echo "<h2>Invalid Credentials!</h2>";
    }
}
?>
<form method="POST" action="">
    Username: <input type="text" name="username" required><br>
    Password: <input type="password" name="password" required><br>
    <button type="submit" name="login">Login</button>
</form>
Running the Application
- Start the Apache and MySQL servers.
- Place login.php in the web server's root directory (htdocs for XAMPP).
- Open http://localhost/login.php in your browser.
Exploitation Steps
Step 1: Attempting Common Passwords
- Try logging in with:
  - Username: admin
  - Password: 1234
Expected Result:
- Login is successful because the password is weak and stored in plaintext.
Step 2: Performing a Brute-Force Attack
Use a tool like Hydra to brute-force the login form:
hydra -l admin -P /usr/share/wordlists/rockyou.txt localhost http-post-form "/login.php:username=^USER^&password=^PASS^:Invalid Credentials"
Expected Result:
Hydra cracks the password 1234 quickly.
Solution and Prevention
Problem Analysis
- Passwords are stored in plaintext.
- Weak password policies allow easily guessable passwords.
Fixing the Vulnerability
Enforce Strong Password Policies
Implement minimum length and complexity checks at registration (and on password change), before the password is stored:
// Reject passwords shorter than 8 characters or without at least one non-alphanumeric character
if (strlen($password) < 8 || !preg_match("/[^a-zA-Z0-9]/", $password)) {
    die("Password must be at least 8 characters long and include special characters.");
}
Hash Passwords with bcrypt
Store passwords securely:
// During registration (after the policy check above)
// password_hash() with PASSWORD_BCRYPT returns a 60-character string, which does not fit the
// VARCHAR(50) column created earlier: widen it first, e.g. ALTER TABLE users MODIFY password VARCHAR(255) NOT NULL;
$hashed_password = password_hash($password, PASSWORD_BCRYPT);
$stmt = mysqli_prepare($conn, "INSERT INTO users (username, password) VALUES (?, ?)");
mysqli_stmt_bind_param($stmt, "ss", $username, $hashed_password);
mysqli_stmt_execute($stmt);
// During login: look the user up by name only, then compare with password_verify()
$stmt = mysqli_prepare($conn, "SELECT * FROM users WHERE username = ?");
mysqli_stmt_bind_param($stmt, "s", $username);
mysqli_stmt_execute($stmt);
$user = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
if ($user && password_verify($password, $user['password'])) {
    $_SESSION['username'] = $username;
    echo "<h2>Welcome, " . htmlspecialchars($username) . "!</h2>";
} else {
    echo "<h2>Invalid Credentials!</h2>";
}
Implement Rate Limiting
Slow down repeated failed login attempts; the simplest form is a delay in the failed-login branch of login.php:
sleep(2); // Add delay after a failed login
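A delay alone only stretches each attempt; a per-account counter puts a hard ceiling on guesses. The following is an added example (not part of the original lab) that combines the bcrypt verification and prepared statements from the hashing section with a lockout counter; it assumes the users table has been widened and given two extra columns, as shown in the comments, and the constants and function name are chosen for this example.

```php
<?php
// Added example (not from the original lab): hardened login with bcrypt
// verification, prepared statements and a per-account lockout counter.
// Assumed schema changes (constructed for this example):
//   ALTER TABLE users MODIFY password VARCHAR(255) NOT NULL;  -- bcrypt hashes are 60 chars
//   ALTER TABLE users ADD failed_attempts INT NOT NULL DEFAULT 0, ADD locked_until DATETIME NULL;
const MAX_FAILED_ATTEMPTS = 5;
const LOCKOUT_SECONDS     = 900; // lock the account for 15 minutes

function attempt_login(mysqli $conn, string $username, string $password): string {
    $stmt = $conn->prepare(
        "SELECT id, password, failed_attempts, locked_until FROM users WHERE username = ?"
    );
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $user = $stmt->get_result()->fetch_assoc();

    if ($user === null) {
        // Run a bcrypt verification anyway so an unknown username takes as long as a wrong password
        password_verify($password, password_hash("dummy-password", PASSWORD_BCRYPT));
        return "invalid";
    }
    if ($user['locked_until'] !== null && strtotime($user['locked_until']) > time()) {
        return "locked"; // refuse before checking the password at all
    }
    if (password_verify($password, $user['password'])) {
        $reset = $conn->prepare("UPDATE users SET failed_attempts = 0, locked_until = NULL WHERE id = ?");
        $reset->bind_param("i", $user['id']);
        $reset->execute();
        return "ok";
    }
    // Wrong password: count it and lock the account once the limit is reached
    $failed = $user['failed_attempts'] + 1;
    $locked_until = $failed >= MAX_FAILED_ATTEMPTS
        ? date("Y-m-d H:i:s", time() + LOCKOUT_SECONDS)
        : null;
    $upd = $conn->prepare("UPDATE users SET failed_attempts = ?, locked_until = ? WHERE id = ?");
    $upd->bind_param("isi", $failed, $locked_until, $user['id']);
    $upd->execute();
    return "invalid";
}

// Usage inside login.php (constructed): the caller shows the same generic message
// for "invalid" and "locked" so the response does not reveal which one applied.
// $status = attempt_login($conn, $_POST['username'], $_POST['password']);
```

With this in place the Hydra run from Step 2 is stopped after MAX_FAILED_ATTEMPTS guesses rather than merely slowed. Lockouts can be used to keep a legitimate user out of their own account, so pair them with per-IP throttling and alerting rather than relying on them alone.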
Use Multi-Factor Authentication (MFA)
Add another layer of security beyond passwords.
Testing After Fix
- Attempt to brute-force login again.
- Observe that bcrypt hashing, stronger password policies, and rate limiting make the attack impractical.
Conclusion
In this lab, you exploited weak password policies to bypass authentication through brute-force and dictionary attacks. You also implemented strong password policies, secure password hashing with bcrypt, and rate limiting to protect against these attacks.