Authentication Bypass -TryHackMe

Writeup

Hello, Amazing fellow hackers welcome back for a new write-up on authentication writeup on Tryhackme room. So let’s discuss the concept.

Authentication bypass is the critical type of vulnerability that leads to exposure of sensitive information of legitimate persons.

Username Enumeration:

Username enumeration is the concept in which used to gather the information of a particular email address/username that was already registered by them.

Ffuf is the best tool that is used for brute-forcing and enumeration so on. By using the Ffuf tool we can make username enumeration as effective as.

At first, go to the target address signup page enter the username as admin and follow your details, and click signup which gave me an error that “An account with this username already exists”. By making use of this error which helps to find valid usernames.

For this I use the command:

ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d “username=FUZZ&email=x&password=x&cpassword=x” -H “Content-Type: application/x-www-form-urlencoded” -u http://Target_address/customers/signup -mr “username already exists”

And the result is: