
Hack The Box OWASP Top 10: Baby Auth

  • carocsteads
  • Feb 13, 2025
  • 2 min read

Updated: Dec 9, 2025

Baby Auth:

Synopsis: Broken Authentication leads to account takeover.

Skills Required:

  1. Basic understanding of web application vulnerabilities.

  2. Ability to analyze and understand source code.

  3. Familiarity with the HTTP protocol.

  4. Knowledge of basic scripting using a programming language such as Python.

Skills Learned:

  1. Understanding the Broken Authentication vulnerability.

  2. Familiarity with the process of exploiting a web application vulnerability.

  3. Experience in analyzing and understanding source code to identify vulnerabilities.


The exercise: Who needs session integrity these days?



Analysis:

The first clue is in the exercise description. Another clue is in the tab titled "Broken Authentication."


We explore the app by registering a new member with username test and password test.



Log in with the new credentials.

The following message indicates that there is a way to determine whether a user is an admin. Let's examine the messages using Burp Suite.



Check the GET request in Burp Suite. It carries a PHPSESSID cookie; decode it as Base64.


Copy the PHPSESSID value eyJ1c2VybmFtZSI6InRlc3QifQ into the Decoder tab and decode it as Base64.



The result is {"username":"test"}.

Change the username from test to admin and encode the result as Base64: eyJ1c2VybmFtZSI6ImFkbWluIn0=



Send the GET / request to Repeater and replace the PHPSESSID cookie with the new value; the response code is 200.



In the browser, replace the PHPSESSID cookie with the new value and refresh the page.
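The root cause is that the cookie is nothing more than Base64-encoded JSON: the server trusts whatever the client sends, so there is no session integrity at all. The following example is added here and is not code from the challenge or from the original post. It decodes the captured cookie exactly as the Decoder tab does, then shows the fix a defender would ship: an HMAC-signed session cookie with a constant-time check, so that a body rewritten to another username is rejected. The key DEMO_KEY and the function names are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Cookie value captured in the walkthrough above (Base64 of a JSON object, padding stripped).
CAPTURED_COOKIE = "eyJ1c2VybmFtZSI6InRlc3QifQ"

# Constructed demo key. A real deployment loads a random 32-byte key from its
# secret store (e.g. secrets.token_bytes(32) at provisioning time), never from code.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def _pad(b64: str) -> str:
    """Restore Base64 padding that browsers or tools may have stripped."""
    return b64 + "=" * (-len(b64) % 4)


def decode_unsigned_cookie(value: str) -> dict:
    """The vulnerable format: plain Base64 JSON with nothing to verify.

    Any client can produce a value this function accepts, which is the flaw
    the exercise exploits.
    """
    return json.loads(base64.b64decode(_pad(value)))


def encode_unsigned_cookie(username: str) -> str:
    """Produce the vulnerable format; shown only so the hardened verifier can reject it below."""
    payload = json.dumps({"username": username}, separators=(",", ":")).encode()
    return base64.b64encode(payload).decode()


def _encode_body(payload: dict) -> str:
    raw = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def sign_session(payload: dict, key: bytes) -> str:
    """Hardened format: body.tag, where tag = HMAC-SHA256(key, body).

    The body is still readable by the client (this is integrity, not secrecy),
    but it cannot be altered without the server-side key.
    """
    body = _encode_body(payload)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_session(cookie: str, key: bytes):
    """Return the payload if the tag verifies, otherwise None (treat as logged out)."""
    try:
        body, tag = cookie.rsplit(".", 1)  # '.' is outside the URL-safe Base64 alphabet
    except ValueError:
        return None  # no tag at all, e.g. the old unsigned format
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return json.loads(base64.urlsafe_b64decode(_pad(body)))


def swap_payload(cookie: str, payload: dict) -> str:
    """Rebuild the body but keep the old tag: the most a client without the key can do."""
    _, tag = cookie.rsplit(".", 1)
    return f"{_encode_body(payload)}.{tag}"


if __name__ == "__main__":
    print("captured cookie decodes to:", decode_unsigned_cookie(CAPTURED_COOKIE))
    signed = sign_session({"username": "test"}, DEMO_KEY)
    print("signed cookie:", signed)
    print("verifies as:", verify_session(signed, DEMO_KEY))
    print("after swapping body to admin:", verify_session(swap_payload(signed, {"username": "admin"}), DEMO_KEY))
```

The signed cookie still exposes the username to the client, so it is only appropriate for data the user may see; the usual alternative is an opaque random session ID looked up in a server-side store, which gives both integrity and confidentiality. Either way, the property the exercise title asks about comes from the server holding something the client cannot reproduce.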




How to prevent broken authentication and account takeover:


  • Require strong, unique passwords

Enforce password complexity (e.g., 12+ characters, mix of letters, numbers, symbols).

Use password blacklists to prevent weak or commonly used passwords.

To ensure users create strong passwords, back the policy with a strength estimator such as zxcvbn (Dropbox's password strength estimator) rather than relying on character-class rules alone.

  • Implement rate limiting on authentication endpoints

Limit failed login attempts (e.g., 5 attempts per 15 minutes).

Use progressive delays or CAPTCHA after multiple failures.

Block IPs with excessive failed logins to prevent brute-force attacks.

  • Take care of user credentials

Never send login data over unencrypted connections; always use TLS to secure authentication requests.

Store credentials securely using hashed and salted passwords (bcrypt, Argon2).

  • Prevent user enumeration

Use generic error messages for failed logins (e.g., “Invalid credentials”) to prevent attackers from distinguishing valid and invalid usernames.

Ensure login, registration, and password reset flows do not expose whether an account exists.
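The checklist items above fit together in one login handler. The example below is added here and is not code from the challenge or the original post: it enforces a minimum length and a (constructed) blacklist at registration, stores salted slow hashes, locks a username after 5 failures in 15 minutes, and returns the same generic message for an unknown user, a wrong password, and a locked account, hashing a dummy record for unknown users so response time does not reveal whether the account exists. PBKDF2 from the standard library stands in for the bcrypt/Argon2 named above, which need third-party packages; the class and function names and the injectable clock are constructed for this example.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, List, Optional, Tuple

MAX_FAILURES = 5                  # lockout threshold from the checklist: 5 attempts ...
WINDOW_SECONDS = 15 * 60          # ... per 15 minutes
GENERIC_ERROR = "Invalid credentials"
MIN_PASSWORD_LENGTH = 12
# Constructed stand-in for a real breached-password blacklist.
COMMON_PASSWORDS = {"password", "password1234", "123456789012", "qwertyuiop12"}
# PBKDF2 (stdlib) stands in for bcrypt/Argon2; iteration count kept low for the demo,
# production deployments use a much higher work factor.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, slow hash of a password; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Verified against when the username does not exist, so unknown and known
# accounts cost the same time and cannot be told apart by timing.
DUMMY_RECORD = hash_password("constructed-dummy-password")


def password_meets_policy(password: str) -> bool:
    """Length floor plus blacklist; a real policy would also consult a strength estimator."""
    return len(password) >= MIN_PASSWORD_LENGTH and password.lower() not in COMMON_PASSWORDS


class LoginService:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock                                   # injectable for testing the lockout window
        self.users: Dict[str, Tuple[bytes, bytes]] = {}      # username -> (salt, digest)
        self.failures: Dict[str, List[float]] = {}           # username -> failure timestamps

    def register(self, username: str, password: str) -> bool:
        """Reject weak passwords; duplicate-account handling is out of scope here."""
        if not password_meets_policy(password):
            return False
        self.users[username] = hash_password(password)
        return True

    def _recent_failures(self, username: str) -> List[float]:
        now = self.clock()
        recent = [t for t in self.failures.get(username, []) if now - t < WINDOW_SECONDS]
        self.failures[username] = recent
        return recent

    def is_locked(self, username: str) -> bool:
        return len(self._recent_failures(username)) >= MAX_FAILURES

    def login(self, username: str, password: str) -> Tuple[bool, str]:
        if self.is_locked(username):
            return False, GENERIC_ERROR          # same message: lockout reveals no account state
        record = self.users.get(username)
        salt, digest = record if record is not None else DUMMY_RECORD
        _, candidate = hash_password(password, salt)
        ok = record is not None and hmac.compare_digest(candidate, digest)
        if not ok:
            self.failures.setdefault(username, []).append(self.clock())
            return False, GENERIC_ERROR          # unknown user and wrong password look identical
        self.failures.pop(username, None)
        return True, "ok"


if __name__ == "__main__":
    svc = LoginService()
    print("weak password accepted?", svc.register("alice", "password"))
    print("strong password accepted?", svc.register("alice", "correct-horse-battery"))
    print(svc.login("alice", "correct-horse-battery"))
    print(svc.login("alice", "wrong-guess"))
    print(svc.login("nobody", "wrong-guess"))
```

The counter here is keyed by username, which stops a targeted guess against one account; the per-IP blocking and CAPTCHA steps above are the complement for attackers spraying many accounts, and in a real deployment the failure list lives in shared storage rather than process memory so that it survives restarts and covers every instance.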



© 2023 by Carolina Steadham. All rights reserved.
