DAY 2: Broken authentication

@rrietwrites
2 min read · Jun 8, 2022
An image representation for broken authentication

Please note: This is part two of a 10-part series on TryHackMe OWASP top 10 room

On owasp.org this category has since been renamed to Identification and Authentication Failures.

Authentication is the process of verifying a user’s identity. A broken authentication vulnerability occurs when the web application’s authentication mechanism has flaws that permit brute force, credential stuffing, the use of weak credentials (e.g. admin/password as username and password), unlimited failed login attempts, and similar abuse. An attacker can exploit these flaws to gain unauthorized access to sensitive data.

LAB 2: Broken Authentication

The challenge is pretty simple: exploit a logic flaw in the web app.

The web app in this lab does not sanitize user input. Because the username is stored exactly as submitted, you can re-register an existing user by adding a leading blank space to their username. The app accepts the unsanitized input as a new account, yet that account ends up with the same access as the legitimate user.

The challenge requires re-registering the user “darren”.

Trying to register them shows that the user already exists.

Abuse the broken authentication by registering the user “ darren” (note the space before the name), then log in with the new username and password.

You are successfully logged in and have access to the information that the original user darren would see.

The challenge requires doing the same with a user named arthur in order to find the second flag.
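Below is a constructed Python model of the flaw described above, beside a fixed version; it is an added example, not the TryHackMe app’s code, and it assumes the app checks username uniqueness on the raw string but looks up account data on a normalized form.

```python
import unicodedata

# Constructed in-memory model of the lab's logic flaw; not the TryHackMe app's code.
# Assumption: uniqueness is checked on the raw username, while per-user data is
# looked up on a normalized form, so " darren" and "darren" share one profile.

def canonical(username: str) -> str:
    """One canonical spelling: Unicode-normalized, trimmed, case-folded."""
    return unicodedata.normalize("NFKC", username).strip().casefold()


class VulnerableApp:
    def __init__(self) -> None:
        self.credentials = {}   # raw username -> password (exact-match keys)
        self.profiles = {}      # canonical username -> private data

    def seed(self, username, password, data):
        self.credentials[username] = password
        self.profiles[canonical(username)] = data

    def register(self, username, password):
        # Existence check on the raw string: " darren" != "darren", so it passes.
        if username in self.credentials:
            return False
        self.credentials[username] = password
        return True

    def login(self, username, password):
        if self.credentials.get(username) != password:
            return None
        # Data lookup is normalized, so the new account resolves to darren's data.
        return self.profiles.get(canonical(username))


class FixedApp(VulnerableApp):
    def register(self, username, password):
        # Normalize before the uniqueness check and reject anything that changed,
        # so "darren", " darren" and "DARREN" can never coexist as separate accounts.
        canon = canonical(username)
        if canon != username or canon in self.credentials:
            return False
        return super().register(canon, password)

    def login(self, username, password):
        return super().login(canonical(username), password)


def demo(app_cls):
    """Seed darren, try the lab's trick, and report (registered?, data seen)."""
    app = app_cls()
    app.seed("darren", "s3cret", "flag{constructed-sample}")  # constructed data
    registered = app.register(" darren", "attacker-pw")
    data = app.login(" darren", "attacker-pw") if registered else None
    return registered, data
```

`demo(VulnerableApp)` reproduces the lab (the padded account reads darren’s data); `demo(FixedApp)` rejects the padded registration outright.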

@rrietwrites is a cybersecurity researcher who also enjoys conversations on personal finance, lifestyle, mental health and human psychology.