Authentication Lab Walk-throughs

The Authentication Lab is a selection of challenges all related to authentication or authorisation. They are all taken, in some way, from real-world examples I've come across during tests or that have been suggested by other testers.

You can play the latest version of all the challenges in my Authentication Lab or grab the code from GitHub and build your own lab. The lab is written in Golang and should be fairly easy to install and get running.

The rest of this site contains further information and a walk-through of each of the challenges in the lab. I recommend giving the challenges a go, then coming back here if you are having problems or to see whether your solution matches mine.

IP Based Auth Bypass

Find the deliberate IP based authentication bypass.

Timing Attacks

Sometimes even the best login system can leak information through side-channels.

Client Side Auth

Never trust anything coming from the user, especially authentication.

Leaky JWT

See how easy it is to leak information in a JWT.

CVE-2019-7644 - JWT Signature Disclosure

Sometimes all it takes is a little information disclosure to break an authentication system.

User Agents

This challenge is similar to the Client Side challenge where the server assumes that the client can be trusted and bases its authentication decisions on what the client tells it.

JWT None

Sometimes when attacking JWTs you do not need to worry about messing with signatures: you can just remove them entirely and the server will still accept the token.

Auth0 found this out recently, when a researcher noticed that if you set the signature algorithm to "None", the signature was not required. You can read their blog post here: JSON Web Token Validation Bypass in Auth0 Authentication API.

One thing to note: they did appear to know about this attack, as they were doing a case-sensitive check for the algorithm "none" and rejecting those requests, but any variation on that, for example "None", was accepted. A very good reason why deny lists are not always the best approach.
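
As an added example, not code from the lab or from Auth0, here is the difference in Go (the lab's language) between the case-sensitive deny-list gate described above and an allow-list verifier that accepts only HS256 and checks the HMAC. The key and payloads are constructed for the demo, and denyListAccepts models only the algorithm gate, not the rest of a real verifier.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"strings"
)

var b64 = base64.RawURLEncoding
// headerAlg returns the "alg" value from a compact JWT's JOSE header, or "" if malformed.
func headerAlg(token string) string {
	parts := strings.Split(token, ".")
	raw, err := b64.DecodeString(parts[0])
	var h struct{ Alg string } // encoding/json matches "alg" case-insensitively
	if len(parts) != 3 || err != nil || json.Unmarshal(raw, &h) != nil {
		return ""
	}
	return h.Alg
}

// denyListAccepts mirrors the flawed gate: only the exact string "none" is rejected, so "None" or "NONE" slip through unsigned.
func denyListAccepts(token string) bool {
	alg := headerAlg(token)
	return alg != "" && alg != "none"
}

// allowListVerify is the fix: HS256 only, and the HMAC over header.payload must match.
func allowListVerify(token string, key []byte) bool {
	if headerAlg(token) != "HS256" {
		return false
	}
	parts := strings.Split(token, ".")
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	return err == nil && hmac.Equal(sig, mac.Sum(nil))
}

// makeToken builds a constructed test token; a nil key gives an unsigned "None"-style token with an empty third segment.
func makeToken(alg, payload string, key []byte) string {
	signing := b64.EncodeToString([]byte(`{"alg":"`+alg+`","typ":"JWT"}`)) + "." + b64.EncodeToString([]byte(payload))
	if key == nil {
		return signing + "."
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signing))
	return signing + "." + b64.EncodeToString(mac.Sum(nil))
}
```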

Cracking JWT keys

If you can crack the secret key used by the HMAC when signing a JWT, you are free to sign your own tokens and so mess with the claims as much as you want. This lab takes you through the process of cracking four different secret keys.

The walk-through will demonstrate using both John the Ripper and Hashcat.

Support The Site

I don't get paid for any of the projects on this site so if you'd like to support my work you can do so by using the affiliate links below where I either get account credits or cash back. Usually only pennies, but they all add up.