Logical Authentication Bypass Vulnerability

On the morning of 28th September 2015 I received an email from my colleague asking me to perform a penetration test on the Android application of a bank called "ABC" (for security reasons I am not disclosing the name of the application). The time limit was short, as I had to complete the test and the report in 2 days, so I looked for critical vulnerabilities. One day passed and I had checked for most injection and session-management vulnerabilities, but there was no luck.

After giving the application some more thought I lost hope and started writing the report, when suddenly my eye caught a glimpse of the authentication request that was going to the server.

Now, to understand the request you have to understand the login functionality of the application. The developers of this app were trying to be smart: at registration time they asked for a Password and a Memorable Keyword for accessing your account in the app, enforced by a security policy like:
1. Password of at least 8 characters.
2. Password must contain one upper-case letter and one lower-case letter.

But at login time the developers thought it would be more secure if the app asked for these three things for a successful sign-in to the account:
1. Email ID
2. 3 given positions of the Memorable Keyword
3. 3 given positions of the Password

The security trick used by the developers was great, but on the other hand it weakens the Password and Memorable Word strength from 8 characters to 3 random characters.

So, as there were fewer characters, the 3 characters of the memorable word and password could be brute-forced easily: it only takes 26x26x26 permutations and combinations, but matching the two against each other could take days. So brute forcing was not the plan.

Now, find the bug...!!!

The authentication request was showing:
1. Email ID
2. 3 given positions of the Memorable Keyword
3. 3 given positions of the Password

But the developers' biggest mistake was that the request also carried the positions themselves, <PINSeq>{3,4,7} & <PwDSeq>{2,3,5}, so the client was telling the server which positions it was answering.

Automatically a thought came to my mind: what if I changed <PINSeq>{3,4,7} & <PwDSeq>{2,3,5} to <PINSeq>{1,1,1} & <PwDSeq>{1,1,1}? So I forged the same request with <PINSeq>{1,1,1} & <PwDSeq>{1,1,1}, followed by the memorable word and password <PIN>qqq & <PwD>qqq, and sent it to the server, as my test account's credentials were:
MW : qWerty123
PW : queEn123

So the first position of both the memorable word and the password was "q", hence <PIN>qqq & <PwD>qqq.
After forwarding the request to the server I got a 200 OK response with Boolean true in the response body.

So finally my test was successful, and my problem of matching the 26x26x26 permutations and combinations of memorable word and password was solved....

As I was able to edit the sequence, I could fix it to positions 1,1,1, meaning the first letter of the password and of the memorable word.

Now my only task was to find the 3-letter password and memorable word, which automatically became easy: as the sequence/positions of the password and memorable word were 1,1,1, I only had to try 26+26 candidates for the password and memorable word.

E.g. position 1,1,1 is fixed for the password and memorable word,
and the victim's password and memorable word always start with a letter from:
{ a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z }
so I had to brute-force the positions like:

Now, thinking of this logic, I took the Burp Suite Intruder tool for my benefit...
First I asked my test account handler to change the password so I could test my authentication bypass theory.


1. I forwarded the original request to Intruder with the victim's Email ID.
2. Changed the pin sequence to <PINSeq>{1,1,1} & <PwDSeq>{1,1,1}.
3. Marked the position and added the payload a,b,c,..........z.
4. Launched the 26-character brute-force attack for the first letter of the Memorable word...

The response was 200 OK with Boolean true at <IsPinValid>.

So the first letter of the new Memorable word was clear: it was "c,c,c" = "c".

5. Launched the 26-character brute-force attack for the first letter of the Password...

The response was 200 OK with Boolean true at <IsPwdValid>.

So the first letter of the new Password was "r,r,r" = "r".

6. Now finally I had the first letters of the Memorable word and password, "c" and "r" respectively, so I started logging in to the app. At the login page I intercepted the HTTP request and edited the pin sequence <PINSeq>{3,4,7} & <PwDSeq>{2,3,5} to <PINSeq>{1,1,1} & <PwDSeq>{1,1,1}, followed by the memorable word <pin>ccc</pin> & password <pwd>rrr</pwd>,
and forwarded the request to the server.....

Got 200 OK in response with Boolean <IsPINValid>true</IsPINValid> & <IsPwdValid>true</IsPwdValid>

Successful login ....:)


-Raghav Bisht
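The root cause shown in this write-up is that the server accepted the challenge positions from the client in the same request as the answer. As an added example (not code from the write-up or from the bank's application), here is a toy Python verifier that shows that flawed design beside a hardened one, where the server picks three distinct positions per single-use challenge and ignores anything the client says about positions; the account, email address and field names are assumptions.

```python
import hmac
import secrets

# Constructed test account, mirroring the write-up's example credentials.
USERS = {"user@example.com": {"pin": "qWerty123", "pwd": "queEn123"}}


def vulnerable_verify(email, pin_seq, pin_chars, pwd_seq, pwd_chars):
    """Flawed design: the positions arrive in the same request as the answer,
    so the client chooses which characters it has to prove it knows."""
    rec = USERS[email]
    pin_ok = all(rec["pin"][p - 1] == c for p, c in zip(pin_seq, pin_chars))
    pwd_ok = all(rec["pwd"][p - 1] == c for p, c in zip(pwd_seq, pwd_chars))
    return pin_ok and pwd_ok


# Hardened design: positions are chosen by the server, stored against a
# one-time challenge id, and never accepted from the client.
CHALLENGES = {}
_rng = secrets.SystemRandom()


def issue_challenge(email):
    """Pick 3 distinct positions for each secret and remember them server-side."""
    rec = USERS[email]
    pin_seq = sorted(_rng.sample(range(1, len(rec["pin"]) + 1), 3))
    pwd_seq = sorted(_rng.sample(range(1, len(rec["pwd"]) + 1), 3))
    cid = secrets.token_hex(16)
    CHALLENGES[cid] = (email, pin_seq, pwd_seq)
    return cid, pin_seq, pwd_seq


def hardened_verify(cid, pin_chars, pwd_chars):
    """The client returns only the challenge id and the requested characters."""
    ch = CHALLENGES.pop(cid, None)  # single use: replays and forged ids fail
    if ch is None:
        return False
    email, pin_seq, pwd_seq = ch
    rec = USERS[email]
    want_pin = "".join(rec["pin"][p - 1] for p in pin_seq)
    want_pwd = "".join(rec["pwd"][p - 1] for p in pwd_seq)
    # Both comparisons run in constant time and neither is short-circuited.
    pin_ok = hmac.compare_digest(want_pin, pin_chars)
    pwd_ok = hmac.compare_digest(want_pwd, pwd_chars)
    return pin_ok and pwd_ok
```

Rate limiting and lockout per account still belong in front of either verifier; the point here is that with server-held positions a client can no longer reduce the challenge to a single character.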