A2 - Broken Auth. & Session Mgmt(失效的身份认证和会话管理)
- Broken Authentication - CAPTCHA Bypassing
- Broken Authentication - Forgotten Function
- Broken Authentication - Insecure Login Forms
- Broken Authentication - Logout Management
- Broken Authentication - Password Attacks
- Broken Authentication - Weak Passwords
- Session Management - Administrative Portals
- Session Management - Cookies (HTTPOnly)
- Session Management - Cookies (Secure)
- Session Management - Session ID in URL
- Session Management - Strong Sessions
Broken Authentication - CAPTCHA Bypassing
验证码可被绕过：验证码只校验一次且没有时效限制，因此通过一次验证之后，就可以对用户名和密码进行暴力破解。
Broken Authentication - Forgotten Function
low
低级别下可以直接用字典暴力枚举邮箱地址。
medium
// Security level MEDIUM
// Mails the secret
// Reviewer notes: this branch e-mails the user's stored secret itself, not a reset token.
// $smtp_server, $smtp_sender, $row, $login and $email are assigned earlier in the file, outside this excerpt.
// The level comes from a client-supplied cookie: it picks bWAPP's difficulty and is not a trust boundary.
if($_COOKIE["security_level"] == "1")
{
// Only override the SMTP relay when one is configured
if($smtp_server != "")
{
ini_set( "SMTP", $smtp_server);
// Debugging
// $debug = "true";
}
// The stored secret is placed verbatim in the mail body below rather than a one-time token,
// so whoever can read that mailbox learns the secret itself.
$secret = $row->secret;
// Sends a mail to the user
$subject = "bWAPP - Your Secret";
$sender = $smtp_sender;
$content = "Hello " . ucwords($login) . ",\n\n";
$content.= "Your secret: " . $secret . "\n\n";
$content.= "Greets from bWAPP!";
// '@' suppresses mail() warnings; the only failure signal left is the boolean return,
// which makes a misconfigured relay hard to diagnose.
$status = @mail($email, $subject, $content, "From: $sender");
if($status != true)
{
$message = "<font color=\"red\">An e-mail could not be sent...</font>";
// Debugging
// die("Error: mail was NOT send");
// echo "Mail was NOT send";
}
else
{
$message = "<font color=\"green\">An e-mail with your secret has been sent.</font>";
}
}
// Mail body from the MEDIUM branch, quoted again for emphasis:
// the secret is written straight into the message text.
$content = "Hello " . ucwords($login) . ",\n\n";
$content.= "Your secret: " . $secret . "\n\n";
$content.= "Greets from bWAPP!";
中级别下，用户的 secret（安全问题）会直接写在邮件正文中发送出去。
high
// Security level HIGH
// Mails a reset code
// Reviewer notes: instead of the secret, this branch mails a reset link and stores the code in the users table.
// $smtp_server, $smtp_sender, $login, $email and $link are assigned earlier in the file, outside this excerpt.
if($_COOKIE["security_level"] == "2")
{
// Only override the SMTP relay when one is configured
if($smtp_server != "")
{
ini_set( "SMTP", $smtp_server);
// Debugging
// $debug = "true";
}
// 'Reset code' generation
// Token strength comes entirely from random_string() (defined outside this excerpt);
// sha1 only fixes the length and format and adds no entropy.
// NOTE(review): confirm random_string() draws from a CSPRNG (random_bytes/random_int).
$reset_code = random_string();
$reset_code = hash("sha1", $reset_code, false);
// Debugging
// echo $reset_code;
// Sends a reset mail to the user
$subject = "bWAPP - Change Your Secret";
// Taken from the request's Host header, i.e. supplied by the client: the host in the reset
// link below is whatever the request said. A configured base URL would pin it.
$server = $_SERVER["HTTP_HOST"];
$sender = $smtp_sender;
$email_enc = urlencode($email);
$content = "Hello " . ucwords($login) . ",\n\n";
// Link is plain http://, so the code is exposed in transit when it is followed;
// nothing in this excerpt attaches an expiry to it.
$content.= "Click the link to reset and change your secret: http://" . $server . "/bWAPP/secret_change.php?email=" . $email_enc . "&reset_code=" . $reset_code . "\n\n";
$content.= "Greets from bWAPP!";
// '@' suppresses mail() warnings; only the boolean return is left to signal failure.
$status = @mail($email, $subject, $content, "From: $sender");
if($status != true)
{
$message = "<font color=\"red\">An e-mail could not be sent...</font>";
// Debugging
// die("Error: mail was NOT send");
// echo "Mail was NOT send";
}
else
{
// SQL assembled by string concatenation. $reset_code is sha1 hex output, but $email
// originates earlier in the file and whether it was escaped is not visible here;
// a prepared statement with bound parameters would settle the question.
$sql = "UPDATE users SET reset_code = '" . $reset_code . "' WHERE email = '" . $email . "'";
// Debugging
// echo $sql;
$recordset = $link->query($sql);
if(!$recordset)
{
// Raw driver error text is returned to the client, which discloses database details.
die("Error: " . $link->error);
}
// Debugging
// echo "<br />Affected rows: ";
// printf($link->affected_rows);
// The code is persisted only after the mail went out, so mailbox and database hold the same token.
$message = "<font color=\"green\">An e-mail with a reset code has been sent.</font>";
}
}
}
else
{
// Presumably reached when no user matched the submitted address (the enclosing if/else starts outside this excerpt).
// At level 0 the reply "Invalid user!" confirms whether an address is registered (account enumeration).
// Levels 1 and 2 imitate the success wording instead, though the " Yeah right :)" suffix still differs
// from the real success message, so the two outcomes remain distinguishable to the client.
if($_COOKIE["security_level"] != "1" && $_COOKIE["security_level"] != "2")
{
$message = "<font color=\"red\">Invalid user!</font>";
}
else
{
$message = "<font color=\"green\">An e-mail with a reset code has been sent. Yeah right :)</font>";
}
}
}
}
// 'Reset code' generation
$reset_code =