External Authentication Injection (revisited)

What is it again?

tl;dr

It's using folder-level (HTTP) authentication on a resource you control to abuse web applications or client browsers; how you introduce it depends on understanding where the target fetches external resources and how that can be abused.


When can this attack be used?

Anywhere within an application that renders an external resource. Most commonly the resource is fetched by the client, but in some advanced web applications it may be handled by a reverse proxy or a parser that fetches resources on behalf of the user (under the authority of the application).

Client side examples:

Referencing an image for a header graphic or a profile picture; in fact, referencing anything from anywhere you can (useful when applications have filetype whitelisting, since the reference is a URL rather than an upload).

Server side examples:

Fetching resources at the client's/user's request, perhaps before presenting them to the user (or not).

Any functionality that calls an external resource using the application's account/permissions.
</gre_replace>
<gr_replace lines="38" cat="clarify" orig="When on a web">
When on a web application assessment, if you find XXE, SSRF, in fact any external HTTP (or SMB?) interaction in your application, it's always worth pointing your 'external' at an authentication challenge; you'll be surprised how many applications will hand over credentials to 'off domain' or untrusted zones when challenged.

Client Examples:

Auth Injection Client

Auth Injection XP (old)

Server Examples:

Auth Injection Godaddy

Auth Injection Troy

Note for Pentesters:

When on a web application assessment if you find XXE,SSRF ...infact any 'External HTTP (or SMB?) Interaction in your application it's always worth pointing your 'external' to a authentication challenge, you'll be surprised how many applications respect 'off domain' or untrusted zones when asked for credentials
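As an added example (not from the original post), the defensive side of the server-side case above: a fetch policy that attaches the application's account only to an allowlisted set of hosts, plus an audit over outbound-fetch records that flags 401/407 challenges from anything else. The allowlist, the record shape and the sample records are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts the server-side fetcher may authenticate to.
TRUSTED_AUTH_HOSTS = {"intranet.example.com", "files.example.com"}

# Constructed outbound-fetch records (hypothetical egress log shape, not real traffic).
SAMPLE_RECORDS = [
    {"url": "https://files.example.com/logo.png", "status": 401,
     "headers": {"WWW-Authenticate": "Negotiate"}},
    {"url": "http://203.0.113.10/avatar.png", "status": 401,
     "headers": {"WWW-Authenticate": 'NTLM, Basic realm="Avatar Store"'}},
    {"url": "https://cdn.example.net/img.png", "status": 200, "headers": {}},
]

def may_send_credentials(url, trusted=TRUSTED_AUTH_HOSTS):
    """Policy check before a server-side fetch: the application's account is
    attached only to HTTPS URLs whose host is on the allowlist. Every other
    host gets an anonymous request, so its 401/407 challenge harvests nothing."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and host in trusted

# Scheme name at the start of the header value or after a comma, e.g. 'NTLM',
# 'Basic realm="x"' or 'Negotiate'; quoted text such as realm="a, b" is skipped.
_SCHEME = re.compile(r'(?:^|,)\s*([A-Za-z][A-Za-z0-9_-]*)(?=\s|,|$)')

def parse_auth_schemes(header_value):
    """Return the auth scheme names offered in a WWW-/Proxy-Authenticate value."""
    return _SCHEME.findall(header_value or "")

def audit_fetch_log(records, trusted=TRUSTED_AUTH_HOSTS):
    """Detection pass: flag every auth challenge (401/407) issued by a host the
    application has no business authenticating to. A trusted host challenging
    is normal; an untrusted one is the signature of auth injection."""
    findings = []
    for rec in records:
        if rec["status"] not in (401, 407):
            continue
        host = (urlsplit(rec["url"]).hostname or "").lower()
        if host in trusted:
            continue
        hdrs = rec.get("headers", {})
        challenge = hdrs.get("WWW-Authenticate") or hdrs.get("Proxy-Authenticate", "")
        findings.append({"host": host, "status": rec["status"],
                         "schemes": parse_auth_schemes(challenge)})
    return findings

if __name__ == "__main__":
    for f in audit_fetch_log(SAMPLE_RECORDS):
        print("auth challenge from untrusted host:", f)
```

The same allowlist check belongs in front of whatever HTTP client the fetcher uses, since client defaults that send integrated credentials automatically are exactly what the server-side examples rely on.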

Tools to assist:

SpiderLabs Responder (NTLM & Basic Auth capability + more)

Metasploit Basic Auth

Metasploit HTTP NTLM Auth


The Skinny:

It's more rewarding if the server hands over its credentials... but the client-side injection could be useful for phishing where there is no ability to use JavaScript, although your target would have to be pretty... bad at the internet.