External Authentication Injection – What is it?

It’s applying folder-level authentication to abuse web applications or client browsers; how you introduce it depends on understanding how you can abuse it.

When can this attack be used?

Anywhere within an application that renders an external resource. Most commonly the resource is fetched by the client, but in some more advanced web applications it may be handled by a reverse proxy or a parser that fetches resources on behalf of the user (under the authority of the application).

Where might I fall victim?

If you’re an organisation using third-party resources, this would be a good attack position for an attacker to maximise opportunity: say your images or videos were hosted elsewhere; an attacker controlling that location would impact all visitors. Obviously if they took the CDN they might be more interested in manipulating the JavaScript hosted there, but that’s a different issue, under the same umbrella of third-party assurance and accountability.

You might also fall victim if you let customers/visitors reference external resources, such as a comment function that allows them to ‘hotlink’ images (or any resource).

And if you host an application that fetches untrusted resources and hasn’t explicitly blocked sending authentication outside of trusted zones.

Client-side examples:
Referencing an image for a header graphic or a profile picture; in fact referencing anything from anywhere you can (useful when applications have file-type whitelisting).

Server-side examples:
Fetching resources at the client’s/user’s request, perhaps before presenting them to the user (or not).

Any functionality that calls an external resource using the application’s account/permissions.
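A server-side fetcher that enforces the “don’t send authentication outside trusted zones” rule described above, as an added example (not code from the original post): it installs no auth handlers, answers a 401 only when the host that actually challenged is on an allowlist, and never answers NTLM/Negotiate. The host `intranet.example.test` and the `TRUSTED_AUTH_HOSTS` allowlist are assumptions.

```python
import base64
import logging
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urlparse

log = logging.getLogger("outbound-fetch")

# Assumption: the only hosts that may ever see the application's
# service credentials. Everything else is an untrusted zone.
TRUSTED_AUTH_HOSTS = {"intranet.example.test"}

def parse_challenge(www_authenticate):
    """Split a WWW-Authenticate value into (scheme, parameters)."""
    scheme, _, params = www_authenticate.strip().partition(" ")
    return scheme.lower(), params.strip()

def decide_auth(url, www_authenticate, trusted=TRUSTED_AUTH_HOSTS):
    """Return (allowed, reason) for answering a 401 challenge from url.

    Judged on hostname, not netloc, so a userinfo trick such as
    http://intranet.example.test@untrusted.example/ is scored as untrusted.example.
    Only Basic is ever answered; NTLM/Negotiate never leave the zone.
    """
    host = (urlparse(url).hostname or "").lower()
    scheme, _ = parse_challenge(www_authenticate)
    if host not in trusted:
        return False, f"{scheme or 'unknown'} challenge from untrusted host {host!r}"
    if scheme != "basic":
        return False, f"refusing {scheme!r} scheme even for trusted host {host}"
    return True, f"basic auth permitted for {host}"

def fetch(url, creds=None, trusted=TRUSTED_AUTH_HOSTS, timeout=5):
    """Fetch url; attach credentials only after an accepted 401 challenge."""
    opener = urllib.request.build_opener()  # deliberately no *AuthHandler
    try:
        return opener.open(url, timeout=timeout).read()
    except HTTPError as err:
        if err.code != 401:
            raise
        # err.url is the URL that actually challenged, after any redirects
        allowed, reason = decide_auth(err.url, err.headers.get("WWW-Authenticate", ""), trusted)
        if not allowed or creds is None:
            log.warning("not answering challenge: %s", reason)
            return None  # caller treats the resource as unavailable
        token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
        req = urllib.request.Request(err.url, headers={"Authorization": "Basic " + token})
        return opener.open(req, timeout=timeout).read()
```

The refusal log line is the detection hook: a challenge from a host you never configured credentials for is exactly the signal this attack produces.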

Client Examples:
Auth Injection Client https://www.youtube.com/watch?v=57tmGl3wLzw

Auth Injection XP (old) https://www.youtube.com/watch?v=3gkeQfCNmjo

Server Examples:
Auth Injection Godaddy https://www.youtube.com/watch?v=8cZC35MI6D4

Auth Injection ASAFA Web https://www.youtube.com/watch?v=YvCYDtVY__8

Note for Pentesters:
When on a web application assessment, if you find XXE, SSRF… in fact any ‘external HTTP (or SMB?) interaction’ in your application, it’s always worth pointing your ‘external’ at an authentication challenge; you’ll be surprised how many applications respect ‘off domain’ or untrusted zones when asked for credentials. Much pwn.

Tools to assist:
SpiderLabs Responder (NTLM & Basic Auth capability + more) https://github.com/SpiderLabs/Responder

Metasploit Basic Auth https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/capture/http_basic.rb

Metasploit HTTP NTLM Auth https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/capture/http_ntlm.rb

The Skinny:
It’s more rewarding if the server hands over its credentials… but the client-side injection could be useful for phishing where there is no ability to use JavaScript, although your target would have to be pretty… bad at the internet.

Additionally, you could be less intrusive and use image canaries; this wouldn’t yield credentials but would give insight into activity, better for tracking and triggering honeypots. I’ll write more about canaries later.