External Authentication Injection – What is it?
It is the use of a resource protected by (folder-level) authentication to abuse web applications or client browsers; how you introduce it depends on understanding how the target can be made to fetch that resource.
When can this attack be used?
Anywhere within an application that renders an external resource. Most commonly the resource is fetched by the client, but in some more advanced web applications it may be handled by a reverse proxy or a parser that fetches resources on behalf of the user (under the authority of the application).
Where might I fall victim?
You might also fall victim if you let customers/visitors reference external resources, such as a comment function that allows them to ‘hotlink‘ images (or any resource).
And if you host an application that fetches untrusted resources and hasn’t explicitly blocked sending authentication outside of trusted zones.
Referencing an image for a header graphic or a profile picture; in fact, referencing anything from anywhere you can (useful when applications have filetype whitelisting).
Fetching resources at a client’s/user’s command, perhaps before presenting them to the user (or not).
Any functionality that calls an external resource using the application’s account/permissions.
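The last two cases above (a fetcher that acts under the application’s authority and has not blocked sending credentials off domain) are where scoping matters. The example below is added here and is not code from the original post: it shows a naive fetcher that answers any HTTP 401 challenge with the application’s credential, beside a hardened one that only answers challenges from a trusted zone and records refused challenges as an audit signal. The trusted zone, the host names, the credential and the in-memory origins are all constructed placeholders so that the code runs offline; a trusted host that redirects to an external host is included because that is a common hotlink path.

```python
"""Scoping an application's outbound credentials to a trusted zone so that an
external resource cannot collect them by replying with an HTTP 401 challenge.
Origins are simulated in memory with constructed, placeholder host names."""
from urllib.parse import urlparse, urljoin

# Constructed trusted zone: only this domain and its subdomains may be sent
# the application's credential. Everything else is "off domain".
TRUSTED_ZONES = ("intranet.example",)

# Constructed placeholder credential, never a real secret.
APP_CREDENTIAL = "Basic c3ZjLWFjY291bnQ6cGxhY2Vob2xkZXI="


def host_in_trusted_zone(url, zones=TRUSTED_ZONES):
    """Exact or subdomain match on the URL's host; no substring matching,
    so "intranet.example.untrusted.test" and "evil-intranet.example" fail."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return bool(host) and any(host == z or host.endswith("." + z) for z in zones)


def fake_origin(url, headers):
    """Constructed in-memory origins returning (status, response headers)."""
    host = urlparse(url).hostname
    if host == "images.intranet.example":
        # A trusted host that redirects to an external CDN (hotlink path).
        return 302, {"Location": "http://cdn.untrusted.test/pic.png"}
    if host in ("cdn.untrusted.test", "intranet.example"):
        # Both challenge; only the second is entitled to an answer.
        if "Authorization" in headers:
            return 200, {}
        return 401, {"WWW-Authenticate": 'Basic realm="resource"'}
    return 200, {}


def fetch(url, policy, send=fake_origin, max_hops=5):
    """Fetch url, following redirects and answering a challenge only when
    policy(url) allows it. Returns (final status, audit events)."""
    events = []
    for _ in range(max_hops):
        status, headers = send(url, {})
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            # Re-evaluate the policy on every hop, not just the first URL.
            url = urljoin(url, headers["Location"])
            events.append(("redirect", urlparse(url).hostname))
            continue
        if status == 401 and "WWW-Authenticate" in headers:
            host = urlparse(url).hostname
            if policy(url):
                status, headers = send(url, {"Authorization": APP_CREDENTIAL})
                events.append(("credential_sent", host))
            else:
                # Refuse and record the challenge: this is the detection signal.
                events.append(("challenge_refused", host, headers["WWW-Authenticate"]))
        return status, events
    raise RuntimeError("too many redirects")


def answer_any_challenge(url):
    """Weak policy: answer every challenge (the behaviour the post warns about)."""
    return True


def answer_trusted_only(url):
    """Hardened policy: answer only inside the trusted zone."""
    return host_in_trusted_zone(url)


if __name__ == "__main__":
    for name, policy in (("weak", answer_any_challenge), ("hardened", answer_trusted_only)):
        print(name, fetch("http://images.intranet.example/pic.png", policy))
```

With the weak policy the redirect lands on the untrusted host and the credential follows it; with the hardened policy the same fetch ends in a 401 and a `challenge_refused` event that can be forwarded to monitoring. The same zone check should also gate proxy credentials and any NTLM/Negotiate handling in the HTTP library in use, since those are often applied automatically rather than by the fetch code itself.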
Auth Injection Client https://www.youtube.com/watch?v=57tmGl3wLzw
Auth Injection XP (old) https://www.youtube.com/watch?v=3gkeQfCNmjo
Auth Injection Godaddy https://www.youtube.com/watch?v=8cZC35MI6D4
Auth Injection ASAFA Web https://www.youtube.com/watch?v=YvCYDtVY__8
Note for Pentesters:
When on a web application assessment, if you find XXE, SSRF, in fact any ‘external HTTP (or SMB?) interaction’ in the application, it’s always worth pointing your ‘external’ at an authentication challenge; you’ll be surprised how many applications respect ‘off domain’ or untrusted zones when asked for credentials. much pwn.
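The flip side of that note is what a defender should be looking for in egress traffic. The example below is added here and is not code from the original post: it runs two detection rules over outbound proxy records, flagging a 401 challenge that arrives from a host outside the trusted zone and, more seriously, an Authorization header that leaves for one. The JSON-lines log layout, the field names, the zone and the hosts are all constructed for the example and do not correspond to any particular proxy product.

```python
"""Detecting honoured external authentication challenges in egress proxy logs.
The log format and every host name below are constructed for this example."""
import json

# Constructed trusted zone; challenges from inside it are expected.
TRUSTED_ZONES = ("intranet.example",)

# Constructed sample egress log (JSON lines). Each record is one response
# seen by the proxy; "auth_sent" records whether the outbound request
# carried an Authorization header.
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:01Z","client":"10.0.0.5","host":"intranet.example","status":401,"www_authenticate":"Basic realm=intra","auth_sent":false}
{"ts":"2024-05-01T10:00:01Z","client":"10.0.0.5","host":"intranet.example","status":200,"www_authenticate":null,"auth_sent":true}
{"ts":"2024-05-01T10:00:02Z","client":"10.0.0.5","host":"cdn.untrusted.test","status":401,"www_authenticate":"NTLM","auth_sent":false}
{"ts":"2024-05-01T10:00:02Z","client":"10.0.0.5","host":"cdn.untrusted.test","status":200,"www_authenticate":null,"auth_sent":true}
{"ts":"2024-05-01T10:00:03Z","client":"10.0.0.7","host":"images.public.test","status":200,"www_authenticate":null,"auth_sent":false}
"""


def in_zone(host, zones=TRUSTED_ZONES):
    """Exact or subdomain match; no substring matching."""
    host = (host or "").lower().rstrip(".")
    return bool(host) and any(host == z or host.endswith("." + z) for z in zones)


def detect(log_text, zones=TRUSTED_ZONES):
    """Return a list of findings, one dict per matching record."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            findings.append({"line": n, "rule": "unparseable", "host": None,
                             "client": None, "severity": "low"})
            continue
        host = rec.get("host", "")
        if in_zone(host, zones):
            continue  # challenges and credentials inside the zone are expected
        challenge = rec.get("www_authenticate")
        if rec.get("status") == 401 and challenge:
            # An off-zone host asking for credentials: worth a look on its own.
            findings.append({"line": n, "rule": "offzone_challenge", "host": host,
                             "client": rec.get("client"),
                             "scheme": challenge.split()[0], "severity": "medium"})
        if rec.get("auth_sent"):
            # Credentials actually left for an off-zone host: treat as a leak.
            findings.append({"line": n, "rule": "credential_to_offzone", "host": host,
                             "client": rec.get("client"), "severity": "high"})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
```

The `offzone_challenge` rule on its own is low-noise context (public sites rarely send 401 with NTLM to an application server), while `credential_to_offzone` is the one that should page someone; pairing the two by client and timestamp shows which challenge the credential answered.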
Tools to assist:
SpiderLabs Responder (NTLM & Basic Auth capability + more) https://github.com/SpiderLabs/Responder
Metasploit HTTP NTLM Auth https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/capture/http_ntlm.rb
Additionally, you could be less intrusive and use image canaries; this wouldn’t yield credentials but would give insight into activity, which is better for tracking and for triggering honeypots. I’ll write more about canaries later.