Broken Brute-Force Protection, IP Block
Lab Description

Walkthrough
Step 1: Initial Observations
Upon visiting the login page, submitting arbitrary credentials repeatedly results in a rate-limiting error after multiple failed attempts, stating that you must wait 1 minute before trying again.

Step 2: Analyzing the Protection Method
By testing further, I observed:
The failure counter resets after a successful login.
If I make two failed login attempts for one user and then log in successfully as another user (wiener), the lockout counter is reset for subsequent attempts.
This behavior reveals a logic flaw in the brute-force protection:
The system resets the counter upon any successful login, regardless of which account it was for, so alternating between two users lets us bypass the lockout.
Step 3: Crafting the Attack
To exploit this logic flaw:
Use the victim's username (carlos) and attempt to brute-force their password.
Alternate the password attempts for carlos with a known valid login (wiener:peter) to avoid the lockout.
Modify the password list to repeat wiener's password after every incorrect attempt:

We take the provided password list and insert wiener's password after each line, so that every failed guess for carlos is followed by a successful login that resets the counter.
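To make the flaw from Step 2 concrete, here is an added model (not code from the lab or from this write-up) of the two lockout policies side by side: one that clears the per-IP counter on any successful login, and a hardened one that never clears the IP counter on success and also counts failures per target account. The threshold of 3, the IP addresses and carlos's placeholder password are all assumptions; the lab only says "multiple" attempts and a 1-minute wait.

```python
from collections import defaultdict

# Constructed sample accounts; carlos's password is a placeholder, not the lab's value.
USERS = {"wiener": "peter", "carlos": "PLACEHOLDER_PASSWORD"}
MAX_FAILURES = 3  # assumed threshold; the write-up only says "multiple" failed attempts


class FlawedIpLockout:
    """Models the lab's logic: one failure counter per source IP, cleared by ANY successful login."""

    def __init__(self):
        self.failures = defaultdict(int)

    def login(self, ip, username, password):
        if self.failures[ip] >= MAX_FAILURES:
            return "locked"
        if USERS.get(username) == password:
            self.failures[ip] = 0  # the flaw: a success for any account resets the IP counter
            return "ok"
        self.failures[ip] += 1
        return "fail"


class HardenedLockout:
    """Fix: the per-IP counter is never cleared by a success, and each target account also has
    its own counter, so guesses against carlos lock carlos regardless of other logins.
    (The lab's 1-minute expiry of counters is omitted from this model.)"""

    def __init__(self):
        self.ip_failures = defaultdict(int)
        self.account_failures = defaultdict(int)

    def login(self, ip, username, password):
        if self.ip_failures[ip] >= MAX_FAILURES or self.account_failures[username] >= MAX_FAILURES:
            return "locked"
        if USERS.get(username) == password:
            self.account_failures[username] = 0  # only the account that actually logged in is cleared
            return "ok"
        self.ip_failures[ip] += 1
        self.account_failures[username] += 1
        return "fail"


def run_alternating(limiter, ip="203.0.113.5", guesses=("a", "b", "c", "d", "e")):
    """Replay the write-up's pattern: one guess for carlos, then a wiener:peter login, repeated.
    Returns the outcome of each carlos attempt."""
    outcomes = []
    for guess in guesses:
        outcomes.append(limiter.login(ip, "carlos", guess))
        limiter.login(ip, "wiener", "peter")  # the "known valid login" used to reset the counter
    return outcomes
```

Against the flawed policy every carlos attempt is answered with a plain failure and the IP is never blocked; against the hardened policy the same sequence is blocked after the third failure, and carlos stays locked even from a different IP.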

Step 4: Analyzing the Output
Once the attack finishes:
Filter the results for carlos and status code 302 (Redirect). The 302 status code indicates a successful login, revealing the correct password for carlos.

And then we can see carlos's password.
