Broken Brute-Force Protection, IP Block

Lab Description

Walkthrough

Step 1: Initial Observations

  • Upon visiting the login page, entering arbitrary credentials results in a rate-limiting error after multiple failed attempts, stating that you must wait 1 minute.

Step 2 : Analyzing the protection method

By testing further, I observed:

  1. The counter resets after a successful login.

  2. If I attempt two failed logins for one user and successfully log in as another user (wiener), the lockout mechanism resets for future attempts.

This behavior reveals a logic flaw in the brute-force protection:

  • The system resets the counter upon a successful login, allowing us to alternate between two users to bypass the lockout.

Step 3: Crafting the Attack

To exploit this logic flaw:

  1. Use the victim's username (carlos) and attempt to brute-force their password.

  2. Alternate the password attempts for carlos with a known valid login (wiener:peter) to avoid the lockout.

Modify the password list to repeat wiener's password after every incorrect attempt:

We use the provided password list and modify it to use wieners password after each line to trigger a successful login

2KB
passwords.txt

Step 4: Analyzing the Output

Once the attack finishes:

  1. Filter results for carlos and status code 302 Redirect.

  2. The 302 status code indicates a successful login, revealing the correct password for carlos

And then we can see carlos's password

PreviousUsername enumeration via response timingNextUsername enumeration via account lock

Last updated

Was this helpful?