Broken brute-force protection, multiple credentials per request

Lab Description

Walkthrough

Step 1: Analyzing the Behavior

After logging in with the provided credentials (wiener:peter), I attempted to brute-force the login by iterating through the candidate passwords. However, I encountered an account lockout message, indicating a brute-force protection mechanism was in place.

Upon inspecting the login request in Burp Suite, I noticed that the username and password were sent in JSON format:

This hinted that the server might accept an array of passwords instead of a single password.

Step 2: Bypassing the Protection

To exploit this vulnerability:

  1. I modified the password field to include an array of candidate passwords:

The server responded with a 302 Found, redirecting me to Carlos's account. This confirmed that one of the passwords in the array was correct, and the system did not block the request due to brute-force protection.
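The root cause is that the login handler never checks the JSON type of the `password` field, so an array is processed as a set of guesses inside one request and one lockout counter tick. The following is an added illustration (not the lab's server code) contrasting a handler with that flaw against one that enforces scalar types and counts every malformed or failed request against the targeted account; the user store, password and lockout threshold are constructed demo values.

```python
import json
from collections import defaultdict

# Constructed demo values: a real service stores password hashes, not plaintext.
USERS = {"carlos": "demo-password-123"}
MAX_FAILED_ATTEMPTS = 3
failed_attempts = defaultdict(int)   # username -> consecutive failures


def vulnerable_login(body: str) -> int:
    """Returns an HTTP status. Reproduces the flaw: the password field is
    never type-checked, so a JSON array of guesses is tried in one request
    and, at worst, costs a single failed attempt."""
    data = json.loads(body)
    username, password = data.get("username"), data.get("password")
    if failed_attempts[username] >= MAX_FAILED_ATTEMPTS:
        return 403                      # account locked
    candidates = password if isinstance(password, list) else [password]
    if any(c == USERS.get(username) for c in candidates):
        return 302                      # redirect to the account page
    failed_attempts[username] += 1      # many guesses, one attempt counted
    return 401


def hardened_login(body: str) -> int:
    """Same contract, but each field must be exactly one string, and a
    malformed password field is charged to the account like a wrong one."""
    try:
        data = json.loads(body)
    except ValueError:
        return 400
    username, password = data.get("username"), data.get("password")
    if not isinstance(username, str):
        return 400
    if failed_attempts[username] >= MAX_FAILED_ATTEMPTS:
        return 403
    if not isinstance(password, str):
        failed_attempts[username] += 1  # arrays, objects, numbers: rejected
        return 400
    if USERS.get(username) != password:
        failed_attempts[username] += 1
        return 401
    failed_attempts[username] = 0       # successful login resets the counter
    return 302
```

Schema validation at the API boundary (string, bounded length, no other JSON types) is the general fix; the per-account counter only works once every request is guaranteed to carry one credential.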

Step 3: Verifying the Password

Since the exact password was not revealed in the response:

  1. I forwarded the request to the browser using Burp Suite's "Request in browser in original session" feature.

  2. I logged in successfully to Carlos's account.
