Hello there again, today I am exploring the topic of Broken Brute-Force Protection and IP Blocking. Where this protection is implemented incorrectly, an attacker can keep guessing credentials even though a blocking mechanism is in place. Before launching the attack, you need basic knowledge of a few things. A brute-force attack is one of the most common attacks on web applications. In this attack, an attacker uses automation software or scripts to submit a list of usernames and passwords against the login feature of a web application. The list can contain thousands of usernames and passwords, and the tooling sends them very quickly.
Developers implement brute-force protection to stop this attack. One common approach is IP blocking: the server counts failed login attempts per source IP address and, once the count passes a threshold, refuses further login requests from that address (for a period of time, or until it is unblocked).
If the developer has not implemented brute-force protection properly, the attacker can bypass it and still carry out the attack. This failed security control is known as "broken brute-force protection".
I hope you understand the concept. Let’s now see the practical implementation of this in the lab.
So, let’s solve the lab by using the credentials already given to us.
Your credentials: wiener:peter. Victim's username: carlos.
Firstly, we entered random usernames and passwords to see what kind of error the application shows. After entering random credentials, the application showed an "invalid username" error message.
We now know the error message, but we don't know how many login attempts we can make before the server reacts, because brute-force protection may be in place. To check, we send the request to Burp Repeater and resend it with wrong credentials until the response changes. This tells us both whether protection exists and how many attempts it allows.
I tried to log in twice, but when I sent the request a third time the server blocked it. This suggests that the server allows only two failed login attempts and blocks further attempts from the same IP address.
Now we could send this request to Intruder and use a list of usernames and passwords to perform a brute-force attack. But wait, how can we brute-force anything when the server blocks us after two failures? The solution is to have a valid account to log in with between guesses. The server's failed-attempt counter for our IP is reset by a successful login, so as long as we never make more than two wrong guesses in a row, we are never blocked. In this lab we were provided with the username "wiener" and password "peter", and the victim's username "carlos". We will use these credentials to perform the attack.
We cannot use the given username and password lists directly because of the server's brute-force protection, so we need to rebuild both lists so that every guess against Carlos' account is preceded by a valid login as wiener. The new username list alternates our own username "wiener" with the victim's username "carlos": wiener, carlos, wiener, carlos, and so on, one pair for every password in the wordlist.
I used ChatGPT to generate the modified lists rather than editing them by hand. Now I'm sending the request from Repeater to Intruder and marking both the username and password fields as payload positions. Then I'm selecting the attack type Pitchfork, which pairs the item at position i of the first list with the item at position i of the second list; that is what keeps every wiener lined up with peter and every carlos lined up with a guess. In the 1st payload position I'm adding the username list I just created. For the 2nd we need the password list provided in the lab, but it has to be modified to match.
I asked ChatGPT to insert "peter" before every password in the list, so the password list becomes peter, password1, peter, password2, and so on. The official list of passwords from the lab is on the right, while the modified list is on the left. Now let's add the modified list as the 2nd payload.
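To make the reason this works concrete, here is an added Python simulation (not code from the original post or from the lab) of a per-IP failed-login counter, one that resets on any successful login and one that does not, attacked with the interleaved Pitchfork lists described above. The user database (including a made-up password for carlos), the candidate wordlist, the IP addresses and the threshold of three consecutive failures are all constructed for the example.

```python
"""Constructed simulation of the interleaved-login bypass (not lab code)."""

# Constructed user database: wiener:peter comes from the lab, carlos's
# password is invented so the simulation has something to find.
USERS = {"wiener": "peter", "carlos": "hunter2"}

# Constructed stand-in for the lab's password wordlist.
CANDIDATES = ["123456", "password", "qwerty", "hunter2", "letmein"]

MAX_FAILURES = 3  # assumed: the third consecutive failure from an IP is blocked


class IpBlock:
    """Per-IP failed-login counter. With reset_on_success=True it models the
    broken protection: a successful login clears the counter for that IP."""

    def __init__(self, reset_on_success, max_failures=MAX_FAILURES):
        self.reset_on_success = reset_on_success
        self.max_failures = max_failures
        self.failures = {}
        self.blocked = set()

    def login(self, ip, username, password):
        if ip in self.blocked:
            return "blocked"
        if USERS.get(username) == password:
            if self.reset_on_success:
                self.failures[ip] = 0  # the flaw: any success wipes the count
            return "ok"
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= self.max_failures:
            self.blocked.add(ip)  # real servers unblock after a timeout; omitted here
            return "blocked"
        return "invalid"


def build_pitchfork_payloads(valid_user, valid_pass, victim, candidates):
    """Build the two Intruder lists: one valid login before every guess.
    Pitchfork pairs position i of list 1 with position i of list 2, so the
    requests go wiener:peter, carlos:guess1, wiener:peter, carlos:guess2, ..."""
    usernames, passwords = [], []
    for guess in candidates:
        usernames += [valid_user, victim]
        passwords += [valid_pass, guess]
    return usernames, passwords


def run_attack(server, ip, victim, usernames, passwords):
    """Send the paired payloads sequentially from one IP (one concurrent
    request, as with a Burp resource pool of size 1). Return the victim's
    password on a successful victim login, or None if the IP is blocked first."""
    for user, pw in zip(usernames, passwords):
        result = server.login(ip, user, pw)
        if result == "blocked":
            return None
        if result == "ok" and user == victim:
            return pw
    return None


if __name__ == "__main__":
    users, pws = build_pitchfork_payloads("wiener", "peter", "carlos", CANDIDATES)
    naive = run_attack(IpBlock(True), "10.0.0.1", "carlos",
                       ["carlos"] * len(CANDIDATES), CANDIDATES)
    interleaved = run_attack(IpBlock(True), "10.0.0.2", "carlos", users, pws)
    fixed = run_attack(IpBlock(False), "10.0.0.3", "carlos", users, pws)
    print("plain brute force vs broken block:", naive)            # None
    print("interleaved vs broken block:", interleaved)            # hunter2
    print("interleaved vs counter that ignores success:", fixed)  # None
```

The plain list is blocked on its third guess, the interleaved list against the broken counter never accumulates more than one failure and reaches carlos's password, and the same interleaved list against a counter that ignores successful logins is blocked just like the plain one. The ordering assumption in `run_attack` is the reason the Burp resource pool is set to a single concurrent request in the lab: if guesses overtake the valid logins, the counter is never reset in time.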
As you can see, one of the carlos requests returned a 302 redirect instead of the 200 response carrying the error message. That response reveals Carlos's password, and logging in with it confirms we have access to Carlos's account.
Let’s overview the entire process:
In this vulnerability, an attacker can bypass the brute-force protection by using an automation tool to send many login requests arranged so that the blocking logic never triggers. This increases the chances of the attacker logging in to a user or admin account.
Brute-force protection is implemented to prevent such attacks by automation tools.
A good first step is to use the error message the server returns for wrong credentials to determine the maximum number of login attempts allowed before you are blocked. Once you know how many attempts are allowed, you can proceed to the next step.
In our case, we found that we could attempt to log in twice before being blocked on the third attempt. We then sent the request to Intruder, marked the username and password fields and selected the Pitchfork attack type. In the first payload list we put the usernames, alternating the valid username with the victim's username, and in the second the passwords, alternating the valid password with each entry of the brute-force list, so that the valid username and password always line up at the same position and every guess is paired with the victim's username.
We also set the resource pool to one concurrent request, so the requests are sent one at a time and in order. This matters: if the requests went out in parallel, several wrong guesses could reach the server before the valid login that resets the counter, and we would be blocked.
To continue studying, check out the next lab, Username Enumeration via Account Lock; complete the current lab before moving on to the next one. Good luck!
That’s it, we’re done!
Follow us on Twitter @masaudsec.