The RSSO login page does not indicate that a user has been locked after n unsuccessful login attempts against the URL. There is no way for the end user to know that the account has been locked.
There should be a popup saying that user xyz has been locked because n login attempts were made for that login ID, rather than only "Either password or username doesn't match."
This is how other web-based applications behave.
An Insufficient Anti-Automation vulnerability occurs when a web form does not have sufficient protection against automated requests and Brute-Force attacks. This vulnerability might expose the system to two main attack vectors:
During the test, it was found that the system does not implement proper protection against automated requests and Brute-Force attacks.
In order to perform the attack, follow these steps:
- Access https://xxxxsso-uat.corp.axxxx.com/rsso/admin
- Capture a login request with an intercepting proxy (e.g. Burp Suite).
- Use a Brute-force mechanism in order to send multiple requests.
When one of the server responses comes back with a different response length, that indicates a successful login request.
The following screenshot shows over 1000 requests to the server being sent automatically:
- It is recommended to create a throttling mechanism that does not allow a user to make more than X similar sensitive requests within a time period Y (e.g. 5 requests in 2 minutes).
- It is recommended to implement an incrementing time delay mechanism upon consecutive failed logon requests attempted with the same username. For example: after 10 failed logon requests for a specific user, the server will respond with a 1 second delay. For every 10 additional failed logon attempts the delay will be incremented by a further 1 second, capped at 5-10 seconds. This will greatly impact Brute-Force attacks and won't be very noticeable to legitimate users.
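The two recommendations above, implemented together as an added example (not RSSO code): a per-client throttle of 5 sensitive requests per 2-minute window and a per-username delay that grows by 1 second for every 10 consecutive failed logons, capped at 5 seconds. The `LoginGuard` class, its policy constants and the injectable clock are assumptions for this illustration.

```python
import time
from collections import defaultdict, deque

# Policy values constructed for this example; tune them for the deployment.
THROTTLE_MAX = 5            # at most 5 similar sensitive requests ...
THROTTLE_WINDOW = 120.0     # ... per client within a 2-minute window
DELAY_STEP_FAILURES = 10    # every 10 consecutive failures adds one delay step
DELAY_STEP_SECONDS = 1.0    # size of each delay step
DELAY_CAP_SECONDS = 5.0     # delay never grows beyond the cap


class LoginGuard:
    """Tracks request rate per client and consecutive failures per username."""

    def __init__(self, now=time.monotonic):
        self.now = now                        # clock, injectable for testing
        self.requests = defaultdict(deque)    # client key -> recent request timestamps
        self.failures = defaultdict(int)      # username -> consecutive failed logons

    def allow_request(self, client_key):
        """Throttle: reject once the client exceeds THROTTLE_MAX in THROTTLE_WINDOW."""
        recent = self.requests[client_key]
        t = self.now()
        while recent and t - recent[0] >= THROTTLE_WINDOW:
            recent.popleft()                  # drop timestamps outside the window
        if len(recent) >= THROTTLE_MAX:
            return False
        recent.append(t)
        return True

    def delay_for(self, username):
        """Seconds to sleep before answering: 0 below 10 failures, +1 per further 10, capped.
        Apply the same delay path to unknown usernames so timing does not reveal valid accounts."""
        steps = self.failures[username] // DELAY_STEP_FAILURES
        return min(steps * DELAY_STEP_SECONDS, DELAY_CAP_SECONDS)

    def record_login(self, username, success):
        """Reset the counter on success; otherwise count one more consecutive failure."""
        if success:
            self.failures[username] = 0
        else:
            self.failures[username] += 1
```

In a login handler, call `allow_request` before processing, `time.sleep(delay_for(username))` before sending the response, and `record_login` after the credential check.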