
Login to RSSO does not update if user is locked

Score: 0
Status: Not Planned

The Login to RSSO link does not help to identify that the user is locked after n unsuccessful attempts at the URL. There is no way for the end user to know that the user has been locked.

There should be some popup saying that user xyz has been locked, as n attempts were made for the login ID. Either the password or the username doesn't match.

The same way we have it in other web-based applications.

Vulnerability Description

An Insufficient Anti-Automation vulnerability occurs when a web form does not have sufficient protection against automated requests and Brute-Force attacks. This vulnerability might expose the system to two main attack vectors:

  • DoS
  • Brute-Force

Vulnerability Details

During the test, it was found that the system does not implement proper protection against automated requests and Brute-Force attacks.

In order to perform the attack, follow the next steps:

When one of the server responses has a different length from the others, we know that it was a successful login request.

Screenshot

The following screenshot shows over 1000 requests to the server being sent automatically:

Recommended Rectification

  • It is recommended to create a throttling mechanism that does not allow a user to make more than X similar sensitive requests within a time interval of Y (e.g. 5 requests in 2 minutes).
  • It is recommended to implement an incremental time delay mechanism upon consecutive failed logon requests attempted with the same username. For example: after 10 failed logon requests for a specific user, the server will respond with a 1 second delay. For every 10 additional failed logon attempts the delay will be incremented by a further 1 second, capped at 5-10 seconds. This will greatly impact Brute-Force attacks and won't be very noticeable to legitimate users.
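The two rectifications listed in the report (a sliding-window throttle of X similar requests per Y seconds, and an incremental per-username delay that starts after 10 failed logons, grows by 1 second per further 10 failures and is capped) as an added Python example. This is not code from the original post, from the pentest report it quotes, or from RSSO itself; the client key, the constructed `USERS` store, the 203.0.113.x addresses and every function and constant name are this example's own assumptions. The simulation also goes one step beyond the text: it replays the same guesses from a single source and from many sources, which shows that the per-client throttle alone is sidestepped by spreading guesses over addresses, while the per-username delay keeps applying.

```python
"""Throttling plus incremental-delay protection for a login endpoint (added example)."""
import time
from collections import defaultdict, deque

# Tunables taken from the recommendation; the names are this example's own.
WINDOW_SECONDS = 120          # Y: length of the sliding window
MAX_REQUESTS_PER_WINDOW = 5   # X: similar sensitive requests allowed per window
FAILURES_PER_STEP = 10        # failed logons per 1-second delay increment
STEP_SECONDS = 1.0
MAX_DELAY_SECONDS = 5.0       # cap on the incremental delay


class LoginThrottle:
    """Tracks requests per client key and consecutive failures per username."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._requests = defaultdict(deque)   # client_key -> accepted request times
        self._failures = defaultdict(int)     # username -> consecutive failures

    def is_rate_limited(self, client_key):
        """Sliding window: the (X+1)th request within Y seconds is rejected."""
        now = self._clock()
        window = self._requests[client_key]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()                  # expire requests older than Y
        if len(window) >= MAX_REQUESTS_PER_WINDOW:
            return True                       # rejected requests are not counted
        window.append(now)
        return False

    def delay_for(self, username):
        """1 s after 10 failures, +1 s for every further 10, capped at MAX_DELAY_SECONDS."""
        steps = self._failures[username] // FAILURES_PER_STEP
        return min(steps * STEP_SECONDS, MAX_DELAY_SECONDS)

    def record_failure(self, username):
        self._failures[username] += 1

    def record_success(self, username):
        self._failures.pop(username, None)    # a good logon resets the counter


# Constructed credential store (assumption); a real service asks its identity provider.
USERS = {"alice": "correct horse battery staple"}


def handle_login(throttle, client_key, username, password, sleep=time.sleep):
    """Returns (outcome, delay_applied). The delay is paid before any answer is sent."""
    if throttle.is_rate_limited(client_key):
        return "throttled", 0.0
    delay = throttle.delay_for(username)
    sleep(delay)
    if USERS.get(username) == password:
        throttle.record_success(username)
        return "success", delay
    throttle.record_failure(username)
    return "failure", delay


def simulate_attack(attempts, seconds_between=10.0, distributed=False):
    """Replays bad passwords for 'alice' on a fake clock; no real sleeping happens.

    distributed=False sends every guess from one address, distributed=True from a
    fresh address each time, so only the per-username delay can slow it down.
    """
    fake_now = [0.0]
    throttle = LoginThrottle(clock=lambda: fake_now[0])
    results = []
    for i in range(attempts):
        client = f"203.0.113.{i}" if distributed else "203.0.113.1"
        results.append(handle_login(throttle, client, "alice", f"guess{i}",
                                    sleep=lambda s: None))
        fake_now[0] += seconds_between
    return results


if __name__ == "__main__":
    for label, run in (("single source", simulate_attack(13)),
                       ("distributed", simulate_attack(70, distributed=True))):
        outcomes = defaultdict(int)
        for outcome, _ in run:
            outcomes[outcome] += 1
        print(label, dict(outcomes), "max delay", max(d for _, d in run))
```

The single-source run is throttled from the sixth guess until the window slides, but the distributed run never is; there the tenth-onward guesses each cost the attacker an extra second, and the cap keeps a user who mistypes repeatedly from waiting indefinitely. A successful logon clears the failure count, so a legitimate user recovers immediately.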
