• Do not register here on develop.twiki.org, login with your twiki.org account.
• Use View topic Item7848 for generic doc work for TWiki-6.1.1. Use View topic Item7851 for doc work on extensions that are not part of a release. More... Close
• Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
Does this site look broken?. Use the LitterTray web for test cases.

Item7923: Make it harder to crack user account

Item Form Data

AppliesTo: Component: Priority: CurrentState: WaitingFor: TargetRelease ReleasedIn
Engine   Urgent Confirmed   patch 6.1.1

Edit Form Data

Summary:
Reported By:
Codebase:
Applies To:
Component:
Priority:
Current State:
Waiting For:
Target Release:
Released In:
 

Detail

Originally reported by Alexander Hook:
User Account Hacking

There are two reasons why I am able to hack user accounts.

  1. There is No Lockout Mechanism ( rate limit ).
  2. Weak Password Policy

Description:

There is no mitigation, defenses in any way or a lockout mechanism in the login page. A malicious minded user can continually try to brute force an account password. I have tried to input 101 passwords (100 Wrong and One original Password) and I have not been locked out, tried the correct password in the 123456789 time and it login successfully.

As I observe on other websites they have a lock out mechanism if a user tries to input 20 incorrect passwords. So you should also have a lock out mechanism for user accounts security.

Note : Password easily found by Counter Length In your case status shown 302 while counter are the same all 100 wrong passwords but in original Password have different means anyone can access easily User Account Password.

My other point is you also have a weak password policy and i am able to take any password like this ''123456789'' which is a very weak password and can easily be guessed by an attacker

Proof of concept:

Attaching screenshots as a proof of concept in which you can see that after trying many random passwords there is no lock out mechanism and also it is easily identifiable which password is the correct one of the user account.

In the screenshot

Password easily found by Counter Length In your case status shown 302 while counter are the same all 100 wrong passwords and in original Password have different means anyone can access easily User Account Password.

you can see that I use more than 100 wrong passwords but still I am able to use the right password after 100 wrong password requests. So for the security reasons there should be a lock out mechanism after trying many wrong password requests. So an attacker will not be able to hack any user account by making random password requests and you also have a weak password policy so it is easy for an attacker to hack any user account.

Steps to Reproduce :

1.Go to login form. 2.Enter any registered email with the wrong password. 3.Capture the request & Send the request to Intruder and add a Payload Marker on the password value. 4.Add the payload for the password field having a list of more than 100 passwords or more for test and start attack.

BOOM!

Impact:

1- There is no lockout mechanism Attacker can Do a lot of Try attacker Can Brute force The Victim login details as i shown in the screen shots and got full access.

2- Weak password can be set like any weak numbers like ''123456789'' as password Which is not the good password policy So due to Both Vulnerability Attacker can Brute force the login detail and Plus point is Weak password policy Attacker can Hack Any account easily due to both Vulnerabilities.

This will be fixed and released in the upcoming patch release.

-- TWiki:Main/PeterThoeny - 2020-11-16

ItemTemplate
Summary Make it harder to crack user account
ReportedBy TWiki:Main.PeterThoeny
Codebase ~twiki4, 6.1.0
SVN Range TWiki-6.1.0-trunk, Thu, 05 Nov 2020, build 30858
AppliesTo Engine
Component

Priority Urgent
CurrentState Confirmed
WaitingFor

Checkins

TargetRelease patch
ReleasedIn 6.1.1
Topic attachments
I Attachment History Action Size Date Who Comment
PNGpng twiki_1.png r1 manage 109.7 K 2020-11-16 - 04:07 PeterThoeny  
PNGpng twiki_2.png r1 manage 170.5 K 2020-11-16 - 04:07 PeterThoeny  
PNGpng twiki_3.png r1 manage 154.7 K 2020-11-16 - 04:07 PeterThoeny  
PNGpng twiki_4.png r1 manage 153.2 K 2020-11-16 - 04:07 PeterThoeny  
Topic revision: r1 - 2020-11-16 - PeterThoeny
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2021 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback