• Do not
register here on develop.twiki.org, login with your twiki.org account.
• Use Item7848
for generic doc work
for TWiki-6.1.1. Use Item7851
for doc work on extensions
that are not part of a release. More... Close
• Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
• Does this site look broken?. Use the LitterTray web for test cases.
Item7923: Make it harder to crack user account
Item Form Data
Originally reported by Alexander Hook:
User Account Hacking
There are two reasons why I am able to hack user accounts.
There is no mitigation, defenses in any way or a lockout mechanism in the login page. A malicious minded user can continually try to brute force an account password. I have tried to input 101 passwords (100 Wrong and One original Password) and I have not been locked out, tried the correct password in the 123456789 time and it login successfully.
As I observe on other websites they have a lock out mechanism if a user tries to input 20 incorrect passwords. So you should also have a lock out mechanism for user accounts security.
Note : Password easily found by Counter Length In your case status shown 302 while counter are the same all 100 wrong passwords but in original Password have different means anyone can access easily User Account Password.
My other point is you also have a weak password policy and i am able to take any password like this ''123456789'' which is a very weak password and can easily be guessed by an attacker
Proof of concept:
Attaching screenshots as a proof of concept in which you can see that after trying many random passwords there is no lock out mechanism and also it is easily identifiable which password is the correct one of the user account.
In the screenshot
Password easily found by Counter Length In your case status shown 302 while counter are the same all 100 wrong passwords and in original Password have different means anyone can access easily User Account Password.
you can see that I use more than 100 wrong passwords but still I am able to use the right password after 100 wrong password requests. So for the security reasons there should be a lock out mechanism after trying many wrong password requests. So an attacker will not be able to hack any user account by making random password requests and you also have a weak password policy so it is easy for an attacker to hack any user account.
Steps to Reproduce :
1.Go to login form.
2.Enter any registered email with the wrong password.
3.Capture the request & Send the request to Intruder and add a Payload Marker on the password value.
4.Add the payload for the password field having a list of more than 100 passwords or more for test and start attack.
1- There is no lockout mechanism Attacker can Do a lot of Try attacker Can Brute force The Victim login details as i shown in the screen shots and got full access.
2- Weak password can be set like any weak numbers like ''123456789'' as password Which is not the good password policy So due to Both Vulnerability Attacker can Brute force the login detail and Plus point is Weak password policy Attacker can Hack Any account easily due to both Vulnerabilities.
- There is No Lockout Mechanism ( rate limit ).
- Weak Password Policy
This will be fixed and released in the upcoming patch release.