<p>Hi,<br>
I found a brute forcing attack on your website.</p>
<p>A common threat web developers face is a password-guessing attack known as a brute force attack. A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you discover the one correct combination that works.</p>
<p>This login page doesn't have any protection against password-guessing attacks (brute force attacks). It's recommended to implement some type of account lockout after a defined number of incorrect password attempts. Consult Web references for more information about fixing this problem.</p>
<p>I tested 10 invalid credentials and no account lockout was detected. This means it's vulnerable to a brute forcing attack.<br>
Vuln page- Login page<br>
Steps To Reproduce</p>
<ol>
<li>First go to <a href="https://account.acronis.com" rel="nofollow">https://account.acronis.com</a>, log in with a wrong password with intercept on in Burp</li>
<li>My http request- POST /v2/auth/login HTTP/2 Host: account.acronis.com Cookie:</li>
</ol>
<p>POST /w/index.php?title=Special:UserLogin&returnto=Bugs HTTP/2<br>
Host: wiki.openstreetmap.org<br>
Cookie: wikiUserName=Mx%20attacker; wiki_session=rpfck0ajhpvs1kk3n8c8kn67c2jf2517; forceHTTPS=true<br>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0<br>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br>
Accept-Language: en-US,en;q=0.5<br>
Accept-Encoding: gzip, deflate<br>
Content-Type: application/x-www-form-urlencoded<br>
Content-Length: 237<br>
Origin: <a href="https://wiki.openstreetmap.org" rel="nofollow">https://wiki.openstreetmap.org</a><br>
Referer: <a href="https://wiki.openstreetmap.org/w/index.php?title=Special:UserLogin&returnto=Bugs" rel="nofollow">https://wiki.openstreetmap.org/w/index.php?title=Special:UserLogin&returnto=Bugs</a><br>
Upgrade-Insecure-Requests: 1<br>
Sec-Fetch-Dest: document<br>
Sec-Fetch-Mode: navigate<br>
Sec-Fetch-Site: same-origin<br>
Sec-Fetch-User: ?1<br>
Te: trailers<br>
Connection: close</p>
<p>wpName=Mx+attacker&wpPassword=xxxxxx&g-recaptcha-response=&wploginattempt=Log+in&wpEditToken=%2B%5C&title=Special%3AUserLogin&authAction=login&force=&wpLoginToken=2d8d0d422d815be75fda4ef59b5380806102a58d%2B%5C&wpForceHttps=1&wpFromhttp=1</p>
<ol start="3">
<li>send to intruder, clear $, add $ to password</li>
</ol>
<p>Recommendations<br>
[add details for how to fix or at least mitigate the issue]</p>
<p><strong>Impact</strong></p>
<p>An attacker may attempt to discover a weak password by systematically trying every possible combination of letters, numbers, and symbols until it discovers the one correct combination that works.</p>
<p>Fix-</p>
<p>It's recommended to implement some type of account lockout after a defined number of incorrect password attempts.<br>
More Details- <a href="https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks" rel="nofollow">https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks</a><br>
Best,</p>
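<p>Added example, not code from the report or from the openstreetmap-website project: an in-memory account lockout policy of the kind the report recommends, locking an account after a defined number of incorrect password attempts and refusing further checks until the lock expires. The class and method names, the thresholds, and the <code>verify</code> callback standing in for the application's real credential check are assumptions; the demonstration data is constructed.</p>

```ruby
# Added example (not code from the openstreetmap-website project): an in-memory
# account lockout policy. Names and thresholds below are assumptions chosen for
# illustration.
class AccountLockout
  MAX_FAILURES   = 5        # failed attempts allowed inside the window
  WINDOW_SECONDS = 15 * 60  # failures older than this are forgotten
  LOCK_SECONDS   = 15 * 60  # how long the account stays locked

  def initialize(clock: -> { Time.now })
    @clock = clock
    @failures = Hash.new { |h, k| h[k] = [] }  # username => [Time, ...]
    @locked_until = {}                         # username => Time
  end

  # True while the account is inside its lockout period; an expired lock is
  # cleared together with the failure history that caused it.
  def locked?(username)
    until_t = @locked_until[username]
    return false if until_t.nil?
    return true if @clock.call < until_t

    @locked_until.delete(username)
    @failures.delete(username)
    false
  end

  # Record an incorrect password. Returns :locked when this failure tripped
  # the lock, :counted otherwise.
  def record_failure(username)
    now = @clock.call
    attempts = @failures[username]
    attempts.reject! { |t| now - t > WINDOW_SECONDS }
    attempts << now
    if attempts.size >= MAX_FAILURES
      @locked_until[username] = now + LOCK_SECONDS
      return :locked
    end
    :counted
  end

  # A correct password clears the failure history.
  def record_success(username)
    @failures.delete(username)
    @locked_until.delete(username)
  end

  # Gatekeeper around the real credential check. `verify` is whatever the
  # application already uses (assumed here). While locked, the password is not
  # checked at all, so a locked account yields no signal about the guess.
  # Returns :locked, :ok or :bad_password.
  def attempt(username, password, verify)
    return :locked if locked?(username)

    if verify.call(username, password)
      record_success(username)
      :ok
    else
      record_failure(username) == :locked ? :locked : :bad_password
    end
  end
end

# Constructed demonstration: a fake clock we can advance and a toy verifier.
# Returns [results of six wrong guesses, result while locked, result after expiry].
def demo_lockout
  now = Time.at(1_700_000_000)
  clock = -> { now }
  verify = ->(user, pw) { user == "alice" && pw == "correct horse" }
  lockout = AccountLockout.new(clock: clock)

  results = 6.times.map { |i| lockout.attempt("alice", "wrong#{i}", verify) }
  # the 5th wrong guess trips the lock; the 6th is refused without checking
  after_lock = lockout.attempt("alice", "correct horse", verify)
  now += AccountLockout::LOCK_SECONDS + 1
  after_expiry = lockout.attempt("alice", "correct horse", verify)
  [results, after_lock, after_expiry]
end

puts demo_lockout.inspect if __FILE__ == $PROGRAM_NAME
```

<p>A per-account lockout on its own lets anyone lock a victim out by guessing badly on purpose, so deployments normally pair it with per-source-IP throttling and the CAPTCHA the form already carries (the <code>g-recaptcha-response</code> field), and keep the counters in shared storage rather than in the memory of one web process.</p>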