[openstreetmap/openstreetmap-website] Password login page brute force attack (#3281)
mxattacker
notifications at github.com
Thu Jul 29 13:01:39 UTC 2021
Hi,
I found a brute-forcing attack on your website.
A common threat web developers face is a password-guessing attack known as a brute force attack. A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you discover the one correct combination that works.
This login page doesn't have any protection against password-guessing attacks (brute force attacks). It's recommended to implement some type of account lockout after a defined number of incorrect password attempts. Consult Web references for more information about fixing this problem.
I tested 10 invalid credentials and no account lockout was detected. This means it's vulnerable to brute-forcing attacks.
Vulnerable page: Login page
Steps To Reproduce
1. First go to https://account.acronis.com, log in with a wrong password with intercept on in Burp
2. My HTTP request: POST /v2/auth/login HTTP/2 Host: account.acronis.com Cookie:
POST /w/index.php?title=Special:UserLogin&returnto=Bugs HTTP/2
Host: wiki.openstreetmap.org
Cookie: wikiUserName=Mx%20attacker; wiki_session=rpfck0ajhpvs1kk3n8c8kn67c2jf2517; forceHTTPS=true
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 237
Origin: https://wiki.openstreetmap.org
Referer: https://wiki.openstreetmap.org/w/index.php?title=Special:UserLogin&returnto=Bugs
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
wpName=Mx+attacker&wpPassword=xxxxxx&g-recaptcha-response=&wploginattempt=Log+in&wpEditToken=%2B%5C&title=Special%3AUserLogin&authAction=login&force=&wpLoginToken=2d8d0d422d815be75fda4ef59b5380806102a58d%2B%5C&wpForceHttps=1&wpFromhttp=1
3. Send to Intruder, clear $, add $ to password
Recommendations
[add details for how to fix or at least mitigate the issue]
**Impact**
An attacker may attempt to discover a weak password by systematically trying every possible combination of letters, numbers, and symbols until it discovers the one correct combination that works.
Fix:
It's recommended to implement some type of account lockout after a defined number of incorrect password attempts.
More details: https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks
Best,
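The lockout the report recommends, as an added example in the project's language (Ruby); this is not openstreetmap-website code, and the thresholds, class and method names are assumptions:

```ruby
# Added example, not openstreetmap-website code: an in-memory tracker that
# locks an account after MAX_ATTEMPTS failed logins inside WINDOW seconds
# (the mitigation the report recommends). Thresholds are assumed values; a
# real deployment keeps this state in a shared store and adds per-IP rate
# limiting, since locking by username alone lets anyone lock out a victim.
class LoginLockout
  MAX_ATTEMPTS = 5        # failures allowed before the account locks
  WINDOW       = 15 * 60  # seconds a failure stays counted
  LOCK_FOR     = 15 * 60  # seconds the account stays locked

  # clock is injectable so the behaviour can be tested without sleeping
  def initialize(clock = -> { Time.now })
    @clock = clock
    @failures = Hash.new { |h, k| h[k] = [] }  # username => failure times
    @locked_until = {}                          # username => Time
  end

  # True while the account is locked; an expired lock is cleared.
  def locked?(username)
    until_t = @locked_until[username]
    return false unless until_t
    return true if @clock.call < until_t
    @locked_until.delete(username)
    @failures.delete(username)
    false
  end

  # Record a wrong password. Returns :locked once the threshold is hit.
  def record_failure(username)
    now = @clock.call
    recent = @failures[username].select { |t| now - t < WINDOW }
    recent << now
    @failures[username] = recent
    return :counted if recent.size < MAX_ATTEMPTS
    @locked_until[username] = now + LOCK_FOR
    :locked
  end

  # Record a correct password so earlier failures stop counting.
  def record_success(username)
    @failures.delete(username)
    @locked_until.delete(username)
  end

  # Wrap a password check: the block (which verifies the password) is not
  # even run while locked, so a correct guess during the lock is refused.
  def attempt(username)
    return :locked if locked?(username)
    return record_failure(username) unless yield
    record_success(username)
    :ok
  end
end
```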
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/3281