Account lockout: Security or Vulnerability
Introduction:
First of all, “Account Lockout” is a security mechanism, usually implemented as a subroutine of the authentication code. Web applications use it as a kind of electronic gate pass.
Account lockout is a good way to reduce risk. If a person makes an attempt with a bad password, after a certain number of bad attempts the account gets locked out. Many systems automatically unlock the account after a certain amount of time.
Attack:
The account lockout attack is an attack on the client, not the server. It causes the victim’s account to be locked, so the victim cannot access it for a period of time; this causes disruption, and if timed well it can prove very effective. In an account lockout attack, the attacker attempts to lock out all user accounts, typically by failing login more times than the threshold defined by the authentication system. For example, if users are locked out of their accounts after three failed login attempts, an attacker can lock out an account simply by failing login three times against it. This attack can result in a large-scale denial of service if all user accounts are locked out, especially if the amount of work required to reset the accounts is significant.
Who is the Target?
Sites that operate an account lockout feature based on the number of incorrect logins in a certain period of time are vulnerable. Note that this only works when the system locks the username, not the attempting IP address; otherwise all you are doing is blocking yourself out. Sites employ this lockout feature to prevent brute-force attacks on passwords, an even more severe attack.
Methods of Attack:
- API Abuse
- Flooding
- Brute Force
Ways of Attack:
- First, the hacker submits wrong passwords for the targeted username until that account gets locked.
- Second, by editing the cookie: the hacker attempts one login, then finds the cookie “logins_incorrect=1” or similar and changes the value to 999, or any number above the limit. This data is then sent back to the server and stored in the database, so the user is locked out everywhere.
- Third, the hacker could write a script to simultaneously lock out every username in the database. Of course, this needs a username list, but most forums and CMSs have the member list ready to copy. This is most disruptive when performed at the company’s busiest times, such as New Year.
Procedure of a successful attack:
# First Phase:
- Analyze system documentation to find list of events that could potentially cause account lockout
- Obtain user account in system and attempt to lock it out by sending malformed or incorrect data repeatedly
- Determine another user’s login ID, and attempt to brute force the password (or other credentials) for it a predetermined number of times or until the system provides an indication that the account is locked out.
# Second Phase:
- Obtain list of authorized users using another attack pattern, such as SQL Injection.
- Attempt to create accounts if possible; system should indicate if a user ID is already taken.
- Attempt to brute force user IDs if system reveals whether a given user ID is valid or not upon failed login attempts.
# Third Phase:
- For each user ID to be locked out, perform the lockout procedure discovered in the first step.
Solutions:
- Do not provide any indication to users that their accounts are locked out. Provide a simple error message such as: “Login failed. Try again or contact your administrator” regardless of why a login attempt fails.
- Avoid providing any indication regarding the validity of user IDs upon failed login attempts. Provide a simple error message such as: “Login failed. Try again or contact your administrator” regardless of why a login attempt fails.
- Build an authentication mechanism that blocks after N tries from a given IP address (the address from which the login attempts were made), rather than locking the account itself.
- To minimize the possibility of blocking the owner’s own account, take other characteristics into consideration as well, such as User-Agent or X_FORWARDED_FOR (if it is present).
- Moreover, after N login attempts but before blocking, you may include an additional verification step by comparing data entered by the user with data displayed to him/her in a picture (CAPTCHA).
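The following login handler, added here as an illustration and not taken from the original post, puts the solutions above together: one generic error message for every failure outcome, failure counters kept server-side and keyed on the requesting source (IP combined with User-Agent and X-Forwarded-For) rather than on the account, a CAPTCHA demand after N failures, and an outright block only after a higher threshold. The thresholds, the `LoginService` class and its `attempt_login` method, and the sample user table are all assumptions made for this example; a real deployment would keep the counters in shared storage (for example a cache) rather than in process memory.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple

# One message for every failure outcome (unknown user, wrong password,
# throttled source, missing CAPTCHA), so the response reveals nothing
# about why the attempt failed or whether the username exists.
GENERIC_ERROR = "Login failed. Try again or contact your administrator"

CAPTCHA_AFTER = 3      # failures from one source before a CAPTCHA is required (assumed)
BLOCK_AFTER = 6        # failures from one source before it is blocked outright (assumed)
WINDOW_SECONDS = 600   # sliding window in which failures are counted (assumed)
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password hash; the same function is used for real and dummy records."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LoginService:
    def __init__(self, users: Dict[str, Tuple[bytes, bytes]],
                 clock: Callable[[], float] = time.time) -> None:
        self._users = users          # username -> (salt, hash); constructed sample data
        self._clock = clock          # injectable clock so the window can be tested
        # Failure timestamps keyed by the *source* of the attempts, never by the
        # account, so guessing a victim's password cannot lock the victim out.
        self._failures: Dict[str, List[float]] = defaultdict(list)
        # Dummy credential so unknown usernames cost the same time as real ones
        # (avoids user enumeration through response timing).
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_password("dummy-password", self._dummy_salt)

    @staticmethod
    def source_key(ip: str, user_agent: str, forwarded_for: Optional[str] = None) -> str:
        """Combine IP with User-Agent and X-Forwarded-For (when present) so one
        shared NAT address does not throttle every legitimate user behind it."""
        raw = "|".join([ip, user_agent, forwarded_for or ""])
        return hashlib.sha256(raw.encode()).hexdigest()

    def recent_failures(self, key: str) -> int:
        """Drop timestamps outside the window and return how many remain."""
        cutoff = self._clock() - WINDOW_SECONDS
        self._failures[key] = [t for t in self._failures[key] if t > cutoff]
        return len(self._failures[key])

    def attempt_login(self, username: str, password: str, ip: str, user_agent: str,
                      forwarded_for: Optional[str] = None, captcha_ok: bool = False) -> dict:
        key = self.source_key(ip, user_agent, forwarded_for)
        failures = self.recent_failures(key)

        if failures >= BLOCK_AFTER:
            # Source is blocked; keep counting so the block extends while it persists.
            self._failures[key].append(self._clock())
            return {"ok": False, "error": GENERIC_ERROR, "captcha_required": True}

        if failures >= CAPTCHA_AFTER and not captcha_ok:
            # Extra verification step before blocking; the credential is not
            # even checked until a CAPTCHA is solved.
            return {"ok": False, "error": GENERIC_ERROR, "captcha_required": True}

        salt, stored = self._users.get(username, (self._dummy_salt, self._dummy_hash))
        valid = hmac.compare_digest(hash_password(password, salt), stored)
        if valid and username in self._users:
            self._failures.pop(key, None)   # a success clears this source's counter
            return {"ok": True, "error": None, "captcha_required": False}

        self._failures[key].append(self._clock())
        # Tell the UI to render a CAPTCHA on the next try once the threshold is hit.
        return {"ok": False, "error": GENERIC_ERROR,
                "captcha_required": len(self._failures[key]) >= CAPTCHA_AFTER}


if __name__ == "__main__":
    salt = os.urandom(16)
    svc = LoginService({"alice": (salt, hash_password("correct horse", salt))})
    for _ in range(4):   # constructed: repeated bad guesses from one source
        print(svc.attempt_login("alice", "wrong", "203.0.113.5", "curl/8"))
    # The account itself is never locked: alice still logs in from her own source.
    print(svc.attempt_login("alice", "correct horse", "198.51.100.7", "Mozilla/5.0"))
```

Note that the counter lives only on the server and is never echoed to the client, which removes the cookie-tampering route entirely, and that an unknown username, a wrong password, a CAPTCHA demand and a blocked source all produce the identical response body.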
Conclusion:
- Needed Hacking skill or knowledge: Low
- Risk of successful attack: High
- Result of attack: Denial of Service