Account lockout: Security or Vulnerability
ShareIntroduction:
First of all, “Account Lockout” is a security mechanism. It is also a subroutine. This mechanism uses on web application to Electronic gate-pass.
Account lockout is a good way to reduce risk. If a person makes an attempt with a bad password, after a certain number of bad attempts the account will get locked out. Many systems can unlock the account out after a certain amount of time.
Attack:
The account lockout attack is an attack on the client, not the server. It causes the victim’s account to be locked and unable to access it for a period of time causing disruption and if used at the right time can prove very effective. In an account lockout attack, the attacker attempts to lockout all user accounts, typically by failing login more times than the threshold defined by the authentication system. For example, if users are locked out of their accounts after three failed login attempts, an attacker can lock out their account for them simply by failing login three times. This attack can result in a large scale denial of service attack if all user accounts are locked out, especially if the amount of work required to reset the accounts is significant.
Who is the Target?
Sites that operate an account lockout feature depending on incorrect logins in a certain period of time are vulnerable. Note this only works when the system locks the username not the attempting IP address. As otherwise all you are doing is blocking your self out. Sites employ this lockout feature to prevent bruteforce attacks on passwords, an even more severe attack.
Methods of Attack:
- API Abuse
- Flooding
- Brute Force
Ways of Attack:
- First one, Hacker will submit wrong password to system according to targeted username until that account get locked.
- Second one, by editing the cookie, hacker will attempt one login, then find the cookie “logins_incorrect=1″ or similar, and change the value to 999, or any number above the limit. This data will then be sent back to the server and stored in the database so the user will be locked out everywhere.
- Third one, hacker could write a script to simultaneously lockout every username in the database, of course here he will need a username list but most forums and CMS’s have the memberlist ready to copy. This is most disruptive when performed at the company’s busiest times such as New-Year.
Procedure of a successful attack:
# First Phase:
- Analyze system documentation to find list of events that could potentially cause account lockout
- Obtain user account in system and attempt to lock it out by sending malformed or incorrect data repeatedly
- Determine another user’s login ID, and attempt to brute force the password (or other credentials) for it a predetermined number of times or until the system provides an indication that the account is locked out.
#Second Phase:
- Obtain list of authorized users using another attack pattern, such as SQL Injection.
- Attempt to create accounts if possible; system should indicate if a user ID is already taken.
- Attempt to brute force user IDs if system reveals whether a given user ID is valid or not upon failed login attempts.
#Third Phase:
- For each user ID to be locked out, perform the lockout procedure discovered in the first step.
Solutions:
- Do not provide any indication to users that their accounts are locked out. Provide a simple error message such as: “Login failed. Try again or contact your administrator” regardless of why a login attempt fails.
- Avoid providing any indication regarding the validity of user IDs upon failed login attempts. Provide a simple error message such as: “Login failed. Try again or contact your administrator” regardless of why a login attempt fails.
- Build authentication mechanism, which will block account after N tries for a given IP address, from which log in attempt was conducted.
- To minimize possibility of blocking owner`s account we may take under consideration other characteristics like User-Agent or X_FORWARDED_FOR (if it’s present).
- Moreover after N login attempts, but before blocking the account, you may include additional verification by comparing data entered by the user and data displayed to him/her on the picture (CAPTCHA).
Conclusion:
- Needed Hacking skill or knowledge: Low
- Risk of successful attack: High
- Result of attack: Denial of Service
CRLF or HTTPRS: Carriage Return and Line Feed/ HTTP Response Splitting.
Share##Introduction:
After a long time, I am writing about a new thing, new thing cause I’ve learned it last night. Visited couple of sites from last night, and wondering that how I was in dark about “Carriage Return and Line Feedâ€.
##Description:
CRLF injection attacks are not as well known as some other attacks, but when used against vulnerable applications, CRLF injections can be just as effective and devastating .It is fairly simple, yet extremely powerful web attack.  Hackers are actively exploiting this web application vulnerability to perform a large variety of attacks that include XSS cross-site scripting, cross-user defacement, positioning of client's web-cache, hijacking of web pages, defacement and a myriad of other related attacks.  A number of years ago a number of CRLF injection vulnerabilities were also discovered in Google’s Adwords web interface.
Link: Â www.hackingspirits.com/vuln-rnd/adwords-crlf-injection.pdf
CRLF Â is a very significant sequence of characters for programmers. These two special characters represent the End Of Line (EOL) marker for many Internet protocols, including, but not limited to MIME (e-mail), NNTP (newsgroups) and more importantly HTTP. Â When programmers write code for web applications they split headers based on where the CRLF is found. If a malicious user is able to inject his own CRLF sequence into an HTTP stream, he is able to maliciously control the way a web application functions.
The essence of HTTP Response splitting is the attacker's ability to send a single HTTP request that forces the web server to form an output stream, which is then interpreted by the target as two HTTP responses instead of one response, in the normal case. The first response may be partially controlled by the attacker, but this is less important. What is material is that the attacker completely controls the form of the second response from the HTTP status line to the last byte of the HTTP response body. Once this is possible, the attacker realizes the attack by sending two requests through the target. The first one invokes two responses from the web server, and the second request would typically be to some "innocent" resource on the web server. However, the second request would be matched, by the target, to the second HTTP response, which is fully controlled by the attacker. The attacker, therefore, tricks the target into believing that a particular resource on the web server (designated by the second request) is the server's HTTP response (server content), while it is in fact some data, which is forged by the attacker through the web server - this is the second response.
HTTP Response Splitting attacks take place where the server script embeds user data in HTTP response headers. This typically happens when the script embeds user data in the redirection URL of a redirection response (HTTP status code 3xx), or when the script embeds user data in a cookie value or name when the response sets a cookie.
In the first case, the redirection URL is part of the Location HTTP response header, and in the second cookie setting case, the cookie name/value is part of the Set-Cookie HTTP response header.
The essence of the attack is injecting CRs and LFs in such manner that a second HTTP message is formed where a single one was planned for by the application. CRLF injection is a method used for several other attacks which change the data of the single HTTP response send by the application, but in this case, the role of the CRLFs is slightly different - it is meant to terminate the first (planned) HTTP response message, and form another (totally crafted by the attacked, and totally unplanned by the application) HTTP response message (hence the name of the attack). This injection is possible if the application (that runs on top of the web server) embeds un-validated user data in a redirection, cookie setting, or any other manner that eventually causes user data to become part of the HTTP response headers.
With HTTP Response Splitting, it is possible to mount various kinds of attacks:
#Cross-User Defacement
An attacker can make a single request to a vulnerable server that will cause the sever to create two responses, the second of which may be misinterpreted as a response to a different request, possibly one made by another user sharing the same TCP connection with the sever. This can be accomplished by convincing the user to submit the malicious request themselves, or remotely in situations where the attacker and the user share a common TCP connection to the server, such as a shared proxy server.
In the best case, an attacker can leverage this ability to convince users that the application has been hacked, causing users to lose confidence in the security of the application.
In the worst case, an attacker may provide specially crafted content designed to mimic the behavior of the application but redirect private information, such as account numbers and passwords, back to the attacker.
#Cache Poisoning
The impact of a maliciously constructed response can be magnified if it is cached either by a web cache used by multiple users or even the browser cache of a single user. If a response is cached in a shared web cache, such as those commonly found in proxy servers, then all users of that cache will continue receive the malicious content until the cache entry is purged. Similarly, if the response is cached in the browser of an individual user, then that user will continue to receive the malicious content until the cache entry is purged, although the user of the local browser instance will be affected.
#Cross-Site Scripting
Once attackers have control of the responses sent by an application, they have a choice of a variety of malicious content to provide users. Cross-site scripting is common form of attack where malicious JavaScript or other code included in a response is executed in the user's browser.
The variety of attacks based on XSS is almost limitless, but they commonly include transmitting private data like cookies or other session information to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user's machine under the guise of the vulnerable site.
The most common and dangerous attack vector against users of a vulnerable application uses JavaScript to transmit session and authentication information back to the attacker who can then take complete control of the victim's account.
#Page Hijacking
In addition to using a vulnerable application to send malicious content to a user, the same root vulnerability can also be leveraged to redirect sensitive content generated by the server and intended for the user to the attacker instead. By submitting a request that results in two responses, the intended response from the server and the response generated by the attacker, an attacker can cause an intermediate node, such as a shared proxy server, to misdirect a response generated by the server for the user to the attacker.
Because the request made by the attacker generates two responses, the first is interpreted as a response to the attacker's request, while the second remains in limbo. When the user makes a legitimate request through the same TCP connection, the attacker's request is already waiting and is interpreted as a response to the victim's request. The attacker then sends a second request to the server, to which the proxy server responds with the server generated request intended for the victim, thereby compromising any sensitive information in the headers or body of the response intended for the victim.
##Proof-Of-Concept:
Header Injection:
Vulnerable document is “rdt.phpâ€
Injected Header Data:
</p> <p>%0d%0aContent-Type: text/html%0d%0aHTTP/1.1 200 OK%0d%0aContent-Type: text/html%0d%0a%0d%0a%3Chtml%3E%3Cfont color=red%3Ehey%3C/font%3E%3C/html%3E</p> <p>
If the user follows the link, the HTTP request will look like:
</p> <p>GET /rdt.php?page=%0d%0aContent-Type: text/html%0d%0aHTTP/1.1 200 OK%0d%0aContent-Type: text/html%0d%0a%0d%0a%3Chtml%3E%3Cfont color=red%3Ehey%3C/font%3E%3C/html%3E HTTP/1.1\r\n</p> <p>Host: abc.org\r\n</p> <p>User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2\r\n</p> <p>Accept: text/xml,application/xml,application/xhtml xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n</p> <p>Accept-Language: en-us,en;q=0.5\r\n</p> <p>Accept-Encoding: gzip,deflate\r\n</p> <p>Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n</p> <p>Keep-Alive: 300\r\n</p> <p>Connection: keep-alive\r\n</p> <p>\r\n</p> <p>
##Fix:
The CRLF vulnerability is extremely easy to patch. The following code example assumes the input is set to “$_POST['input']â€
</p>
<p>if (eregi('n', $_POST['input'])) //This checks for the new line character in the POST variable</p>
<p>{ //start if..</p>
<p>die("CRLF Attack Detected"); //exit program if CRLF is found in the variable</p>
<p>} //end if..</p>
<p>
##Conclusion:
“Carriage Return and Line Feed†will be famous Attack Method for next generation. Because it not well-known to people. Everybody keeps eyes on SQLi or on XSS. But in upcoming times, it will hard to find a SQLi/XSS vulnerable site or Web-app.
## References:
**Web Sites
**Books
**Blogs
SQL injection: attacks and defenses.
Share***Introduction:
This is awesome that attackers are using several methods to get into some restricted part of web applications. They are discovering new methods day by day.
But SQL injection is now widely spreading method to hack your web sites or web apps.
So here is the question, what is SQL injection?
## SQL injection is a code injection technique that helps attacker to get some vulnerable information from your database. Actually it happens on database layer. This vulnerability occurs on PHP and ASP scripts for mistake of its coder.
***Where and why this vulnerability happens:
## Your coder may forget or lazy to handle SQL query errors.
## Where malicious users can insert SQL syntax on form requests.
## Forget to filter SQL syntax.
## Can not determine type of SQL query string.
## This attack can be perform on anywhere of your application, even attacker don’t have to get a privileged account.
## Attack can be performing via cookie.
## Those dynamic pages which only pulls data from database directly.
## This vulnerability may be causes by your database server also.
***Types of SQL injection:
There are two types of SQL injection.
1.Injection into the variables that contain strings.
2.Injection into numeric variables.
Both are different than each other. I will describe about both and also how to avoid them.
*** 1. Injection into the variables that contain strings.
## Vulnerable code:
OK, just imagine that you wrote an application that have a page that fetches member’s credits according to his login name. The username will gone one page to another via URL, actually method of $_ GET [‘variable’];
$cred = $_GET['name'];
$result = mysql_query("SELECT credit FROM user WHERE username='$cred'");
This script has SQL injection vulnerability. An attacker can abuse it, just putting a SQL query beside the username in URL.
‘ UNION SELECT password FROM admin WHERE id=1
This will pull password of an admin user who has id number 1 as an example.
## Solution:
To avoid this type of attack is very simple. So many times it has been described by so many security experts. You have to use a function mysql_real_escape_string().What does it do? mysql_real_escape_string() function adds “\â€Â to following characters:
NULL, \ x00, \ n, \ r, \, ', " and \ X1A
So, look out that vulnerable code with mysql_real_escape_string() .
//
$cred = mysql_real_escape_string( $_GET['name']);
$result = mysql_query("SELECT credit FROM user WHERE username='$cred'");
This page is completely secure now.
## Attack again:
Now an attacker will attack on it like before.
‘ UNION SELECT password FROM admin WHERE id=1
But after using mysql_real_escape_string() funtion, this query looks like this.
\’ UNION SELECT password FROM admin WHEREÂ id=1
There is “\†character just added because of mysql_real_escape_string().
Somebody will advice you to use addslashes() function. But this function has some limitations.
##Please read these topics from PHP manual:
http://www.php.net/manual/en/function.addslashes.php
and
http://www.php.net/manual/en/mysqli.real-escape-string.php
and also.
http://www.php.net/manual/en/function.pg-escape-string.php
*** 2. Injection into numeric variables.
These types of SQL attacks are less know than first one. And not so well described by security experts. But it also comes with same disaster on your web applications.
## Vulnerable code:
Now time to describe this attack. Imagine again, you wrote a page that will display user’s credit according to his user id. The user id will gone one page to another via form posting, actually method of $_ POST [‘variable’];
$id = $_POST['id'];
$result = mysql_query("SELECT credit FROM user WHERE id=$id");
On this situation mysql_real_escape_string() will not protect you from SQL injection attack. Because now the $id variable is not quoted. This variable is containing numerical value. Now an attacker will use this type of SQL query.
2 UNION SELECT password FROM admin WHERE id=1
So, how could you protect web application from this attack? There are two things you can do.
1. You can change content to number, so that your variable will hold only numerical content.
2. You can check if the content is numerical then it may proceed to make a query.
## Solution:
To avoid this type of attack you can use these functions.
A. intval() function.
B. is_numeric() function.
Here I am describing about the benefit of intval() function.
// // $var='7ack3r'; //variable contain alphanumerical content $var2=intval($var); // filtered by intval() print $var2; // this will print only 7
Now you can change your code as like below.
$id = intval($_POST['id']);
$result = mysql_query("SELECT credit FROM user WHERE id=$id");
Yap, you have done your job. This will secure your web applications more than enough.
Now, I am going to describe the function name is_numeric().This function will check, is your variable contains a numerical content?
$id = $_POST['id'];
if (is_numeric($id))
{
$result = mysql_query("SELECT credit FROM user WHERE id=$id");
}
else
{
log_the_attack(); //this function will log all the information eg: ip, browser, time, date etc
echo "Ha ha ha, trying do something with me dude? You are logged honey";
}
function log_the_attack()
{
// bla bla bla
}
Here a question will arise that “What can I do now, what will use…. Intval() or is_numeric() ?â€
Answer will be “Its up to you, intval() is easy and saves the coding time but is_numeric() may kills some time. But this will help you to keep all the attack logsâ€.
Please read details from here:
1. http://www.php.net/manual/en/function.is-numeric.php
2. http://www.php.net/manual/en/function.intval.php
*** Conclusions:
Finally I am going finish this article. If you follow these steps, your application will be secure.
## Verify data types of all non-string user inputs.
## Escape all string inputs.
## Keep track of security violation attempts.
## Limit SQL user rights.
## Take database backups.
## Double check your codes.
## Always keep updated your database server.
###################
I AM CONFESSING THAT, I AM BAD IN ENGLISH.
IF I WROTE ANY WRONG INFORMATION IN MY ARTICLE, PLEASE INFORM ME .
###################
