How I bypassed the “maximum three incorrect login” policy?
We all have had the moment when we create accounts on various websites, barely use them, and then, when we try to log back in, hit the rule that you only get three to five login attempts; if those are wrong, the account gets locked out. Sometimes it's a bit frustrating, because you know that with six or seven tries you would get the password right, but instead you have to go through the whole "forgot my password" process: open your email, check for the one-time password and so on.
I am still fine with it if it keeps my account secure from malicious entities, but what irritates me the most is when ill-intentioned people bypass these rules with ease while everyday users face such hardships. This is exactly what happened when I was searching for a bug on the login page of www.example.com.
So let’s hack
So, www.example.com has the amazing feature that you can't carry out more than three incorrect logins in one go; if you do, the account gets locked. This is a great feature that stops newbie hackers from brute-forcing a user's password.
To check whether this system really provided the security it claims, I turned on Burp Suite and routed my traffic through it as a proxy. The first time I logged in with wrong credentials, it presented me with this.
It was pretty impressive on the user-facing side, but the ugly part showed up in Burp Suite.
Finding the vulnerability
When I checked the request it sent to the server, I was presented with this.
The number of failed attempts was right there in the POST request being sent to the server. Now I was curious whether I could change the number of attempts and still have the request accepted as valid, and voila!
Testing with the values
The value for the number of attempts was right in front of me to manipulate. I changed the value in the POST request, forwarded it, and it worked like a charm. After that, no matter how many attempts I wanted to make, the server allowed them all; all I had to do was edit the POST request, and the server could not tell how many times I had previously tried to log in.
Moral & Tips
The web developer made one mistake: including the login attempt count in the POST request. Even though it is a hidden parameter, tools like Burp Suite make it trivial to manipulate such parameters.
The solution to such a problem can be:
i) Blockchain can be used to maintain a log of each and every login, rendering such attacks meaningless.
ii) Parameters related to security checks should never be handled on the client side. It does not matter whether the parameter is hidden or not: anything on the client side can be manipulated, and the whole purpose of the security control is easily defeated.
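To make the mistake and the fix concrete, here is an added example (my own illustration, not code from the original post or from www.example.com). It models the login handler the post describes in two forms: a vulnerable version whose lockout decision depends on an `attempts` field supplied by the client in the POST body, and a hardened version that keeps the failure counter server-side, keyed by account, so nothing in the request body can influence it. The function names, the demo account, the lockout window and the request dictionaries are all constructed for this example.

```python
# Added example, not code from the original post. Models the client-trusted
# attempt counter described in the post beside a server-side lockout.
# Names, the demo account and the request dicts are constructed here.
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Optional

MAX_FAILED = 3             # the post's "maximum three incorrect logins"
LOCKOUT_SECONDS = 15 * 60  # assumed lockout window for the hardened version

# Constructed demo credential store: username -> PBKDF2 hash of the password.
_SALT = b"constructed-demo-salt"


def _pbkdf2(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


USERS = {"alice": _pbkdf2("correct-horse-battery")}


def check_password(username: str, password: str) -> bool:
    """Constant-time comparison against the stored hash; unknown users fail."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _pbkdf2(password))


def vulnerable_login(form: dict) -> str:
    """Mirrors the bug in the post: the lockout check reads an 'attempts'
    field that the client itself supplies, so the client controls it."""
    if int(form.get("attempts", 0)) >= MAX_FAILED:
        return "locked"
    if check_password(form.get("username", ""), form.get("password", "")):
        return "ok"
    # The server relies on the client to send attempts+1 next time.
    return "invalid"


@dataclass
class ServerSideLockout:
    """Hardened version: failure counts live on the server, keyed by account.
    The request body has no say in how many failures have happened."""
    failures: dict = field(default_factory=dict)  # username -> (count, locked_until)

    def login(self, form: dict, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        username = form.get("username", "")
        count, locked_until = self.failures.get(username, (0, 0.0))

        if now < locked_until:
            return "locked"            # still inside the lockout window
        if locked_until and now >= locked_until:
            count = 0                  # window expired: start a fresh count

        if check_password(username, form.get("password", "")):
            self.failures.pop(username, None)   # success clears the counter
            return "ok"

        count += 1
        if count >= MAX_FAILED:
            self.failures[username] = (count, now + LOCKOUT_SECONDS)
            return "locked"
        self.failures[username] = (count, 0.0)
        return "invalid"


def demo() -> dict:
    """Runs both handlers against the same sequence of constructed requests."""
    bad = {"username": "alice", "password": "wrong", "attempts": 0}
    good = {"username": "alice", "password": "correct-horse-battery"}
    # Vulnerable handler: with attempts pinned at 0 it never locks.
    vuln = [vulnerable_login(bad) for _ in range(10)]
    # Hardened handler: locks on the third failure and stays locked until
    # the window passes, even for the correct password.
    store = ServerSideLockout()
    hard = [store.login(bad, now=1000.0) for _ in range(4)]
    hard.append(store.login(good, now=1000.0))
    hard.append(store.login(good, now=1000.0 + LOCKOUT_SECONDS))
    return {"vulnerable": vuln, "hardened": hard}


if __name__ == "__main__":
    print(demo())
```

The hardened handler keys the counter by account, which is what the post's fix calls for; a practitioner would also combine it with per-source rate limiting and an alert on repeated failures for one account, since a per-account lock on its own can be triggered against a legitimate user by anyone who knows the username.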
If you enjoyed it please do clap and happy hacking!
Twitter : twitter.com/aditya12anand
LinkedIn : linkedin.com/in/aditya12anand/
E-mail : [email protected]