Broken Authentication : Bruteforce

A brute force attack uses trial-and-error to guess login info, encryption keys, or find a hidden web page. Hackers work through all possible combinations hoping to guess correctly.

Exploitation

This login form doesn't have any brute-force protection, which allows us to brute-force a user's credentials.

There are a lot of tools for brute-forcing a login form, but we will use Burp Suite Intruder here. We will enter the invalid credentials test:test, intercept the request in Burp Suite, and then send the request to Intruder.

For this purpose, we will choose the Cluster Bomb attack type, since we are going to brute-force both the username and the password, and then load our wordlists in the Payloads section.

As you can see, admin:admin returned a different status code (302), which means we found valid credentials.

We will attempt to log in with the credentials admin:admin.

Great! We have logged in as admin.

Mitigations

  • Account lockout policy
  • CAPTCHAs on the login form
  • Multi-factor authentication
  • Progressive delays between failed attempts
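As an added example (not code from the original post), here is a minimal server-side throttle that implements two of the mitigations above, progressive delays and account lockout, together with a replay showing how few guesses from a wordlist burst like the Intruder run above actually reach the password check. The thresholds and the wordlist are assumed and constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass
class LoginThrottle:
    """Per-account failed-login tracker: progressive delay, then lockout.
    Thresholds are illustrative (assumed for this example, not from the post)."""
    base_delay: int = 1          # seconds to wait after the first failure
    max_delay: int = 60          # cap for the progressive delay
    lockout_threshold: int = 10  # failures before the account is locked
    lockout_seconds: int = 900   # how long a lockout lasts
    failures: dict = field(default_factory=dict)       # username -> failed count
    blocked_until: dict = field(default_factory=dict)  # username -> epoch seconds

    def delay_for(self, count: int) -> int:
        # Doubles with each consecutive failure: 1, 2, 4, 8, ... up to max_delay.
        return 0 if count == 0 else min(self.base_delay * 2 ** (count - 1), self.max_delay)

    def check(self, username: str, now: int) -> tuple:
        """Return (allowed, seconds_to_wait); call this before verifying the password."""
        until = self.blocked_until.get(username, 0)
        return (True, 0) if now >= until else (False, until - now)

    def record_failure(self, username: str, now: int) -> None:
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        wait = self.lockout_seconds if count >= self.lockout_threshold else self.delay_for(count)
        self.blocked_until[username] = now + wait

    def record_success(self, username: str) -> None:
        # A correct login resets the counters so legitimate users are not penalised forever.
        self.failures.pop(username, None)
        self.blocked_until.pop(username, None)


def simulate(throttle: LoginThrottle, guesses: list, valid: set) -> int:
    """Replay one guess per second against the throttle and return how many
    guesses actually reached the password check. `valid` holds correct pairs."""
    checked = 0
    for now, (user, pw) in enumerate(guesses):
        allowed, _ = throttle.check(user, now)
        if not allowed:
            continue  # rejected before any password comparison happens
        checked += 1
        if (user, pw) in valid:
            throttle.record_success(user)
        else:
            throttle.record_failure(user, now)
    return checked


# Constructed wordlist-style burst: 100 wrong guesses for "admin", one per second.
WRONG_GUESSES = [("admin", f"password{i}") for i in range(100)]
```

With the defaults, only 7 of the 100 guesses reach the password check; with no progressive delay (`base_delay=0`) the lockout alone still stops the burst after 10.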

This post is licensed under CC BY 4.0 by the author.