Testing
Validate if the user account will lock after a number of attempts (like 3, 5, 10, etc.).
IMPORTANT: BRUTEFORCE IS NOT ALWAYS ALLOWED WITHIN CONTRACTS
Use Burp Intruder.
To evaluate the account lockout mechanism’s ability to mitigate brute force password guessing, attempt an invalid log in by using the incorrect password a number of times, before using the correct password to verify that the account was locked out. An example test may be as follows:
- Attempt to log in with an incorrect password 3 times.
- Successfully log in with the correct password, thereby showing that the lockout mechanism doesn’t trigger after 3 incorrect authentication attempts.
- Attempt to log in with an incorrect password 4 times.
- Successfully log in with the correct password, thereby showing that the lockout mechanism doesn’t trigger after 4 incorrect authentication attempts.
- Attempt to log in with an incorrect password 5 times.
- Attempt to log in with the correct password. The application returns “Your account is locked out.”, thereby confirming that the account is locked out after 5 incorrect authentication attempts.
- Attempt to log in with the correct password 5 minutes later. The application returns “Your account is locked out.”, thereby showing that the lockout mechanism does not automatically unlock after 5 minutes.
- Attempt to log in with the correct password 10 minutes later. The application returns “Your account is locked out.”, thereby showing that the lockout mechanism does not automatically unlock after 10 minutes.
- Successfully log in with the correct password 15 minutes later, thereby showing that the lockout mechanism automatically unlocks after a 10 to 15 minute period.
Reporting
CVSS Score v3 | 6.1 (Medium) |
CVSS Vector v3 | https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N&version=3.1 |
English
Title | No account lockout / anti-bruteforce mechanism |
Description | Account lockout mechanisms are used to mitigate brute force password guessing attacks. Accounts are typically locked after 3 to 5 unsuccessful login attempts and can only be unlocked after a predetermined period of time, via a self-service unlock mechanism, or intervention by an administrator. Account lockout mechanisms require a balance between protecting accounts from unauthorized access and protecting users from being denied authorized access. Despite it being easy to conduct brute force attacks, the result of a successful attack is dangerous as the attacker will have full access on the user account and with it all the functionality and services they have access to. During the tests, 30 invalid passwords were submitted. The right password was then submitted, and the login succeeded, confirming that the account was NOT locked. No security control (e.g. WAF, captcha) prevented these 30 login attempts. |
Steps to reproduce | Limitation: Password bruteforce attacks are limited because the contract forbids against denial of service attacks. Tests were limited to 30 failed connection attempts, which seems reasonable not to impact environment/network availability. Test is based on WSTG-ATHN-03 from the OWASP Security Testing Guide. Using Burp Suite, intercept a valid connection attempt request. Send the request to the Intruder module. Set the password as the changing part. Include screenshots. Use the Simple list payload, and insert 30 wrong passwords, then the right password. Include screenshots. Set the number of threads to 1. Include screenshots. Click on Start attack. Include screenshots. The last attempt with the right password succeeded after 30 failed login attempts. Notice how the length of the response is different. |
Remediation | It is recommended to add an account locking mechanism. Accounts lock after x failed connection attempts, and unlock: – after a delay of y minutes; or – using Self-service unlock (sends unlock email to registered email address); or – after administrator manually unlocks the account after verifying the user’s identity Another mechanism against bruteforce attacks could be added: – delay between connection attempts, to significatively slow down bruteforce attempts – CAPTCHA – Web application firewall (WAF), properly configured Difficulty level to fix this vulnerability is assessed at “Moderate” |