Weak Password Policy

Bruteforcing Passwords

Bruteforce passwords of usernames found during the enumeration phase.

Bypassing IP Blocking

With HTTP Header

  • Send the login request to the Intruder module in Burp Suite.
  • Add the HTTP header X-Forwarded-For in the request.
  • Select Pitchfork as the attack type.
  • Use the payload type Numbers, set the range From 1 To 100, Step 1, and Max fraction digits 0, and mark the header value as the payload position:
X-Forwarded-For: §dummy§

With valid login

The IP can be blocked after too many failed login attempts. In some implementations, the failed-attempt counter resets when a login from that IP succeeds. Use a macro and a session handling rule to issue a successful login request before each bruteforce attempt.

  • Click on the Settings menu.
  • Under Macros, click Add.
    • Select the successful login request.
    • Give the macro a name (Login).
    • Click OK.
  • Under Session handling rules, click Add.
    • In the Details tab:
      • Under Rule Description, enter a description like Intruder.
      • Under Rule Actions, click Add and select Run a macro. Select the macro Login and click OK.
    • In the Scope tab:
      • Under Tools Scope, select Intruder and unselect the rest.
      • Under URL Scope, select Include all URLs.
    • Click OK.
  • Close the Settings window.

By supplying multiple passwords in one request

{"username":"victim","password":["whatever1","whatever2","whatever3"]}

Generate the JSON array elements from a password list (read line by line so passwords containing spaces or % are not mangled; the trailing comma still has to be removed by hand):

while IFS= read -r pass; do printf '"%s",' "$pass"; done < wl.txt

Reporting

CVSS Score v3: 6.5
Depends on other controls like captcha, tokens, etc.
CVSS Vector v3: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

English

Title: Weak password policy
Description: The user password policy is weak. The only requirement is a minimum of 8 characters. There is no requirement for uppercase/lowercase characters, numbers, or special characters. For example, these are valid passwords:
• 12345678
• aaaaaaaa
• bbbbbbbb
• password
Weak passwords are easier to guess or bruteforce.
Steps to reproduce: Create a user.
Remediation: It is recommended to add more criteria to the password policy (lowercase/uppercase, digits, special characters) to increase password strength.
Another option would be to add/configure integration with Federated Identities (e.g. ADFS) so that the password policy is enforced by it.
Difficulty level to fix this vulnerability is assessed at “Simple”.

French

Title: Weak password policy complexity
Description: The complexity of the application's user password policy is insufficient. The only requirement is a minimum of 8 characters. There is NO REQUIREMENT for uppercase/lowercase letters, digits, or special characters. For example, these passwords are valid:
• 12345678
• aaaaaaaa
• password
Low-complexity passwords are easier to guess and more vulnerable to brute-force attacks.
Steps to reproduce
Remediation: It is recommended to add complexity criteria to passwords:
• At least 8 characters
• At least one digit
• At least one lowercase letter
• At least one uppercase letter
• At least one special character

The difficulty of remediation is assessed at “Simple”.
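Added example, not part of the original notes: a server-side check that enforces the complexity criteria listed in the remediation above and rejects the array-in-password-field request shape shown in the bruteforce section. The blocklist entries are constructed placeholders.

```python
import string
from typing import List, Tuple

# Policy criteria taken from the remediation section of this page.
MIN_LENGTH = 8
SPECIAL_CHARS = set(string.punctuation)

# Constructed blocklist for illustration only; a real deployment
# would check against a large list of leaked/common passwords.
COMMON_PASSWORDS = {"password", "12345678", "qwerty123"}


def password_policy_violations(password: str) -> List[str]:
    """Return the rules the password fails; an empty list means accepted."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("min_length")
    if not any(c.isdigit() for c in password):
        violations.append("digit")
    if not any(c.islower() for c in password):
        violations.append("lowercase")
    if not any(c.isupper() for c in password):
        violations.append("uppercase")
    if not any(c in SPECIAL_CHARS for c in password):
        violations.append("special")
    if password.lower() in COMMON_PASSWORDS:
        violations.append("common")
    return violations


def validate_login_body(body: dict) -> Tuple[bool, str]:
    """Reject bodies where 'password' is not a single string.

    A JSON array in the password field is the multi-password trick from
    the bruteforce section: a handler that iterates over the value would
    test several candidates per request and defeat per-request rate limits.
    """
    username = body.get("username")
    password = body.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return False, "username and password must be single strings"
    return True, "ok"


if __name__ == "__main__":
    # The sample passwords from the report description all fail the policy.
    for weak in ("12345678", "aaaaaaaa", "bbbbbbbb", "password"):
        print(weak, password_policy_violations(weak))
    print(validate_login_body({"username": "victim",
                               "password": ["whatever1", "whatever2"]}))
```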