Bruteforcing Passwords
Bruteforce passwords of usernames found during the enumeration phase.
Bypassing IP Blocking
With HTTP Header
- Send the login request to the Intruder module in Burp Suite.
- Add the HTTP header X-Forwarded-For to the request and mark its value as a payload position:
- Select Pitchfork as the attack type.
- Use the payload Numbers, set range From 1 To 100, Step to 1, Max fraction digits to 0.
X-Forwarded-For: §dummy§
With valid login
The IP can be blocked if you fail to log in too many times. In some implementations, the counter for the number of failed attempts resets if the IP owner logs in successfully. Use a macro and a session handling rule to issue a successful login request before each bruteforce attempt.
- Click on the Settings menu.
- Under Macros, click Add.
- Select the successful login request.
- Give the macro a name (Login).
- Click OK.
- Under Session handling rules, click Add.
- In the Details tab:
  - Under Rule Description, enter a description like Intruder.
  - Under Rule Actions, click Add and select Run a macro. Select the macro Login and click OK.
- In the Scope tab:
  - Under Tools Scope, select Intruder and unselect the rest.
  - Under URL Scope, select Include all URLs.
- Click OK.
- Close the Settings window.
By supplying multiple passwords in one request
{"username":"victim","password":["whatever1","whatever2","whatever3"]}
Generate the JSON from a password list:
# Read the list line by line (no word splitting) and join the quoted entries with commas; passwords containing " or \ need JSON escaping, e.g. jq -R . wl.txt | paste -sd, -
while IFS= read -r pass; do printf '"%s",' "$pass"; done < wl.txt | sed 's/,$//'
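As an added defender-side example (constructed here, not code from the original page), a Python login guard that closes the three bypasses described above: it keys the failure counter on the TCP peer address and honours X-Forwarded-For only from a trusted proxy, it does not reset the counter on a successful login, and it rejects a password field that is not a single string. The names LoginGuard, MAX_FAILURES, WINDOW_SECONDS and the check_credentials callback are assumptions of this example.

```python
import time
from collections import defaultdict

MAX_FAILURES = 5          # lockout threshold (constructed value)
WINDOW_SECONDS = 15 * 60  # failures older than this expire


class LoginGuard:
    """Failed-login counter keyed on peer address and on account name."""

    def __init__(self, trusted_proxies=frozenset(), now=time.time):
        self.trusted_proxies = trusted_proxies  # addresses allowed to set X-Forwarded-For
        self.now = now
        self.failures = defaultdict(list)       # key -> timestamps of failed attempts

    def client_key(self, peer_addr, headers):
        """Honour X-Forwarded-For only when the request came from a trusted proxy,
        and then take the rightmost hop, which that proxy appended itself."""
        xff = headers.get("X-Forwarded-For")
        if peer_addr in self.trusted_proxies and xff:
            return xff.split(",")[-1].strip()
        return peer_addr

    def _recent(self, key):
        cutoff = self.now() - WINDOW_SECONDS
        self.failures[key] = [t for t in self.failures[key] if t > cutoff]
        return self.failures[key]

    def attempt(self, peer_addr, headers, body, check_credentials):
        """Returns 'rejected', 'locked', 'ok' or 'failed'."""
        username, password = body.get("username"), body.get("password")
        # A JSON array in the password field is not a credential: refuse it
        # instead of letting the backend compare against every element.
        if not isinstance(username, str) or not isinstance(password, str):
            return "rejected"
        keys = (self.client_key(peer_addr, headers), "user:" + username)
        if any(len(self._recent(k)) >= MAX_FAILURES for k in keys):
            return "locked"
        if check_credentials(username, password):
            return "ok"  # deliberately no reset: a valid login must not clear the counter
        stamp = self.now()
        for k in keys:
            self.failures[k].append(stamp)
        return "failed"
```

The per-account key locks the targeted account even when every attempt arrives from a different address, which is the case the X-Forwarded-For trick tries to create.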
Reporting
| Field | Value |
| --- | --- |
| CVSS Score v3 | 6.5 (depends on other controls such as captcha, tokens, etc.) |
| CVSS Vector v3 | https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
English
| Field | Value |
| --- | --- |
| Title | Weak password policy |
| Description | The user password policy is weak. The only requirement is a minimum of 8 characters. There is no requirement for uppercase/lowercase characters, numbers, or special characters. For example, these are valid passwords: • 12345678 • aaaaaaaa • bbbbbbbb • password. Weak passwords are easier to guess or bruteforce. |
| Steps to reproduce | Create a user. |
| Remediation | It is recommended to add more criteria to the password policy (lowercase/uppercase, digits, special characters) to increase password strength. Another option would be to add/configure integration with Federated Identities (e.g. ADFS) so that the password policy is enforced by it. The difficulty level to fix this vulnerability is assessed at “Simple”. |
French
| Field | Value |
| --- | --- |
| Title | Weak password policy complexity |
| Description | The complexity of the application's user password policy is insufficient. The only requirement is a minimum of 8 characters. There is NO REQUIREMENT for uppercase/lowercase letters, digits, or special characters. For example, these passwords are valid: • 12345678 • aaaaaaaa • password. Low-complexity passwords are easier to guess and more vulnerable to brute force attacks. |
| Steps to reproduce | |
| Remediation | It is recommended to add complexity criteria for passwords: • At least 8 characters • At least one digit • At least one lowercase letter • At least one uppercase letter • At least one special character. The difficulty of remediation is assessed at “Simple”. |