Re: passw0rd trial limit

From: Eliah Kagan (degeneracypressure@gmail.com)
Date: Sat Jun 24 2006 - 16:50:08 EDT


On 6/23/06, ceyhun wrote:
> but the problem is when a user enters the wrong passw0rd more than five times
> he/she can only log in about 2 hours later

It probably violates your agreement with the site owner as a
pen-tester to do this (and for good reason), but here's what you could
do if your only goal were to get into the site (and what you may wish
to warn your client about the possibility of):

Write a script that keeps all the users locked out at all times by
"attempting" to log in with an incorrect password. As your IP is
banned, use another IP, progressively (you may or may not have the
resources to do this). You have just DoSed their site, and they must
modify the configuration to allow legitimate users to use the site
again. They will probably simply remove the lockout (they'll do lots
of other things too, but I mean in terms of changing their
configuration)--then brute force the logins.

This illustrates the problem with any system that allows any person in
the world to deny access to any user, knowing the user's logon name. A
better way to prevent brute force attacks is to have some password
complexity requirements and progressively **slow down** response time
for a user / from an IP as there are more failed login attempts for
that user or from that IP. This prevents brute forcing, and makes it
so that the worst an anonymous attacker can do to a user is to add an
annoying several seconds to the time it takes to log in.

By the way, for this application, no matter how you play it, you will
probably be better off using a dictionary attack than a brute force
attack, at least at first.

-Eliah
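The two policies the reply contrasts, simulated side by side against the same attacker on a fake clock: a hard lockout (five failures, then the user name is refused for two hours, correct password included) and a progressive slow-down keyed on both the user name and the source IP. This is an added example and not code from the original post or from any product named on the page; the user name, passwords, test-net addresses, thresholds (five failures, two-hour lock, exponential delay capped at 30 s) and the attacker's rate of one guess per second are all constructed assumptions.

```python
# Added example (not from the original post): simulate the two anti-brute-force
# policies the reply contrasts against the same attacker, using a fake clock.
#  * LockoutPolicy: five failures -> user name refused for two hours (the tested site).
#  * BackoffPolicy: each failure doubles the delay before the next attempt, keyed
#    on the user name AND on the source IP, capped at 30 s; a correct password is
#    never refused outright.
# All names, passwords, addresses and thresholds below are constructed for the demo.
import hashlib
import hmac
from dataclasses import dataclass

SALT = b"demo-salt"  # constructed; a real store uses a per-user salt


def _kdf(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 1000)


USERS = {"alice": _kdf("correct horse")}  # constructed credential store
VICTIM, VICTIM_PW, VICTIM_IP = "alice", "correct horse", "203.0.113.7"


def password_ok(user: str, pw: str) -> bool:
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, _kdf(pw))


@dataclass
class Result:
    ok: bool
    reason: str        # "ok", "bad password", "locked" or "slow down"
    wait: float = 0.0  # seconds before the client is allowed to retry


class LockoutPolicy:
    """After max_failures wrong passwords the user name is refused for
    lockout_seconds, correct password included. Anyone who knows the
    user name can keep re-triggering this."""

    def __init__(self, max_failures=5, lockout_seconds=7200):
        self.max_failures, self.lockout_seconds = max_failures, lockout_seconds
        self.failures = {}      # user -> consecutive failures
        self.locked_until = {}  # user -> fake-clock time

    def attempt(self, now, user, ip, pw):
        if now < self.locked_until.get(user, 0.0):
            return Result(False, "locked")  # refused without checking the password
        if password_ok(user, pw):
            self.failures.pop(user, None)
            return Result(True, "ok")
        n = self.failures.get(user, 0) + 1
        if n >= self.max_failures:
            self.failures.pop(user, None)
            self.locked_until[user] = now + self.lockout_seconds
        else:
            self.failures[user] = n
        return Result(False, "bad password")


class BackoffPolicy:
    """Progressive slow-down: failure n sets next_allowed = now + min(cap, base*2**(n-1))
    for the user name and for the source IP. The correct password always gets
    through once the short wait has elapsed, so the worst an attacker can inflict
    on a user is `cap` seconds of delay."""

    def __init__(self, base=1.0, cap=30.0):
        self.base, self.cap = base, cap
        self.state = {}  # ("user", name) / ("ip", addr) -> (failures, next_allowed)

    def attempt(self, now, user, ip, pw):
        keys = [("user", user), ("ip", ip)]
        wait = max(self.state.get(k, (0, 0.0))[1] - now for k in keys)
        if wait > 0:
            return Result(False, "slow down", wait)
        if password_ok(user, pw):
            self.state.pop(("user", user), None)  # success clears the user's penalty
            return Result(True, "ok")
        for k in keys:
            n = self.state.get(k, (0, 0.0))[0] + 1
            self.state[k] = (n, now + min(self.cap, self.base * 2 ** (n - 1)))
        return Result(False, "bad password")


def simulate(policy, horizon=4 * 3600, victim_at=3600.0):
    """Attacker sends one wrong guess for VICTIM every second, rotating the source
    IP every five guesses (as the reply suggests). The victim presents the right
    password at victim_at and retries after the advertised wait, or after 60 s if
    none is given. Returns (guesses the server actually checked, seconds the
    victim waited or None, whether the victim ever got in)."""
    checked, victim_next, victim_in = 0, victim_at, None
    for t in range(horizon):
        now = float(t)
        if victim_in is None and now >= victim_next:
            v = policy.attempt(now, VICTIM, VICTIM_IP, VICTIM_PW)
            if v.ok:
                victim_in = now
            else:
                victim_next = now + (v.wait if v.wait > 0 else 60.0)
        ip = f"198.51.100.{(t // 5) % 250 + 1}"  # constructed test-net addresses
        r = policy.attempt(now, VICTIM, ip, f"guess-{t}")
        if r.reason == "bad password":
            checked += 1
    waited = None if victim_in is None else victim_in - victim_at
    return checked, waited, victim_in is not None


if __name__ == "__main__":
    for name, policy in (("lockout", LockoutPolicy()), ("backoff", BackoffPolicy())):
        checked, waited, got_in = simulate(policy)
        print(f"{name:8s} guesses checked in 4h: {checked:4d}  "
              f"victim got in: {got_in}  waited: {waited}")
```

Under the lockout policy the attacker spends five guesses per two-hour window and the victim never gets in, which is the denial of service the reply describes. Under the backoff policy the victim is delayed by at most the cap and then logs in, while the attacker's checked guesses settle at one per cap interval. Note the trade-off the simulation makes visible: the lockout lets the server check far fewer guesses, so the slow-down only "prevents" brute forcing in the sense of making it slow, which is why the reply pairs it with password complexity requirements.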




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:10 EDT