[WEB SECURITY] Attacks on unprotected login forms

MustLive mustlive at websecurity.com.ua
Sat Apr 30 13:55:40 EDT 2011


Hello, participants of the mailing list.

In my article Attacks on unprotected login forms
(http://websecurity.com.ua/5097/), which I published last week, I described
different attacks on login forms which have no protection against
automated login.

The lack of protection in login forms, captcha in particular, can lead to
different attacks. And not only to Brute Force attacks (WASC-11), which is a
known vulnerability in authentication forms, but also to many other attacks
directed at other vulnerabilities of the site or web application. For many
years already I have encountered possibilities for such attacks at
different sites and engines.

While it's possible to protect against Brute Force both with the help of a
captcha and with other methods (restricting by IP or temporary blocking of
the account), in the case of other vulnerabilities, when remote or automated
attacks are conducted, using a captcha is very relevant.

And because captcha is very rarely used in login forms, this issue is
very widespread on the Internet. At web sites which don't have
vulnerabilities in admin or user accounts it's possible to do without
captcha (e.g. I don't use captcha in the login form at my site, because it's
not relevant for me), but for sites with internal vulnerabilities it's very
relevant. Millions of web sites, many engines and different devices with a
web interface (such as routers, modems and others) are now vulnerable to
such attacks.

The lack of protection against automated login (captcha) can be used:

* For conducting Brute Force attacks.
* For conducting Login Enumeration attacks - if there are appropriate
Abuse of Functionality vulnerabilities in login forms, like in MyBB.
* For conducting XSS attacks - if there are appropriate XSS
vulnerabilities, like in MyBB.
* For conducting Redirector attacks - if there are appropriate URL
Redirector Abuse vulnerabilities, like in MyBB.
* For conducting CSRF attacks, including on different devices (modems in
particular). I'll tell soon about such attacks on admin panels of ADSL
modems.
* For conducting phishing attacks, when the user's credentials are stolen
and the login into his account takes place right away (e.g. for stealing
money from the account). I've already described the Insufficient
Anti-automation vulnerability in LiqPAY, which can be used for such attacks.
* For conducting SQL Injection attacks, when there is a regular SQLi or
blind SQLi vulnerability in the user account, and the exploit needs to log
in and take data from the DB. In such a case a captcha will make it harder
to use these vulnerabilities.
* For conducting RCE attacks, when authorization is needed for remote
command execution. In such a case a captcha will make it harder to use
these vulnerabilities.
* For conducting Arbitrary File Upload attacks - via appropriate
vulnerabilities in the user account, like in WordPress. In such a case a
captcha will make it harder to use these vulnerabilities.
* For conducting Abuse of Functionality attacks - via different AoF
vulnerabilities in the user account, e.g. those which allow sending spam.
Like in Drupal and in the Print module for Drupal.

For this, the captcha needs to be in the login form immediately, and not
appear only after an unsuccessful authentication attempt, as it does in
MyBB. The latter leads to the possibility of conducting the mentioned
attacks (like XSS and Redirector attacks in MyBB), because when these
attacks are conducted, the authentication takes place before the captcha
appears.

So if there is any of the mentioned vulnerabilities (except for Brute Force,
which can also be fixed by other methods), a captcha in the login form can
come in handy - as the main or as an additional protection. Especially if
some vulnerabilities can't be fixed, as in the case of AoF when they are
important functionality of the site.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
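
The point above about a captcha that appears only after a failed attempt, as an added example that is not part of the original post or of any project's code: a hypothetical login handler (LoginGate, its policy flag, the client id and the sample account are all assumptions) in which a scripted first request with valid credentials authenticates under the deferred policy and is stopped under the immediate one.

```python
import hmac

USERS = {"alice": "correct-horse"}  # constructed sample account

class LoginGate:
    """Hypothetical login handler; captcha_always selects the policy."""

    def __init__(self, captcha_always):
        self.captcha_always = captcha_always
        self.failures = {}  # client id -> failed attempts so far

    def captcha_required(self, client):
        # Deferred policy: challenge only after this client has failed once.
        return self.captcha_always or self.failures.get(client, 0) > 0

    def login(self, client, user, password, captcha=None, expected=None):
        # The captcha is checked before credentials, so a request without a
        # solved challenge never reaches authentication when one is required.
        if self.captcha_required(client):
            solved = (captcha is not None and expected is not None
                      and hmac.compare_digest(captcha, expected))
            if not solved:
                return "captcha_required"
        stored = USERS.get(user)
        if stored is not None and hmac.compare_digest(stored, password):
            self.failures.pop(client, None)
            return "authenticated"
        self.failures[client] = self.failures.get(client, 0) + 1
        return "denied"


def first_request_without_captcha(gate):
    # Models a scripted first request: valid credentials, no captcha answer.
    return gate.login("client-1", "alice", "correct-horse")


def compare_policies():
    deferred = LoginGate(captcha_always=False)
    immediate = LoginGate(captcha_always=True)
    return (first_request_without_captcha(deferred),
            first_request_without_captcha(immediate))


if __name__ == "__main__":
    print(compare_policies())
```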




