Log-In Protection Mechanisms
To protect log-in forms against brute force attacks, mechanisms like account lockouts and CAPTCHA were introduced. The account lockout mechanism was able to successfully prevent brute force attacks; however, it was abused to cause denial of service to a legitimate user: an attacker simply made an excessive number of failed log-in attempts against that user's account, and the account was locked out. Therefore, as a solution, many websites implemented an IP lock, which blocks a particular IP from accessing the website for a particular span of time, thereby slowing brute force attacks by a large degree; a short workaround is to switch between multiple IPs while brute-forcing. This could be easy for an attacker who runs a botnet and can utilize thousands of IP addresses for the task.
The main purpose of the CAPTCHA mechanism was to block automated attacks such as brute force and other spam. CAPTCHA is a good solution for preventing brute force attacks, but it sometimes fails because of a weak implementation.
CAPTCHA Validation Flaw
One of the common flaws in CAPTCHA is validation; even if CAPTCHA is in place, we are still able to determine if we have guessed the correct password just by observing the error messages or responses. This happens due to poor handling of error messages or due to weak CAPTCHA implementation.
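The two mechanisms discussed above, the IP lock and CAPTCHA validation, both live in the log-in handler, so the following added example (not code from the book) shows them side by side in Python. `leaky_login` reproduces the validation flaw just described: the password is checked before the CAPTCHA and the two failures return different messages, so the response alone tells an attacker whether the password guess was right. `HardenedLogin` checks the CAPTCHA first, returns one generic message for every failure, and adds a per-IP lock of the kind described in the previous section. The user store, the `captcha_ok` stand-in for a real CAPTCHA verifier, and the lockout thresholds are all constructed for the illustration.

```python
import hashlib
import hmac
import time

# Constructed demo credential store (username -> SHA-256 hex digest of the password).
# Illustration only: a production system would use a slow, salted hash such as bcrypt or Argon2.
USERS = {"alice": hashlib.sha256(b"correct horse battery").hexdigest()}
# Digest compared against when the username is unknown, so the code path costs the same time.
_DUMMY_DIGEST = hashlib.sha256(b"").hexdigest()

GENERIC_ERROR = "Invalid username, password or CAPTCHA."
MAX_FAILURES = 5      # failed attempts from one IP before the IP lock engages (assumed value)
LOCK_SECONDS = 300    # failures are counted, and the lock held, within this window (assumed value)


def check_password(username: str, password: str) -> bool:
    """Constant-time comparison of the supplied password's digest with the stored one."""
    stored = USERS.get(username, _DUMMY_DIGEST)
    digest = hashlib.sha256(password.encode()).hexdigest()
    matched = hmac.compare_digest(stored, digest)   # always executed, even for unknown users
    return matched and username in USERS


def captcha_ok(token: str, expected: str) -> bool:
    """Stand-in for a real CAPTCHA verifier: the token must equal the server-side expected value."""
    return hmac.compare_digest(token.encode(), expected.encode())


def leaky_login(username, password, captcha_token, expected_captcha):
    """The flawed pattern: CAPTCHA validated *after* the password, with distinct error messages.

    "CAPTCHA is invalid." is only ever returned when the password was correct, so the
    message itself confirms a correct guess regardless of the CAPTCHA.
    """
    if not check_password(username, password):
        return False, "Password is incorrect."
    if not captcha_ok(captcha_token, expected_captcha):
        return False, "CAPTCHA is invalid."
    return True, "Login successful."


class HardenedLogin:
    """CAPTCHA checked first, one generic message for every failure, plus a per-IP lock."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock        # injectable so the lock window can be tested deterministically
        self.failures = {}        # client_ip -> [failure_count, time_of_first_failure]

    def _locked(self, ip):
        entry = self.failures.get(ip)
        if entry is None:
            return False
        count, first = entry
        if self.clock() - first >= LOCK_SECONDS:
            del self.failures[ip]             # window expired; the IP starts fresh
            return False
        return count >= MAX_FAILURES

    def _record_failure(self, ip):
        entry = self.failures.setdefault(ip, [0, self.clock()])
        entry[0] += 1

    def login(self, username, password, captcha_token, expected_captcha, client_ip):
        if self._locked(client_ip):
            return False, GENERIC_ERROR
        if not captcha_ok(captcha_token, expected_captcha):
            self._record_failure(client_ip)
            return False, GENERIC_ERROR       # same message: nothing learned about the password
        if not check_password(username, password):
            self._record_failure(client_ip)
            return False, GENERIC_ERROR
        self.failures.pop(client_ip, None)    # a successful log-in clears this IP's counter
        return True, "Login successful."
```

Note that the IP lock is keyed on the client address only, which is exactly the limitation the previous section points out: requests from a different address are unaffected, so the lock slows a single-source attack but not one spread over many IPs. Locking per IP rather than per account is what avoids the denial-of-service-against-the-victim problem of plain account lockouts.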
A security researcher named Ajay Singh Negi was able to find the same flaw in etsy.com, where
he was able to determine if the password guess was correct just by looking at the error messages
that were generated. The screenshots we’ll see next will give you a clear picture of this.
Submitting a wrong password
As Ajay submitted a wrong password, the following error appeared:
“Password is incorrect.”
Take a look at the following picture: