How I was able To Bypass Etsy Bruteforce Countermeasure 1st Time
I want to share one of my finding on Etsy which I have reported to them on 12th September 2012.
That means that the attacker can successfully does the bruteforce attack(or password enumeration) even when there is captcha Implement and this attack can be also be done manually or by creating a script in ruby or python languages. For more details I have attached Proof of Concept Screenshots.
The vulnerability was mitigated by Etsy Security Team within few hours on 12th September 2012.
I want to share one of my finding on Etsy which I have reported to them on 12th September 2012.
I have found that the Etsy.com login page Url https://www.etsy.com/signin?from_page=http://www.etsy.com/index.php was vulnerable to bruteforce attacks even after captcha implementation as when attacker submits the wrong password in the password input field it prompts that password was incorrect and when the attacker submits the right password in the password input field while doing advance bruteforcing then there is no error message displayed, also there was no need to fill the captcha.
That means that the attacker can successfully does the bruteforce attack(or password enumeration) even when there is captcha Implement and this attack can be also be done manually or by creating a script in ruby or python languages. For more details I have attached Proof of Concept Screenshots.
The vulnerability was mitigated by Etsy Security Team within few hours on 12th September 2012.
No comments:
Post a Comment
You Have Successfully Posted the Message.