A Way to Bypass Rate Limiting

Another Way to Bypass Rate Limiting

I want to share one of my finding on account.99designs.com which I have reported to them on 5th May 2014.

I have found that site.com following Url https://account.99designs.com/sso/1.0.0/login?site=contests&locale=en-us&return=https://99designs.com/sso/login&rd=lNFC-iNCgY5Xnzsq6UvI_ykRl__KUS2MzzhB_Alu5LA= was vulnerable to Bruteforce attacks even when the Rate-Limting is implement for all the site.com users account and the server is disabling the requests.

So first I tried to do the Status Code Value or Response Code Value, Length Code Analysis but it was same as 200 for all Right & Wrong Password attempts as we hit the 60 Wrong Password Attempts also the error message was generic for all Right & Wrong Password Attempts.

Then I tried to do the User-Agent based bruteforce attack by changing the user-agent to known and anonymous user-agent in header of the each request but it also failed and then after further more Deep Analysis I found that there was a parameter named browser was sent using post method in each request with Wrong or Right Password and this parameter was containing a value which was the currently used browsers name i.e. internet+explorer. So, that means the server was checking the User-Agent using header and also using the browser name parameter and its value internet+explorer.

So to find weakness in the Rate Limiting countermeasure 1st sent more then 60 Wrong Password requests using  the browser parameter with the value internet+explorer as the 60 Wrong Password requests sent the the Rate Limiting got enabled and it started blocking the wrong or right password request and was sending the response code and length code as 200 for all Right & Wrong Password attempts also the error message was generic for all Right & Wrong Password Attempts so again it failed. 

After that I started sending each request with the browser named parameter value which I changed to any known and also any unknown value as browser name value. So, then I observed that after more then 60 Wrong Password Attempts and also even after more then 10000 Wrong Passwords Attempts the Rate Limiting didn't got enabled nor the Status Code Value or Response Code Value, Length Code values changed to 200. Instead for Right Password it was 302 and for Wrong Pass it was 200.

So, in this way I was able to Bypass the site.com Rate Limting by changing the browser parameter value in each request and by analyzing the Status Code Value or Response Code Value, Length Code values differences.

Original Request:

POST /sso/1.0.0/login?site=contests&locale=en-us&return=https://99designs.com/sso/login&target=http://99designs.com/&rd=lNFC-iNCgY5Xnzsq6UvI_ykRl__KUS2MzzhB_Alu5LA= HTTP/1.1
Accept: text/html, application/xhtml+xml, /
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: __iswl_account99designscom=0; sp_id..cf43=f48faee182ec56ef.1399262073.1.1399262078.1399262073; sp_ses..cf43=*; _msuuid_75mlvfed70=937C0A8D-BDBA-40E7-9632-AA2BB97F051F; __ssid=69a7009e-a365-4481-87e3-60620271c47d; CookiedSession=P90fAidSF8hdgPCKZkgn2KdK7sAj0imf4TLPMLiyKU=.K-FAwEBC3Nlc3Npb25EYXRhAf-GAAECAQJJZAEMAAEFU3RvcmUB_4gAAAAh_4cEAQERbWFwW3N0cmluZ11zdHJpbmcB_4gAAQwBDAAAKv-GARZhWW1qc2tlbHo5SVM3UWozamtGeE9IAQEGbG9jYWxlBWVuLXVzAA==
Host: account.99designs.com
Content-Length: 202
Connection: Keep-Alive
Cache-Control: no-cache
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

username=victimemailid@gmail.com&password=shssjssjs&browser=Internet+Explorer&browserversion=10.0&screenresolution=1422x889&operatingsystem=Windows&timezoneoffset=420&csrf_token=aYmjskelz9IS7Qj3jkFxOH

Modified Request:

POST /sso/1.0.0/login?site=contests&locale=en-us&return=https://99designs.com/sso/login&target=http://99designs.com/&rd=lNFC-iNCgY5Xnzsq6UvI_ykRl__KUS2MzzhB_Alu5LA= HTTP/1.1
Accept: text/html, application/xhtml+xml, /
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: __iswl_account99designscom=0; sp_id..cf43=f48faee182ec56ef.1399262073.1.1399262078.1399262073; sp_ses..cf43=*; _msuuid_75mlvfed70=937C0A8D-BDBA-40E7-9632-AA2BB97F051F; __ssid=69a7009e-a365-4481-87e3-60620271c47d; CookiedSession=P90fAidSF8hdgPCKZkgn2KdK7sAj0imf4TLPMLiyKU=.K-FAwEBC3Nlc3Npb25EYXRhAf-GAAECAQJJZAEMAAEFU3RvcmUB_4gAAAAh_4cEAQERbWFwW3N0cmluZ11zdHJpbmcB_4gAAQwBDAAAKv-GARZhWW1qc2tlbHo5SVM3UWozamtGeE9IAQEGbG9jYWxlBWVuLXVzAA==
Host: account.99designs.com
Content-Length: 202
Connection: Keep-Alive
Cache-Control: no-cache
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

username=victimemailid@gmail.com&password=shssjssjs&browser=test+test&browserversion=10.0&screenresolution=1422x889&operatingsystem=Windows&timezoneoffset=420&csrf_token=aYmjskelz9IS7Qj3jkFxOH

In this way the attacker was able to Bypass the Rate Limiting of 99designs.


Impact:

The attacker can successfully bruteforce the passwords on any users account even when the rate limiting is enabled and this can lead to account compromise.

Recommendation:
The Length Code Value for Right & Wrong Passwords shall always be Same for Any Users Account.

Instead of user-agent based validation for enabling the rate limiting user id shall be checked for numbers of wrong password attempts.


The account shall only be unlocked using a email which contains a Un-Lock account link.

The vulnerability was mitigated by 99designs Security Team.

So in this way, one can Bypass Rate Limiting and can also compromise the victims account also this technique can be used to find same type of vulnerabilities on different websites.

Suggestions and Feedback's are welcome.

InVision Rate Limiting Bypass

How I was able To Bypass InVision Rate Limiting

I want to share one of my finding on InVision which I have reported to them on 16th March 2014.

I have found that InVision following Url https://projects.invisionapp.com/d/login was vulnerable to Bruteforce attacks even when the Rate-Limting is implement for all the InVision users account and even when the victims account is locked.

So first I tried to do the Status Code Value or Response Code Value Analysis but it was same as 200 for all Right & Wrong Password attempts also the error message was generic for all Right & Wrong Password Attempts.

Then I tried to do the Length Code Value Analysis and I found that for Right Password the Length Code Value always Same and Constant as 7501 from the Wrong Password Length Code Values.

But there were 2 drawbacks 1st that in real world scenario how an attacker will know the Length Code Value for the Right Password of the victims account because the Length Code Value may vary for each victims account and the 2nd drawback was that even if the attacker get the Right Password he can't get logged into the victims account as it was getting locked once the Rate Limting is enabled.

So to find that I created 5 dummy accounts on InVision and then I checked the each dummy accounts Right Passwords Length Code Values and I found that it was again same as 7501 for each of those dummy accounts different Right Passwords. So in this way I confirmed that the Right Password Length Code is always Same and Constant for all the Victims(Users) accounts. 

After some Analysis I found that the locked account of the victim is getting automatically unlocked after 30 minutes time. So once the attacker got the Right Password he can then access the victims locked account as it is automatically getting unlocked after 30 minutes time.

Rate Limiting BypassVulnerability POC Screenshot:

 

In this way the attacker was able to Bypass the Rate Limiting of InVision.


Impact:

The attacker can successfully bruteforce the passwords on any users acccount even when the rate limiting is enabled and this can lead to account compromise.

Recommendation:
The Length Code Value for Right & Wrong Passwords shall always be Same for Any Users Account.


The account shall only be unlocked using a email which contains a Un-Lock account link.

.

 The vulnerability was mitigated by InVision Security Team within 6 days.

So in this way, one can Bypass Rate Limting and can also compromise the victims account also this technique can be used to find same type of vulnerabilities on different websites.

Suggestions and Feedbacks are welcome.

2nd Etsy Bruteforce Vulnerability

How I was able To Bypass Etsy Bruteforce Countermeasure 2nd Time

I want to share my second finding on Etsy which I and Prashant have reported to Etsy Security Team on 24th March 2013. Previously I have shared my 1st Etsy Bruteforce Countermeasure Bypass you can find it here http://www.websecresearch.tech/2013/08/1st-etsy-bruteforce-vulnerabilty.html .

We have found that the Etsy.com login page Url https://www.etsy.com/signin?from_page=http%3A%2F%2Fwww.etsy.com%2Findex.php is vulnerable to bruteforce attacks as there is no lockout policy, captcha implementation, rate limiting or IP based blocking when the attacker access and browse this website from Mobile device model Galaxy ACE S5830 and User Agent (Mozilla/5.0 (Linux; U; Andriod 2.3.6; en-gb; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1). Also note that the Etsy site is same if you browse it from mobile or from any desktop etc.

After some analysis we have found that the root cause for this vulnerability was that the Mobile User Agent (Mozilla/5.0 (Linux; U; Andriod 2.3.6; en-gb; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1) was whitelisted by Etsy and there was no account lockout policy, captcha, rate limiting or IP based blocking implemented for this user-agent, as when attacker submits the wrong password in the password input field it prompts that password was incorrect and when the attacker submits the right password in the password input field while doing advance bruteforcing then the is attacker is redirect to the victims accounts homepage.

That means that the attacker can successfully does the bruteforce attack(or password enumeration) as there is no account lockout policy, captcha, rate limiting or IP based blocking when the attacker access and browse this website from Mobile device model Galaxy ACE S5830 and User Agent (Mozilla/5.0 (Linux; U; Andriod 2.3.6; en-gb; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1) or by changing the user-agent and this attack can be done manually or by creating a scripting in ruby or python languages. 

We have also found that this vulnerability can also be exploited using other mobile user-agents and also by using anonymous user-agents as Etsy have allowed any anonymous user-agents and there was no account lockout policy, captcha, rate limiting or IP based blocking implemented for the anonymous user-agents also. For more details I have attached Proof of Concept Screenshots.

The vulnerability was mitigated by Etsy Security Team within 24 hrs on 25th September 2012.

1st Etsy Bruteforce Vulnerability

How I was able To Bypass Etsy Bruteforce Countermeasure 1st Time

I want to share one of my finding on Etsy which I have reported to them on 12th September 2012.

I have found that the Etsy.com login page Url https://www.etsy.com/signin?from_page=http://www.etsy.com/index.php was vulnerable to bruteforce attacks even after captcha implementation as when attacker submits the wrong password in the password input field it prompts that password was incorrect and when the attacker submits the right password in the password input field while doing advance bruteforcing then there is no error message displayed, also there was no need to fill the captcha. 

That means that the attacker can successfully does the bruteforce attack(or password enumeration) even when there is captcha Implement and this attack can be also be done manually or by creating a script in ruby or python languages. For more details I have attached Proof of Concept Screenshots.

The vulnerability was mitigated by Etsy Security Team within few hours on 12th September 2012.