Today I want to look at the methodology when attacking web login portals. I see many posts about different vulnerabilities in programs, but very little amount of people talks about this topic. Of course, there is some sense behind this, because without valid credentials, there is very little functionality to be exploited. For the same reason, these portals are often not well protected.

There are a few vulnerabilities/misconfigurations that will get you some good bug bounties or findings during an engagement, like:

  1. Default Credentials
  2. Username Enumeration
  3. Weak Lock Out mechanism

So, let’s deep dive into each one of them and see how this can earn you some money.

1. Default Credentials

Misconfigurations with default credentials can be seen everywhere & this is a vulnerability that is usually High or Critical, depending on the access that it gives you. The methodology behind this is very simple — first you need to find default credentials for the application that you are testing. Then find all the login portals, where you can use those credentials.

Because I already have a topic on this, I will not go into too much depth and will instead give you potential reads to show you that this really works:

There are many other reports that have been disclosed on the topic, however I think those are enough to get you started. Let’s move on to the next one

2. Username Enumeration

The idea here is to verify if it is possible to collect a set of valid usernames by interacting with the authentication mechanism of the application

The methodology is to try logging in or resetting your password with an invalid email first and then try a possibly valid email (find emails via OSINT or register an account) and see the response from the website.

This is how a vulnerable page will look:

  1. Use an incorrect email (e.g. a@a.a) and check the response

2. Use a valid email and check the response

As you can see from the above example, the password reset allows us to enumerate users. If you are doubting whether this is impactful, please see some reports:

Now, let’s move on to a bit of a more interesting attack.

3. Weak Lock Out mechanism

What is it ?

Account lockout mechanisms are used to mitigate password spraying or brute force attacks. Accounts are typically locked after 3 to 5 unsuccessful login attempts and can only be unlocked after a predetermined period of time, via a self-service unlock mechanism, or intervention by an administrator.

How to test for it?

I have a really simple methodology, that goes as follows:

  • Find valid usernames & passwords (through breach databases)
  • Try enumerating existing usernames (if possible)
  • Try a brute force attack
  • Try a credential stuffing & password spraying attack

So, let’s start looking into each one of these and see how you can do all of this as well.

Finding Valid Usernames & Passwords

  1. [FREE] Use the Breach Parse to find plaintext credentials — https://github.com/hmaverickadams/breach-parse
  2. [BEST] Use Leak Peek, to find the latest plaintext credentials (for a subdomain) — https://leakpeek.com/
  3. Same as Leak Peek, but a bit more expensive — https://www.dehashed.com/

All of the above resources work in the same way. Let’s say that you are attacking example.com and you have a login portal at example.com/login. You can try enumerating all of the emails of the domain @example.com that have been breached in the past.

NB: Please, do make sure that you are only using the data that you gather for ethical hacking purposes & that your bug bounty program or penetration testing engagement does allow this attack vector

Also, know that you can search by username, email, password and more.

Enumerating Usernames

This has already been explained in point 2 (Username Enumeration) — the idea is to see if the emails/usernames that you have gathered are valid. This might not always be possible however and we might have to just go with the attack anyways.

Starting a Brute Force Attack

I would only do this, if I am sure that the web application allows this.

Below is an example, that shows the web application will disable our login if we try guessing the password more than 3 times.

However, if I see that the password is not being disabled, I would usually attack each email/username with my own wordlist:

https://github.com/ViktorMares/rockyou_strong_passwords

Of course, if you are unsure of the password requirements, then you can just use the normal rockyou.txt wordlist: https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt

Credential Stuffing & Password Spraying

Finally, we get to the most successful attacks, which are the Credential Stuffing & Password Spraying attacks.

What is Credential Stuffing? Remember, how we could use breach parse or leak peek to get valid plaintext credentials (username & password) of our targets? Well, credential stuffing is the process of using all those credentials against a login portal.

What is Password Spraying? Well, password spraying is a bit different. The idea here is to use all those collected emails or usernames & attack all of them with the same password. Let’s say that we have collected 50 emails of a company. We then find a login portal & attack each of these emails with a known-bad password (like P@ssw0rd or Summer2022! and others).

Below is a really good video on this, by The Cyber Mentor (from TCM Academy) who basically explains & shows the whole concept of this attack.

Credential Stuffing & Password Spraying: https://youtu.be/sH4JCwjybGs?t=11222

And here are some reports that may help you in understanding these attacks more:

Hopefully, I was able to show you something interesting and useful for your future engagements in bug bounty programs & penetration tests.

Shares:

Leave a Reply

Your email address will not be published. Required fields are marked *