This lab is about broken brute-force protection.
Let’s start.
We first log in with invalid credentials to test how many attempts are allowed before the account gets blocked from logging in again. After 3 failed attempts, the page responds with the message: “You have made too many incorrect login attempts. Please try again in 1 minute(s)”.
After waiting for a minute we can log in again. The broken part of this brute-force protection is that a successful login with a correct username and password resets the lockout counter. So for example, if I log in with admin:admin 2 times and on the 3rd attempt log in with wiener:peter, I can then try admin:admin another 2 times without getting blocked.
With this flaw in mind, you should have a rough idea of how we can attack this login page.
Let’s select the Pitchfork attack mode. Next, mark the 2 parameters that we want to attack: the username and the password.
For payload set 1, we have to create a list of usernames alternating between your valid username: “wiener” and the victim’s username: “carlos”.
Make sure your username is first followed by carlos, as we want to align the username and the password.
For payload set 2, put your password in the first row and then again after every other candidate password, so that it lines up with the username list. This way the counter is reset every time the correct username and password are used to log in, and the remaining rows continue the brute-force attack against carlos’s account. Now that looks good, so let’s start our attack!
Sort the results by status code and look for the 302 response; the one that returns a 302 belongs to carlos.
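To see why the alternating payload lists work, and what the fix looks like, here is an added example that models the lab's login throttle in Python. It is not PortSwigger's code and is not the lab's real implementation: `FlawedGuard` reproduces the behaviour described above (a per-IP failure counter that resets on any successful login from that IP), while `HardenedGuard` keys the counter on the account being targeted and only clears it when that same account logs in successfully. The credential store, the IP address, the candidate password list and carlos's password are all constructed for the simulation; `simulate` replays the Pitchfork pattern (one valid wiener:peter login, then two guesses against carlos, repeated).

```python
"""Toy model of a lockout counter with the lab's reset flaw, beside a hardened form.
All data below is constructed for the simulation (added example, not the lab's code)."""
from collections import defaultdict

MAX_FAILURES = 3      # lab: lockout after 3 failed attempts
LOCKOUT_SECONDS = 60  # lab: "Please try again in 1 minute(s)"

# Constructed credential store: wiener:peter is the lab's own account,
# carlos's password is a placeholder chosen for this simulation.
USERS = {"wiener": "peter", "carlos": "carlos-placeholder-pw"}


class FlawedGuard:
    """Per-IP counter that is reset by ANY successful login from that IP (the flaw)."""

    def __init__(self):
        self.failures = defaultdict(int)
        self.blocked_until = {}

    def login(self, ip, username, password, now=0):
        if self.blocked_until.get(ip, 0) > now:
            return "blocked"
        if USERS.get(username) == password:
            self.failures[ip] = 0  # the bug: wiener's success clears carlos's failures
            return "ok"
        self.failures[ip] += 1
        if self.failures[ip] >= MAX_FAILURES:
            self.blocked_until[ip] = now + LOCKOUT_SECONDS
            self.failures[ip] = 0
        return "fail"


class HardenedGuard:
    """Counter keyed on (ip, target account); a success only clears its own key."""

    def __init__(self):
        self.failures = defaultdict(int)
        self.blocked_until = {}

    def login(self, ip, username, password, now=0):
        key = (ip, username)
        if self.blocked_until.get(key, 0) > now:
            return "blocked"
        if USERS.get(username) == password:
            self.failures.pop(key, None)  # only this account's counter is cleared
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= MAX_FAILURES:
            self.blocked_until[key] = now + LOCKOUT_SECONDS
            self.failures[key] = 0
        return "fail"


def simulate(guard, candidates, ip="10.0.0.1", guesses_per_reset=2):
    """Replay the Pitchfork pattern: one valid wiener:peter login, then
    `guesses_per_reset` guesses against carlos, repeated until the list is used up.
    Returns a list of (username, password, outcome) tuples."""
    results = []
    for i in range(0, len(candidates), guesses_per_reset):
        results.append(("wiener", "peter", guard.login(ip, "wiener", "peter")))
        for pw in candidates[i:i + guesses_per_reset]:
            results.append(("carlos", pw, guard.login(ip, "carlos", pw)))
    return results


def recovered_password(results):
    """The first carlos guess that logged in (the row a 302 would reveal), or None."""
    for user, pw, outcome in results:
        if user == "carlos" and outcome == "ok":
            return pw
    return None


# Constructed candidate list; the placeholder password sits last on purpose.
CANDIDATES = ["123456", "password", "qwerty", "letmein", "carlos-placeholder-pw"]

if __name__ == "__main__":
    for name, guard in (("flawed", FlawedGuard()), ("hardened", HardenedGuard())):
        res = simulate(guard, CANDIDATES)
        print(name, [o for _, _, o in res], "->", recovered_password(res))
```

Against `FlawedGuard` the outcomes never contain "blocked" and the last carlos row logs in, which is exactly what sorting by 302 exposes. Against `HardenedGuard` the third wrong guess for carlos triggers the lockout and every later guess is rejected, regardless of how many times wiener logs in between. Note that a per-account lockout on its own lets an attacker lock legitimate users out, so in production it is normally paired with a per-IP budget that a successful login does not reset.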
Grab that password and let’s try to log in to carlos’s account.
Click on My account and you will have solved this lab!