Closed alowenstein closed 4 years ago
Thanks, we are currently working on this, along with some other session management enhancements in an upcoming release, including features like configurable session timeout. We are still evaluating hard lockout versus some form of step-up captcha or rate limiting. We generally recommend that your VECTR instance be restricted from the outside with security groups and firewall rules.
Added in 6.0.0
Hi,
We were running a pentest against our local vectr instance and the following issue was observed.
Observed that the Vectr application login is not protected with a rate limiter or account lockout policy to prevent password bruteforce attacks. By knowing the username, an attacker would be able to bruteforce the password to find the valid credentials. Note: Observed that the login request (/cas/login) contains the 'execution' parameter and that it will be refreshed for every login attempt. If it is designed to prevent bruteforce automation, it appears that it is not effective; we can repeatedly use the same execution value in a bruteforce attack.
Reproduction steps: Configure the browser to use an HTTPS proxy like Burp. Go to the login page and enter a valid username with a wrong password. In Burp proxy, forward the request to Intruder. Add a list of passwords you would like to bruteforce and launch the attack. For a valid password you will receive a 302 HTTP response and for an invalid one you will receive a 401 HTTP response.
Remediation advice: Enforce an account lockout policy for 3 to 5 wrong login attempts. The account needs to be locked for a period of time long enough to deter brute force attacks. Prompt a CAPTCHA challenge if bruteforce is detected.
Thanks. Assaf Lowenstein
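The lockout policy proposed in the report, as an added illustration (this is not VECTR's or the CAS login's code): a per-username guard that counts failed attempts inside a time window, locks the account after a configurable threshold, and is checked before the password so a locked account returns the same response whether the password was right or wrong. The 302/401 codes mirror the report; returning 429 while locked, the window and lockout lengths, and the injectable clock are assumptions for the example.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class AccountState:
    failures: int = 0          # failed attempts inside the current window
    window_start: float = 0.0  # start of the current failure window
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginGuard:
    """Per-username lockout: after max_failures failures within window seconds,
    the account is locked for lockout seconds. The clock is injectable for tests."""

    def __init__(self, max_failures: int = 5, window: float = 300.0,
                 lockout: float = 900.0, clock: Callable[[], float] = time.time):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.clock = clock
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self._accounts.setdefault(user, AccountState())

    def is_locked(self, user: str) -> bool:
        return self._state(user).locked_until > self.clock()

    def record_failure(self, user: str) -> bool:
        """Count a failed attempt; return True if the account is now locked."""
        now, st = self.clock(), self._state(user)
        if now - st.window_start > self.window:       # window expired: start afresh
            st.failures, st.window_start = 0, now
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked_until = now + self.lockout
            st.failures, st.window_start = 0, now
            return True
        return False

    def record_success(self, user: str) -> None:
        self._accounts.pop(user, None)                 # a successful login clears history


def attempt_login(guard: LoginGuard, user: str, password: str,
                  verify: Callable[[str, str], bool]) -> int:
    """HTTP status a guarded login endpoint would return: 302 on success, 401 on a
    wrong password, 429 (assumed choice) while locked. The lock is checked before
    the password so a locked account never reveals whether the guess was right."""
    if guard.is_locked(user):
        return 429
    if verify(user, password):
        guard.record_success(user)
        return 302
    guard.record_failure(user)
    return 401
```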