[
https://issues.apache.org/jira/browse/FINERACT-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Peter Chen updated FINERACT-2125:
---------------------------------
Description:
h3. Description
The application does not provide any kind of rate limiting mechanism to protect
against requests made in a short time frame. This type of issue might lead to
account takeover by identifying correct usernames and passwords by brute-forcing
the login page.
h3. Reproduction Steps
1- Visit the login page at [https://demo.mifos.io|https://demo.mifos.io/] or
[https://openmf.github.io/web-app/]
2- Enter any registered username and an incorrect password, click on Login and
make sure to intercept the request via the BurpSuite tool.
3- Send the request to Intruder and set the payload position to the password field.
4- Paste 400 incorrect passwords, with the correct password at the 401st position.
5- Start the attack and see that it successfully made 400 requests. On the 401st
request it logged in successfully with the correct password.
Note: Please note that a similar issue can be replicated where the vulnerable
field is the username.
h2. Impact Details
This type of issue might lead to Account takeover by identifying correct
usernames and passwords by brute forcing the login page.
h2. Remediation Advice
Implement CAPTCHA controls to validate that requests come from people rather
than automated tools. Consider implementing appropriate rate limiting, such as
IP address-, time-, or email-based limitations, to ensure that individual
sources cannot request forms and submissions more frequently than the servers
can reasonably handle.
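An added example, not Fineract's own code: a sliding-window login throttle keyed by both source IP and username with a temporary lockout, replayed against the report's scenario of 400 wrong passwords followed by the correct one from a single IP. Thresholds, the IP addresses and the `mifos` username are constructed for illustration; wiring it in front of the real authenticator is left to the integration.

```python
from collections import defaultdict, deque
import time


class LoginThrottle:
    """Sliding-window login throttle keyed by source IP and by username."""
    def __init__(self, per_ip=20, per_user=5, window_seconds=60,
                 lockout_seconds=300, clock=time.monotonic):
        self.per_ip, self.per_user = per_ip, per_user   # failures per window
        self.window, self.lockout, self.clock = window_seconds, lockout_seconds, clock
        self._failures = defaultdict(deque)   # ("ip", x) / ("user", x) -> timestamps
        self._locked_until = {}               # same keys -> lockout expiry time

    def is_allowed(self, ip, username):
        """Call before authenticating; False means reject without a password check."""
        now = self.clock()
        return all(self._locked_until.get(k, 0) <= now for k in (("ip", ip), ("user", username.lower())))

    def record_failure(self, ip, username):
        now = self.clock()
        for key, limit in ((("ip", ip), self.per_ip), (("user", username.lower()), self.per_user)):
            dq = self._failures[key]
            dq.append(now)
            while now - dq[0] > self.window:   # forget failures outside the window
                dq.popleft()
            if len(dq) >= limit:   # temporary lockout: a per-user limit must not lock real users out for good
                self._locked_until[key] = now + self.lockout

    def record_success(self, ip, username):
        # Clear only the username's history; the per-IP count stays so one valid login cannot reset throttling.
        self._failures.pop(("user", username.lower()), None)
        self._locked_until.pop(("user", username.lower()), None)


def simulate_intruder_run(wrong_passwords=400, correct="s3cret"):
    """Replay the report: 400 wrong passwords then the right one, one IP, ~100 req/s.
    Returns (attempts that reached the authenticator, correct password accepted?)."""
    now = [0.0]                                 # constructed clock, seconds
    throttle = LoginThrottle(clock=lambda: now[0])
    reached_auth = 0
    for i in range(wrong_passwords + 1):
        now[0] += 0.01
        password = correct if i == wrong_passwords else f"wrong{i}"
        if not throttle.is_allowed("203.0.113.7", "mifos"):
            continue                            # throttled before any password check
        reached_auth += 1
        if password == correct:
            throttle.record_success("203.0.113.7", "mifos")
            return reached_auth, True
        throttle.record_failure("203.0.113.7", "mifos")
    return reached_auth, False
```

With the constructed thresholds only five attempts reach the authenticator and the 401st (correct) password is refused until the lockout expires; the username-keyed limit also applies to attempts on the same account from other IPs, while the IP-keyed limit catches one source spraying many usernames.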
was:
h3. Description
The application does not provide any kind of rate limiting mechanism to protect
against requests made in a short time frame. This type of issue might lead to
account takeover by identifying correct usernames and passwords by brute-forcing
the login page.
h3. Reproduction Steps
1- Visit the login page at [https://demo.mifos.io|https://demo.mifos.io/] or
[https://openmf.github.io/web-app/]
2- Enter any registered username and an incorrect password, click on Login and
make sure to intercept the request via the BurpSuite tool.
3- Send the request to Intruder and set the payload position to the password field.
4- Paste 400 incorrect passwords, with the correct password at the 401st position.
5- Start the attack and see that it successfully made 400 requests. On the 401st
request it logged in successfully with the correct password.
Note: Please note that a similar issue can be replicated where the vulnerable
field is the username.
h2. Remediation Advice
Implement CAPTCHA controls to validate that requests come from people rather
than automated tools. Consider implementing appropriate rate limiting, such as
IP address-, time-, or email-based limitations, to ensure that individual
sources cannot request forms and submissions more frequently than the servers
can reasonably handle.
> No Rate Limiting on Login Panel
> -------------------------------
>
> Key: FINERACT-2125
> URL: https://issues.apache.org/jira/browse/FINERACT-2125
> Project: Apache Fineract
> Issue Type: Bug
> Components: Client, Security
> Reporter: Peter Chen
> Priority: Minor
> Labels: technical
>
> h3. Description
> The application does not provide any kind of rate limiting mechanism to
> protect against requests made in a short time frame. This type of issue
> might lead to account takeover by identifying correct usernames and
> passwords by brute-forcing the login page.
> h3. Reproduction Steps
> 1- Visit the login page at [https://demo.mifos.io|https://demo.mifos.io/] or
> [https://openmf.github.io/web-app/]
> 2- Enter any registered username and an incorrect password, click on Login
> and make sure to intercept the request via the BurpSuite tool.
> 3- Send the request to Intruder and set the payload position to the password
> field.
> 4- Paste 400 incorrect passwords, with the correct password at the 401st position.
> 5- Start the attack and see that it successfully made 400 requests. On the
> 401st request it logged in successfully with the correct password.
> Note: Please note that a similar issue can be replicated where the
> vulnerable field is the username.
>
> h2. Impact Details
> This type of issue might lead to Account takeover by identifying correct
> usernames and passwords by brute forcing the login page.
> h2. Remediation Advice
> Implement CAPTCHA controls to validate that requests come from people rather
> than automated tools. Consider implementing appropriate rate limiting, such
> as IP address-, time-, or email-based limitations, to ensure that individual
> sources cannot request forms and submissions more frequently than the servers
> can reasonably handle.
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)