[ https://issues.apache.org/jira/browse/GUACAMOLE-991?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Mathieu CARBONNEAUX updated GUACAMOLE-991:
------------------------------------------
Description:
Hi,
Guacamole with the OTP module works like a charm...
but the user and password are checked before the redirect to the OTP page...
this makes user/pass brute force possible, because the attacker can know if the
user + password is valid....
ok they need the token to achieve the complete connection... but they know the
password...
why not redirect systematically to the OTP form, and check user + pass after the OTP
form post (do the token validation only if user/pass are ok)? or use a 3-field
form?
in that way the attacker cannot know if the password is ok or if the token is
bad...
was:
Hi,
Guacamole with the OTP module works like a charm...
but the user and password are checked before the redirect to the OTP page...
this makes user/pass brute force possible, because the attacker can know if the
user + password is valid....
ok they need the token to achieve the complete connection... but they know the
password...
why not redirect systematically to the OTP form, and check user + pass after the OTP
form post (do the token validation only if user/pass are ok)? or use a 3-field
form?
in that way the attacker cannot know is the password is ok or if the token is
bad...
> Pass and User Check before OTP Check make possible brute force...
> -----------------------------------------------------------------
>
> Key: GUACAMOLE-991
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-991
> Project: Guacamole
> Issue Type: Improvement
> Components: guacamole-auth-totp
> Reporter: Mathieu CARBONNEAUX
> Priority: Trivial
>
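The single-step check the reporter asks for, as an added example that is not Guacamole's code: password and token are both evaluated on every request (no early return on a bad password, dummy work for unknown users) and the caller only ever sees one undifferentiated failure. The user store, salt and "correct horse" password are constructed for the demo; the TOTP secret is the RFC 6238 test secret.

```python
import hmac
import hashlib
import struct
import time
from typing import Optional

def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed demo store: username -> (salt, password hash, raw TOTP secret).
_SALT = b"constructed-salt"
_DUMMY_HASH = _pbkdf2("not-a-real-password", _SALT)   # used for unknown users
_DUMMY_SECRET = b"\x00" * 20                          # used for unknown users
USERS = {
    "alice": (_SALT, _pbkdf2("correct horse", _SALT), b"12345678901234567890"),
}

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing t."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def verify_login(username: str, password: str, code: str,
                 now: Optional[int] = None) -> bool:
    """Judge password and OTP together; return only 'ok' / 'not ok'."""
    now = int(time.time()) if now is None else now
    # Unknown user: do the same work against dummy data so neither the
    # response nor the timing reveals whether the account exists.
    salt, pw_hash, secret = USERS.get(
        username, (_SALT, _DUMMY_HASH, _DUMMY_SECRET))
    pw_ok = hmac.compare_digest(_pbkdf2(password, salt), pw_hash)
    # Accept the current step and one step either side for clock skew.
    code_ok = any(hmac.compare_digest(totp(secret, now + d), code)
                  for d in (-30, 0, 30))
    # Bitwise AND on bools: every check runs, nothing short-circuits,
    # and a bad password and a bad token produce the same False.
    return bool(pw_ok & code_ok & (username in USERS))
```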
--
This message was sent by Atlassian Jira (v8.3.4#803005)