Inducing Account Lockout
Attack Pattern ID: 2 (Standard Attack Pattern Completeness: Complete) | Typical Severity: Medium | Status: Draft
Summary
An attacker leverages the security functionality of the system aimed at thwarting potential attacks to launch a denial of service attack against a legitimate system user. Many systems, for instance, implement a password throttling mechanism that locks an account after a certain number of incorrect login attempts. An attacker can leverage this throttling mechanism to lock a legitimate user out of their own account. The weakness being leveraged by the attacker is the very security feature that has been put in place to counteract attacks.
Attack Execution Flow
Investigate account lockout behavior of system:
Investigate the security features present in the system that may trigger an account lockout
Attack Step Techniques
ID | Attack Step Technique Description | Environments
---|---|---
1 | Analyze system documentation to find list of events that could potentially cause account lockout | env-Web env-ClientServer env-Local env-Embedded
2 | Obtain user account in system and attempt to lock it out by sending malformed or incorrect data repeatedly | env-Web env-ClientServer env-Local env-Embedded
3 | Determine another user's login ID, and attempt to brute force the password (or other credentials) for it a predetermined number of times, or until the system provides an indication that the account is locked out. | env-Web env-ClientServer env-Local env-Embedded
Indicators
ID | Type | Indicator Description | Environments
---|---|---|---
1 | Positive | System provides error message stating that account being attacked is locked out. | env-Web env-ClientServer env-Local env-Embedded
2 | Positive | After a certain number of login attempts with a given user ID, the amount of time it takes for the system to respond to further login attempts changes noticeably. | env-Web env-ClientServer env-Local env-Embedded
3 | Negative | System has no automatic signup mechanism, and system provides no indication as to whether the attacker is entering incorrect credentials or the account is locked out during the login process. | env-Web env-ClientServer env-Local env-Embedded
Outcomes
ID | Type | Outcome Description
---|---|---
1 | Success | Attacker determines at least one way to lock out accounts.
2 | Failure | System provides no indication that account lockouts are possible.
Security Controls
ID | Type | Security Control Description
---|---|---
1 | Detective | Repeated failed login attempts in application/system logs.
2 | Preventative | Do not provide any indication to users that their accounts are locked out. Provide a simple error message such as: "Login failed. Try again or contact your administrator" regardless of why a login attempt fails.
Obtain list of user accounts to lock out:
Generate a list of valid user accounts to lock out
Attack Step Techniques
ID | Attack Step Technique Description | Environments
---|---|---
1 | Obtain list of authorized users using another attack pattern, such as SQL Injection. | env-Web env-ClientServer env-Local env-Embedded
2 | Attempt to create accounts if possible; system should indicate if a user ID is already taken. | env-Web env-ClientServer env-Local env-Embedded
3 | Attempt to brute force user IDs if system reveals whether a given user ID is valid or not upon failed login attempts. | env-Web env-ClientServer env-Local env-Embedded
Indicators
ID | Type | Indicator Description | Environments
---|---|---|---
1 | Positive | System indicates which user IDs are valid and which are not to unauthenticated users. | env-Web env-ClientServer env-Local env-Embedded
Outcomes
ID | Type | Outcome Description
---|---|---
1 | Success | Attacker gathers list of user IDs.
2 | Inconclusive | Attacker is unable to gather list of valid user IDs; attacker may still be able to lock out accounts by blindly guessing user IDs and performing a lockout procedure with each one.
Security Controls
ID | Type | Security Control Description
---|---|---
1 | Preventative | Avoid providing any indication regarding the validity of user IDs upon failed login attempts. Provide a simple error message such as: "Login failed. Try again or contact your administrator" regardless of why a login attempt fails.
Lock Out Accounts:
Perform lockout procedure for all accounts that the attacker wants to lock out.
Attack Step Techniques
ID | Attack Step Technique Description | Environments
---|---|---
1 | For each user ID to be locked out, perform the lockout procedure discovered in the first step. | env-Web env-ClientServer env-Local env-Embedded
Indicators
ID | Type | Indicator Description | Environments
---|---|---|---
1 | Positive | Success outcome in first step | env-Web env-ClientServer env-Local env-Embedded
2 | Negative | Failure outcome in first step | env-Web env-ClientServer env-Local env-Embedded
Outcomes
ID | Type | Outcome Description
---|---|---
1 | Success | Amount of work required by an attacker to lock out a large number of accounts is at least an order of magnitude smaller than the amount of work required to unlock the accounts thereafter.
2 | Failure | The large amount of work required by an attacker to lock out a large number of accounts makes this an unattractive attack.
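The first step's detective control (repeated failed logins in application/system logs) and the third step's sweep over many user IDs together say what a defender should look for in an authentication log: not only many failures on one account, but a few failures on each of many accounts from one place, or many accounts reaching the lockout threshold in a short time from anywhere. The following Python is an added example, not CAPEC content or any product's code; the log line format, the addresses, the user IDs and the thresholds are constructed for the demo and would be adapted to a real log.

```python
"""Added example (not from CAPEC): spotting lockout-inducing login activity
in an authentication log.  Log format, thresholds and addresses are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: a lockout sweep from 203.0.113.9 (three wrong passwords for
# each of several accounts), one ordinary typo from 198.51.100.7, and a
# single-account brute force from 192.0.2.44.
SAMPLE_LOG = """\
2024-03-05T10:00:01Z auth FAIL user=alice src=203.0.113.9
2024-03-05T10:00:02Z auth FAIL user=alice src=203.0.113.9
2024-03-05T10:00:03Z auth FAIL user=alice src=203.0.113.9
2024-03-05T10:00:04Z auth FAIL user=bob src=203.0.113.9
2024-03-05T10:00:05Z auth FAIL user=bob src=203.0.113.9
2024-03-05T10:00:06Z auth FAIL user=bob src=203.0.113.9
2024-03-05T10:00:07Z auth FAIL user=carol src=203.0.113.9
2024-03-05T10:00:08Z auth FAIL user=carol src=203.0.113.9
2024-03-05T10:00:09Z auth FAIL user=carol src=203.0.113.9
2024-03-05T10:01:00Z auth FAIL user=dave src=198.51.100.7
2024-03-05T10:01:30Z auth OK user=dave src=198.51.100.7
2024-03-05T11:30:00Z auth FAIL user=erin src=192.0.2.44
2024-03-05T11:30:01Z auth FAIL user=erin src=192.0.2.44
2024-03-05T11:30:02Z auth FAIL user=erin src=192.0.2.44
2024-03-05T11:30:03Z auth FAIL user=erin src=192.0.2.44
2024-03-05T11:30:04Z auth FAIL user=erin src=192.0.2.44
2024-03-05T11:30:05Z auth FAIL user=erin src=192.0.2.44
2024-03-05T11:30:06Z auth FAIL user=erin src=192.0.2.44
"""

# Assumed line shape; replace with the pattern of the real auth log.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_failures(log_text):
    """Return failed-login events as (timestamp, user, src), sorted by time."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["result"] == "FAIL":
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["user"], m["src"]))
    events.sort()
    return events


def lockout_sweep_sources(log_text, window_minutes=10, min_failures=6, min_accounts=3):
    """Sources whose failures inside one window are spread over several accounts.

    A brute force produces many failures on one user ID; a lockout sweep (step 3
    of the pattern) produces a few failures on each of many user IDs from the
    same place.  Keying on the source makes that spread visible."""
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for ts, user, src in parse_failures(log_text):
        by_src[src].append((ts, user))
    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            accounts = {user for _, user in span}
            if len(span) >= min_failures and len(accounts) >= min_accounts:
                hit = {"failures": len(span), "accounts": sorted(accounts)}
                if src not in alerts or hit["failures"] > alerts[src]["failures"]:
                    alerts[src] = hit  # keep the widest window seen for this source
    return alerts


def lockout_storm(log_text, threshold=3, window_minutes=10):
    """Largest number of distinct accounts that reached the lockout threshold
    inside one window, whatever the source.  This catches a sweep spread over
    many addresses, which lockout_sweep_sources cannot see."""
    window = timedelta(minutes=window_minutes)
    per_account = defaultdict(list)
    for ts, user, _ in parse_failures(log_text):
        per_account[user].append(ts)
    crossings = []  # (time the account first hit `threshold` failures, user)
    for user, stamps in per_account.items():
        for i in range(threshold - 1, len(stamps)):
            if stamps[i] - stamps[i - threshold + 1] <= window:
                crossings.append((stamps[i], user))
                break
    crossings.sort()
    best, best_accounts, start = 0, [], 0
    for end in range(len(crossings)):
        while crossings[end][0] - crossings[start][0] > window:
            start += 1
        if end - start + 1 > best:
            best = end - start + 1
            best_accounts = [user for _, user in crossings[start:end + 1]]
    return best, best_accounts


if __name__ == "__main__":
    print(lockout_sweep_sources(SAMPLE_LOG))
    print(lockout_storm(SAMPLE_LOG))
```

On the constructed log the sweep detector flags only 203.0.113.9 (nine failures over three accounts within seconds); the seven failures from 192.0.2.44 are a single-account brute force and are left to a separate rule. The storm count reports three accounts crossing the threshold inside the same ten minutes, a figure worth comparing against the normal rate of lockouts rather than against a fixed number.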
Attack Prerequisites
The system has a lockout mechanism.
An attacker must be able to reproduce behavior that would result in an account being locked.
Description
A famous example of this type of attack is the eBay attack. eBay always displays the user ID of the highest bidder. In the final minutes of the auction, one of the bidders could try to log in as the highest bidder three times. After three incorrect login attempts, eBay password throttling would kick in and lock out the highest bidder's account for some time. An attacker could then make their own bid and their victim would not have a chance to place the counter bid because they would be locked out. Thus an attacker could win the auction.
Solutions and Mitigations
Implement intelligent password throttling mechanisms such as those which take IP address into account, in addition to the login name.
When implementing security features, consider how they can be misused and made to turn on themselves.
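As an added example (not from CAPEC, eBay or any product) of the source-aware throttling recommended above, the Python below puts a naive per-account lockout next to a throttle keyed on the (source address, user ID) pair, with the uniform error message that the pattern's preventative control asks for. The class names, the limits, the window length, the addresses and the demo password are all assumptions made for the example.

```python
"""Added example (not from CAPEC or eBay): a naive per-account lockout beside a
source-aware throttle.  Class names, limits, window, addresses and the demo
password are constructed for illustration."""
from collections import defaultdict

# The uniform error text from the pattern's preventative control: the caller
# cannot tell "wrong password" from "locked out" from "no such user".
GENERIC_ERROR = "Login failed. Try again or contact your administrator"


class NaiveLockout:
    """Locks an account after MAX_FAILURES wrong passwords from *anyone*.
    This is the behaviour the pattern abuses: knowing a user ID is enough to
    deny that user service."""
    MAX_FAILURES = 3

    def __init__(self, users):
        self.users = users              # user ID -> password (demo only)
        self.failures = defaultdict(int)

    def login(self, user, password, source_ip, now):
        if self.failures[user] >= self.MAX_FAILURES:
            return False, GENERIC_ERROR  # locked, whoever is asking
        if self.users.get(user) == password:
            self.failures[user] = 0
            return True, "ok"
        self.failures[user] += 1
        return False, GENERIC_ERROR


class SourceAwareThrottle:
    """Counts failures per (source, user) pair inside a sliding window, plus a
    looser cap per source.  A stranger's failures against 'alice' block only
    the stranger; alice from her own address is unaffected."""
    PAIR_LIMIT = 3      # failures per (source, user) before that pair is refused
    SOURCE_LIMIT = 10   # failures per source across all user IDs
    WINDOW = 900        # seconds a failure stays counted

    def __init__(self, users):
        self.users = users
        self.pair_failures = defaultdict(list)    # (src, user) -> [timestamps]
        self.source_failures = defaultdict(list)  # src -> [timestamps]

    def _recent(self, stamps, now):
        """Drop timestamps older than WINDOW (in place) and count the rest."""
        stamps[:] = [t for t in stamps if now - t < self.WINDOW]
        return len(stamps)

    def login(self, user, password, source_ip, now):
        pair = (source_ip, user)
        blocked = (self._recent(self.pair_failures[pair], now) >= self.PAIR_LIMIT
                   or self._recent(self.source_failures[source_ip], now) >= self.SOURCE_LIMIT)
        if not blocked and self.users.get(user) == password:
            self.pair_failures[pair].clear()
            return True, "ok"
        # Wrong password, or any attempt while blocked: both count, both get
        # the same message, so nothing about the block state leaks.
        self.pair_failures[pair].append(now)
        self.source_failures[source_ip].append(now)
        return False, GENERIC_ERROR


def demonstrate():
    """Three wrong passwords for 'alice' from 203.0.113.9, then alice logs in
    from 198.51.100.7 with the right password.  Returns what each policy did."""
    users = {"alice": "correct-horse-battery-staple"}
    results = {}

    naive = NaiveLockout(users)
    for t in range(3):
        naive.login("alice", "wrong", "203.0.113.9", now=100 + t)
    results["naive_victim_can_login"] = naive.login(
        "alice", users["alice"], "198.51.100.7", now=110)[0]

    throttle = SourceAwareThrottle(users)
    for t in range(3):
        throttle.login("alice", "wrong", "203.0.113.9", now=100 + t)
    results["throttle_blocked_source_can_login"] = throttle.login(
        "alice", users["alice"], "203.0.113.9", now=110)[0]
    results["throttle_victim_can_login"] = throttle.login(
        "alice", users["alice"], "198.51.100.7", now=110)[0]
    # Once the window has passed the pair is usable again; no manual unlock.
    results["throttle_source_after_window"] = throttle.login(
        "alice", users["alice"], "203.0.113.9", now=110 + SourceAwareThrottle.WINDOW)[0]
    return results


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value}")
```

With the naive policy the victim's correct password is refused after three failures from a stranger; with the pair-keyed throttle the victim logs in normally while the stranger's address stays refused for the window, and the refusal expires on its own, which also removes the unlock work the third step's success outcome relies on. Keying on the source address is not a complete answer: users behind a shared NAT share a source, and a sweep can be spread over many addresses, which is why the per-source cap is loose and why the throttle is best paired with the log-based detection described for the first step.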
Related Weaknesses
CWE-ID | Weakness Name | Weakness Relationship Type
---|---|---
400 | Uncontrolled Resource Consumption ('Resource Exhaustion') | Secondary
Related Attack Patterns
Nature | Type | ID | Name | Description | View(s) this relationship pertains to
---|---|---|---|---|---
ChildOf | Category | 212 | Functionality Misuse | | Mechanism of Attack (primary) 1000
Content History
Submissions
Submitter | Organization | Date
---|---|---
Eugene Lebanidze | Cigital, Inc | 2007-02-26
Modifications
Modifier | Organization | Date | Comments
---|---|---|---
Sean Barnum | Cigital, Inc | 2007-03-01 | Review and revision of content
Richard Struse | VOXEM, Inc | 2007-03-26 | Review and feedback leading to changes in Name, Description and Solutions
Sean Barnum | Cigital, Inc | 2007-04-13 | Modified pattern content according to review and feedback
Amit Sethi | Cigital, Inc. | 2007-10-29 | Added extended Attack Execution Flow