Nuxeo Platform: NXP-32528

#PT12068_6 - Login page vulnerable to bruteforce attacks


    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Security, Security / Rights

      Description

      Server Security Misconfiguration > No Rate Limiting on Form > Login

      Proof of Concept

      1. Browse "https://pentest.beta.nuxeocloud.com/nuxeo/login.jsp" URL for login attempt.
      2. Place a random username and password in the username and password areas.
      3. Use a proxy tool like Burp Suite to intercept HTTP traffic.
      4. Click the "Log in" button on the login page.
      5. Intercept and send the request to the Intruder module of the Burp Suite tool.
      6. Clear all reference points and place only a reference on the "password" parameter.
      7. On the Payloads tab, use a wordlist.
      8. Start the attack and observe how the login form is vulnerable to the brute force attack.

      Suggested Fix

      Implement multi-factor authentication.
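      The finding is classified as "No Rate Limiting on Form > Login", so the direct server-side control is to count failed attempts and lock the (account, source) pair out for a while once a threshold is crossed; MFA, as suggested above, is a complementary layer. The following is an added example written for this report, not Nuxeo code and not the reporter's; the thresholds, the constructed user store and the `attempt_login` function are illustrative assumptions.

```python
import hashlib
import hmac
from collections import deque

# Illustrative thresholds (assumptions for this example, not Nuxeo settings)
MAX_FAILURES = 5        # failed attempts tolerated inside the sliding window
WINDOW_SECONDS = 300    # how far back failures are counted
LOCKOUT_SECONDS = 900   # how long a (account, source) pair stays locked


class LoginRateLimiter:
    """Counts failed logins per (username, client IP) in a sliding window and
    locks that pair once MAX_FAILURES is reached. Keying on the pair, rather
    than on the username alone, keeps one source from locking every user out;
    keying on the IP alone would be defeated by spreading attempts across sources."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = {}      # (user, ip) -> deque of failure timestamps
        self._locked_until = {}  # (user, ip) -> unix time when the lock expires

    @staticmethod
    def _key(username, client_ip):
        return (username.strip().lower(), client_ip)

    def is_locked(self, username, client_ip, now):
        key = self._key(username, client_ip)
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now < until:
            return True
        # Lock expired: forget it and the failures that caused it.
        del self._locked_until[key]
        self._failures.pop(key, None)
        return False

    def record_failure(self, username, client_ip, now):
        """Register a failed attempt; returns True if this attempt triggered a lock."""
        key = self._key(username, client_ip)
        stamps = self._failures.setdefault(key, deque())
        stamps.append(now)
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()          # drop failures older than the window
        if len(stamps) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, username, client_ip):
        self._failures.pop(self._key(username, client_ip), None)


def hash_password(password, salt, iterations=100_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


# Constructed sample user store for the example (not real credentials).
_SALT = b"constructed-static-salt"
USERS = {"alice": hash_password("correct horse battery staple", _SALT)}
_DUMMY = hash_password("dummy-for-unknown-users", _SALT)


def attempt_login(limiter, username, password, client_ip, now):
    """Returns 'locked', 'ok' or 'invalid'.

    The limiter check runs before any credential verification, so a locked pair
    cannot probe passwords at all. Unknown users and wrong passwords both yield
    'invalid' (and both cost a PBKDF2 computation), so the response does not
    reveal which usernames exist."""
    if limiter.is_locked(username, client_ip, now):
        return "locked"
    stored = USERS.get(username.strip().lower())
    candidate = hash_password(password, _SALT)
    matches = hmac.compare_digest(candidate, stored if stored is not None else _DUMMY)
    if stored is not None and matches:
        limiter.record_success(username, client_ip)
        return "ok"
    limiter.record_failure(username, client_ip, now)
    return "invalid"


if __name__ == "__main__":
    limiter = LoginRateLimiter()
    t0 = 1_700_000_000
    for i in range(MAX_FAILURES):
        print(attempt_login(limiter, "alice", f"guess{i}", "203.0.113.10", t0 + i))
    # Even the right password is refused while the pair is locked.
    print(attempt_login(limiter, "alice", "correct horse battery staple", "203.0.113.10", t0 + 10))
```

      Running the module shows five `invalid` results followed by `locked` for the correct password from the same source; a different source, or the same source after the lockout expires, logs in normally. In a real deployment the counters would live in shared storage (so every node sees the same state), lockouts would be logged for detection, and the response to a locked pair would be a generic error with the same shape as an ordinary failure.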

      People

      • Assignee: Unassigned
      • Reporter: santony Sooraj Antony