[NXP-32528] #PT12068_6 - Login page vulnerable to bruteforce attacks - Nuxeo Issue Tracker

Starting October 25th, 2024, all support issues must be submitted through Hyland Community. To submit a support case through Hyland Community, you'll need to create a Hyland ID. Please note that the Nuxeo Jira site will enter read-only mode at 5:00 PM on October 25th and will remain in this state indefinitely. During this transition, access to Jira Projects will be temporarily unavailable. We will provide a new site and link to view Jira issues by November 8th, 2024. Further details on accessing the new platform will be shared closer to that date.

XML

Word

Printable

Details

Type: Bug
Status: Open
Priority: Minor
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: None
Component/s: Security, Security / Rights

Tags:
- Security
- pentest

Description

Server Security Misconfiguration > No Rate Limiting on Form > Login

Proof of Concept

Browse "https://pentest.beta.nuxeocloud.com/nuxeo/login.jsp" URL for login attempt

Place a random username and password in username and password areas,

Use a proxy tool like burpsuite to intercept HTTP traffic.

Click "Log in" button on login page.

Intercept and send the request to the Intruder module on burpsuite tool.

Clear all reference point and place only a reference on "password" parameter.

On Payloads tab, use wordlist

Start attack and observe how the login form is vulnerable to the brute force attack.

Suggested Fix

implement multi-factor authentication

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

PT12068_6.pdf
188 kB
2024-05-15 18:08

Activity

People

Assignee:

Unassigned

Reporter:

Sooraj Antony

Participants:

Sooraj Antony

Votes:

0 Vote for this issue

Watchers:

1 Start watching this issue

Dates

Created:

2024-05-12 11:47

Updated:

2024-05-15 18:08