This repository has been archived by the owner on Oct 21, 2022. It is now read-only.

No Bruteforce Protection on Account Login #3

Open
sveeke opened this issue Jun 18, 2018 · 4 comments
Labels: bug-security, risk-moderate (Security issues with a moderate impact)
Milestone: Pilot 2018
Comments

@sveeke
Contributor

sveeke commented Jun 18, 2018

threatLevel=Low type=Missing Bruteforce Protection

There is no brute-force protection against the brute-forcing of accounts at the Login Portal.

Example of a login request:

POST /api-auth/token HTTP/1.1
Host: badgr-dev2.edubadges.nl
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Referer: https://surf-dev2.edubadges.nl/auth/login
Content-Length: 58
Origin: https://surf-dev2.edubadges.nl
Connection: close

username=stefanpentest%2Bteacher%40gmail.com&password=test

HTTP/1.1 400 Bad Request
Server: nginx/1.12.2
Date: Thu, 07 Jun 2018 02:32:13 GMT
Content-Type: application/json
Connection: close
Vary: Authorization, Cookie
X-Frame-Options: ALLOW-FROM HTTP://CANVAS.EDUBADGES.NL/, HTTPS://CANVAS.EDUBADGES.NL
Access-Control-Allow-Origin: *
Allow: POST, OPTIONS
Content-Length: 68

{"non_field_errors":["Unable to log in with provided credentials."]}

Impact:
Lack of brute-force protection on the login mechanism may lead to account theft, as the attacker is not blocked from brute-forcing possible passwords.

Recommendation:
Implement a limit on login attempts with the use of Captcha (f.i. https://www.google.com/recaptcha is very effective) after three login attempts.
Enforce an account and IP lockout (or ban) if there are too many login attempts in a short period of time.

@sveeke sveeke added the risk-low Security issues with a low impact label Jun 18, 2018
@sveeke sveeke added this to the Pilot 2018 milestone Jun 18, 2018
@sveeke
Contributor Author

sveeke commented Jun 18, 2018

We won't be using Google Captcha since Google uses third-party domains with tracking capability for it (unless they have local versions of it). A privacy-minded captcha should be used.

@sveeke sveeke added risk-moderate Security issues with a moderate impact bug-security and removed risk-low Security issues with a low impact labels Jun 18, 2018
@ottonomy

We might just recommend an increasing backoff time instead of a captcha, as that would only require code to be changed on badgr-server -- it would be a bit of a complex interaction between badgr-server and badgr-ui otherwise. Tracked on our internal backlog for discussion.

@sveeke
Contributor Author

sveeke commented Jan 17, 2019

And how is the discussion going @ottonomy ?

@ottonomy

We have implemented bruteforce protection via an exponential backoff with a configurable maximum. We did not implement a captcha.
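The following is an added illustration of the mitigation discussed in this thread (a login throttle with exponential backoff and a configurable maximum, keyed on account and client IP as the original recommendation suggests). It is not badgr-server's code; the `LoginThrottle` class, the `attempt_login` helper, the `FakeClock`, the sample account name and the delay parameters are all constructed for the example. State is held in a plain dict so the example runs stand-alone; a real deployment would keep it in a store shared by all worker processes.

```python
"""Exponential-backoff login throttle (added example, not badgr-server code).

Every failed login for a key (account name + client IP) beyond a few free
attempts doubles the wait before the next attempt is accepted, up to a
configurable maximum. A successful login clears the counter. The throttle
is consulted before the password check, so a blocked attempt never
exercises the credential store at all.
"""
import time
from dataclasses import dataclass


@dataclass
class BackoffState:
    failures: int = 0
    blocked_until: float = 0.0  # clock value before which attempts are refused


class FakeClock:
    """Manually advanced clock so the example is deterministic (constructed)."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


class LoginThrottle:
    def __init__(self, base_delay: float = 1.0, max_delay: float = 900.0,
                 free_attempts: int = 3, clock=time.monotonic) -> None:
        self.base_delay = base_delay      # delay after the first throttled failure
        self.max_delay = max_delay        # configurable cap on the backoff
        self.free_attempts = free_attempts
        self.clock = clock
        self._state: dict[str, BackoffState] = {}  # hypothetical in-memory store

    @staticmethod
    def _key(username: str, ip: str) -> str:
        # Keying on account AND source IP: per-IP alone is bypassed by spreading
        # attempts over many addresses, per-account alone lets anyone lock a
        # victim out by spamming wrong passwords.
        return f"{username.strip().lower()}|{ip}"

    def delay_for(self, failures: int) -> float:
        """Delay imposed after the n-th consecutive failure: 0 while within the
        free attempts, then base * 2^(k-1) for the k-th excess failure, capped."""
        excess = failures - self.free_attempts
        if excess <= 0:
            return 0.0
        return min(self.base_delay * 2 ** (excess - 1), self.max_delay)

    def retry_after(self, username: str, ip: str) -> float:
        """Seconds until an attempt for this key is accepted; 0 if allowed now."""
        st = self._state.get(self._key(username, ip))
        if st is None:
            return 0.0
        return max(0.0, st.blocked_until - self.clock())

    def record_failure(self, username: str, ip: str) -> float:
        st = self._state.setdefault(self._key(username, ip), BackoffState())
        st.failures += 1
        delay = self.delay_for(st.failures)
        st.blocked_until = self.clock() + delay
        return delay

    def record_success(self, username: str, ip: str) -> None:
        self._state.pop(self._key(username, ip), None)


def attempt_login(throttle: LoginThrottle, check_password, username: str,
                  ip: str, password: str) -> tuple[bool, float]:
    """Returns (logged_in, retry_after_seconds). Throttle first, verify second."""
    wait = throttle.retry_after(username, ip)
    if wait > 0:
        return False, wait          # refused without touching the credential check
    if check_password(username, password):
        throttle.record_success(username, ip)
        return True, 0.0
    return False, throttle.record_failure(username, ip)


def demo() -> list[tuple[bool, float]]:
    """Constructed scenario: 3 free failures, then 1 s, 2 s, ... up to 8 s."""
    clock = FakeClock()
    throttle = LoginThrottle(base_delay=1.0, max_delay=8.0, free_attempts=3, clock=clock)
    user, ip = "alice@example.invalid", "198.51.100.7"   # constructed sample values
    check = lambda u, p: u == user and p == "correct horse"  # stand-in credential check
    results = []
    for _ in range(6):                                   # six wrong guesses at t=0
        results.append(attempt_login(throttle, check, user, ip, "wrong"))
    clock.t = 1.0                                        # first 1 s block has expired
    results.append(attempt_login(throttle, check, user, ip, "wrong"))   # 5th failure -> 2 s
    clock.t = 3.0                                        # 2 s block has expired
    results.append(attempt_login(throttle, check, user, ip, "correct horse"))
    return results


if __name__ == "__main__":
    for i, (ok, wait) in enumerate(demo(), 1):
        print(f"attempt {i}: ok={ok} retry_after={wait}s")
```

In `demo()` the fourth wrong guess is the first to cost a delay, the fifth and sixth are refused outright because the block is still active (they do not increase the counter, so a flood of requests cannot inflate its own penalty past the cap), and the correct password at t=3 clears the state. Tune `free_attempts`, `base_delay` and `max_delay` to the deployment; the cap is what keeps a legitimate user from being locked out for hours by a burst of someone else's guesses.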
