Account lockout attack

From OWASP
Revision as of 23:33, 16 January 2013

This is an Attack. To view all attacks, please see the Attack Category page.



Last revision (mm/dd/yy): 01/16/2013

Description

In an account lockout attack, an attacker deliberately fails the authentication process for a target account as many times as needed to trigger its account lockout policy. The lockout then prevents the legitimate user from accessing their own account. For example, if the policy locks an account after three failed login attempts, an attacker who knows or can guess the username can lock it by submitting an invalid password three times. Applied to many accounts, this becomes a denial of service attack against the application's user base, and its impact is compounded when unlocking accounts requires significant effort (for example, a help-desk call) before users can authenticate again.

Risk Factors

TBD

Examples

eBay Account Lockout Attack

At one time, eBay displayed the user id of the highest bidder for a given auction. In the final minutes of the auction, an attacker wanting to outbid the current highest bidder could attempt to authenticate as that user three times. After three deliberately incorrect authentication attempts, eBay's password throttling would lock out the highest bidder's account for a period of time. The attacker could then place their own bid, and the legitimate user, locked out of their account, had no chance to place a counter-bid.
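To make the contrast concrete, here is an added example in Python, written for this page and not code from OWASP or eBay: a naive per-account lockout that the attack described above defeats, beside a throttling design that blocks only the offending source and escalates an account under attack to a CAPTCHA step instead of locking it. It replays the auction scenario against both designs. All class and method names, thresholds, and the 203.0.113.x / 198.51.100.x addresses are assumptions constructed for the demonstration.

```python
"""Added example: a lockout-prone login path beside one that resists lockout DoS.

Illustrative code written for this page, not OWASP's or eBay's. The class and
method names, thresholds and the TEST-NET addresses used as sample inputs are
assumptions made up for the demonstration.
"""
from collections import defaultdict, deque


class NaiveLockoutAuth:
    """Locks the account after MAX_FAILURES wrong passwords, no matter who sent them.
    Anyone who knows a username can deny its owner access by failing MAX_FAILURES times."""
    MAX_FAILURES = 3
    LOCKOUT_SECONDS = 900

    def __init__(self, users):
        self._users = dict(users)          # username -> password (plaintext only for the demo)
        self._failures = defaultdict(int)  # username -> consecutive failures
        self._locked_until = {}            # username -> time the lock expires

    def login(self, username, password, source_ip, now, captcha_solved=False):
        # source_ip and captcha_solved are ignored: the counter is keyed on the account alone
        if self._locked_until.get(username, 0) > now:
            return "locked"
        if self._users.get(username) == password:
            self._failures[username] = 0
            return "ok"
        self._failures[username] += 1
        if self._failures[username] >= self.MAX_FAILURES:
            self._locked_until[username] = now + self.LOCKOUT_SECONDS
            self._failures[username] = 0
            return "locked"
        return "bad_password"


class ThrottledAuth:
    """Throttles failures per (account, source) and per source, and escalates an
    account under attack to a CAPTCHA instead of locking it, so a third party
    cannot deny the owner access from the owner's own address."""
    WINDOW = 900          # seconds of failure history considered
    MAX_PER_PAIR = 3      # failures tolerated per (account, source_ip) in WINDOW
    MAX_PER_IP = 20       # failures tolerated per source_ip across all accounts
    MAX_PER_ACCOUNT = 5   # failures from any sources before the account needs a CAPTCHA

    def __init__(self, users):
        self._users = dict(users)
        self._pair_fail = defaultdict(deque)     # (username, ip) -> failure timestamps
        self._ip_fail = defaultdict(deque)       # ip -> failure timestamps
        self._account_fail = defaultdict(deque)  # username -> failure timestamps

    def _recent(self, dq, now):
        """Drop timestamps older than WINDOW in place and return the queue."""
        while dq and dq[0] <= now - self.WINDOW:
            dq.popleft()
        return dq

    def login(self, username, password, source_ip, now, captcha_solved=False):
        pair = self._recent(self._pair_fail[(username, source_ip)], now)
        per_ip = self._recent(self._ip_fail[source_ip], now)
        per_account = self._recent(self._account_fail[username], now)
        # Block only the offending source; the account stays usable from elsewhere.
        if len(pair) >= self.MAX_PER_PAIR or len(per_ip) >= self.MAX_PER_IP:
            return "throttled"
        # Many failures from many sources: demand a CAPTCHA rather than lock out.
        # The owner can still get in by solving it; a bot cannot lock the owner out.
        if len(per_account) >= self.MAX_PER_ACCOUNT and not captcha_solved:
            return "captcha_required"
        if self._users.get(username) == password:
            pair.clear()
            return "ok"
        pair.append(now)
        per_ip.append(now)
        per_account.append(now)
        return "bad_password"


def simulate_auction_attack(auth_cls):
    """Replay the page's auction scenario against either design and return the
    real bidder's final login result. The attacker at 203.0.113.5 deliberately
    fails three logins as 'highbidder'; the real bidder then sends the correct
    password from 198.51.100.7 (solving a CAPTCHA if asked to)."""
    auth = auth_cls({"highbidder": "correct horse battery staple"})
    t = 1_000_000.0
    for i in range(3):
        auth.login("highbidder", f"wrong-{i}", "203.0.113.5", t + i)
    result = auth.login("highbidder", "correct horse battery staple", "198.51.100.7", t + 10)
    if result == "captcha_required":
        result = auth.login("highbidder", "correct horse battery staple",
                            "198.51.100.7", t + 11, captcha_solved=True)
    return result


if __name__ == "__main__":
    print("naive lockout:", simulate_auction_attack(NaiveLockoutAuth))  # locked
    print("throttled:    ", simulate_auction_attack(ThrottledAuth))     # ok
```

Running the file prints `locked` for the naive design and `ok` for the throttled one. Two caveats a practitioner should weigh before copying this pattern: the per-source limits can be worked around by an attacker with many addresses, which is why the per-account tier escalates to a CAPTCHA (or a second factor) rather than a hard lock; and a per-IP limit that is too tight can itself cut off many legitimate users behind a shared NAT or proxy, so MAX_PER_IP should sit well above the per-pair limit and be tuned from real traffic.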

Related Threat Agents

TBD

Related Attacks

* Brute force attack
* Denial of Service

Related Vulnerabilities

* Abuse of Functionality (https://www.owasp.org/index.php/Category:Abuse_of_Functionality)
* Username enumeration vulnerabilities (http://www.gnucitizen.org/blog/username-enumeration-vulnerabilities/)

Related Controls

* Authentication Cheat Sheet
* Testing for Captcha (OWASP-AT-008)
* Testing for User Enumeration and Guessable User Account (OWASP-AT-002)
* Authentication

References

CWE-645: Overly Restrictive Account Lockout Mechanism, http://cwe.mitre.org/data/definitions/645.html