Difference between revisions of "Account lockout attack"

From OWASP
(7 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
 {{Template:Attack}}
 <br>
Line 97: Line 7:
 ==Description==
-In an account lockout attack, the attacker attempts to lock out all user accounts, typically by failing login more times than the threshold defined by the authentication system. For example, if users are locked out of their accounts after three failed login attempts, an attacker can lock out their account for them simply by failing login three times. This attack can result in a large scale denial of service attack if all user accounts are locked out, especially if the amount of work required to reset the accounts is signficant.
+In an account lockout attack, an attacker attempts to lock out user accounts by purposely failing the authentication process as many times as needed to trigger the account lockout functionality. This in turn prevents even the valid user from obtaining access to their account. For example, if an account lockout policy states that users are locked out of their accounts after three failed login attempts, an attacker can lock out accounts by deliberately sending an invalid password three times. On a large scale, this attack can be used as one method in launching a [https://www.owasp.org/index.php/Denial_of_Service denial of service] attack on many accounts. The impact of such an attack is compounded when there is a significant amount of work required to unlock the accounts to allow users to attempt to authenticate again.
 
 ==Risk Factors==
-TBD
+
 
 ==Examples ==
-===eBay attack===
+===eBay Account Lockout Attack===
-:Account lockout attacks are used to exploit authentication systems that are susceptible to denial of service. A famous example of this type of attack is eBay's. eBay used to display the user id of the highest bidder (in the meantime they changed their way of working). In the final minutes of the auction, one of the bidders could try to log in as the highest bidder three times. After three incorrect log in attempts, eBay password throttling would kick in and lock out the highest bidder's account for some time.  An attacker could then make their own bid and their victim would not have a chance to place a counter bid because they would be locked out. Thus an attacker could win the auction.
+
+At one time, eBay displayed the user-id of the highest bidder for a given auction. In the final minutes of the auction, an attacker who was wanting to outbid the current highest bidder could attempt to authenticate three times using the targeted account. After three deliberately incorrect authentication attempts, eBay password throttling would lock out the highest bidder's account for a certain amount of time. An attacker could then make their own bid and the legitimate user would not have a chance to place a counter-bid because they would be locked out of their account.
 
 ==Related [[Threat Agents]]==
-* [[:Category:Authentication]]
+
 
 ==Related [[Attacks]]==
 * [[Brute force attack]]
+* [[Denial of Service]]
 
 ==Related [[Vulnerabilities]]==
-TBD
+* [https://www.owasp.org/index.php/Category:Abuse_of_Functionality Abuse of Functionality]
+* http://www.gnucitizen.org/blog/username-enumeration-vulnerabilities/
 
 ==Related [[Controls]]==
+* [[Authentication Cheat Sheet]]
+* [[Testing for Captcha (OWASP-AT-008)]]
+* [[Testing for User Enumeration and Guessable User Account (OWASP-AT-002)]]
 * [[Authentication]]
 
 ==References==
-TBD
+http://cwe.mitre.org/data/definitions/645.html
 
 [[Category:Abuse of Functionality]]
 [[Category:Exploitation of Authentication]]
 [[Category: Attack]]

Latest revision as of 22:21, 12 August 2013

This is an Attack. To view all attacks, please see the Attack Category page.



Last revision (mm/dd/yy): 08/12/2013

Description

In an account lockout attack, an attacker attempts to lock out user accounts by purposely failing the authentication process as many times as needed to trigger the account lockout functionality. This in turn prevents even the valid user from obtaining access to their account. For example, if an account lockout policy states that users are locked out of their accounts after three failed login attempts, an attacker can lock out accounts by deliberately sending an invalid password three times. On a large scale, this attack can be used as one method in launching a denial of service attack on many accounts. The impact of such an attack is compounded when there is a significant amount of work required to unlock the accounts to allow users to attempt to authenticate again.
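The following is an added example, not code from OWASP or from this page, that puts the policy described above next to one that keeps brute-force protection without handing attackers a denial-of-service lever. The user name, the stand-in password hash, the fixed clock and the two IP addresses are all constructed for the demo. HardLockout counts failures per account only, so three wrong passwords from any source lock the real owner out; ThrottledLockout attaches the penalty to the failing (account, source) pair and only raises a step-up challenge on the account itself.

```python
"""Two account-lockout policies side by side (added example, not OWASP code).

HardLockout reproduces the behaviour the description warns about: failures are
counted per account only, so any party that fails MAX_FAILURES times locks the
legitimate owner out.  ThrottledLockout keeps the brute-force protection but
attaches the penalty to the failing source and only raises a step-up challenge
on the account, so the owner can still get in.  Hash, users and addresses are
constructed for the demo.
"""
import hashlib
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 3          # policy threshold, as in the text's "three failed attempts"
LOCK_SECONDS = 15 * 60    # how long a lock or a throttle lasts

# Constructed credential store: SHA-256 stands in for a real password hash.
USERS = {"highest_bidder": hashlib.sha256(b"correct horse").hexdigest()}


def password_ok(user, password):
    """Constant-time comparison against the stored digest; unknown users fail."""
    stored = USERS.get(user)
    if stored is None:
        return False
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, digest)


class HardLockout:
    """Vulnerable policy: N failures from anyone lock the account for everyone."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(int)
        self.locked_until = {}

    def login(self, user, password, source_ip):
        now = self.clock()
        if self.locked_until.get(user, 0) > now:
            return "locked"              # even the correct password is refused
        if password_ok(user, password):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked_until[user] = now + LOCK_SECONDS
            self.failures[user] = 0
        return "denied"


class ThrottledLockout:
    """Hardened policy: throttle the failing (account, source) pair; the account
    itself is never hard-locked, it only demands a step-up challenge."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.source_failures = defaultdict(int)   # keyed by (user, source_ip)
        self.throttled_until = {}                 # keyed by (user, source_ip)
        self.account_failures = defaultdict(int)

    def login(self, user, password, source_ip, challenge_passed=False):
        now = self.clock()
        key = (user, source_ip)
        if self.throttled_until.get(key, 0) > now:
            return "throttled"           # only this source is slowed down
        if self.account_failures[user] >= MAX_FAILURES and not challenge_passed:
            return "challenge_required"  # step-up (CAPTCHA / second factor), not a lock
        if password_ok(user, password):
            self.account_failures[user] = 0
            self.source_failures[key] = 0
            return "ok"
        self.account_failures[user] += 1
        self.source_failures[key] += 1
        if self.source_failures[key] >= MAX_FAILURES:
            self.throttled_until[key] = now + LOCK_SECONDS
            self.source_failures[key] = 0
        return "denied"


def run_scenario(policy_cls):
    """Three wrong passwords from one address, then the owner with the right one."""
    policy = policy_cls(clock=lambda: 1000.0)   # fixed clock keeps the run deterministic
    attacker, owner = "203.0.113.9", "198.51.100.7"
    results = [policy.login("highest_bidder", "wrong", attacker) for _ in range(3)]
    results.append(policy.login("highest_bidder", "correct horse", owner))
    if results[-1] == "challenge_required":      # hardened policy: owner completes the step-up
        results.append(policy.login("highest_bidder", "correct horse", owner, challenge_passed=True))
    return results


if __name__ == "__main__":
    print("hard lockout:", run_scenario(HardLockout))
    print("throttled   :", run_scenario(ThrottledLockout))
```

Under HardLockout the owner's correct password is answered with "locked"; under ThrottledLockout the owner is asked for a step-up challenge and then admitted, while the source that produced the failures is the only party throttled. The unlock cost the description mentions disappears with it, because nothing needs to be reset by an administrator.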

Risk Factors

Examples

eBay Account Lockout Attack

At one time, eBay displayed the user-id of the highest bidder for a given auction. In the final minutes of the auction, an attacker wanting to outbid the current highest bidder could attempt to authenticate three times using the targeted account. After three deliberately incorrect authentication attempts, eBay password throttling would lock out the highest bidder's account for a certain amount of time. An attacker could then make their own bid, and the legitimate user would have no chance to place a counter-bid because they would be locked out of their account.
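The eBay case leaves a recognisable trace in authentication logs: a short run of failures against one account from an address that has never logged into it, followed by the real owner being refused. Below is an added example, not code from OWASP or from this page, that flags that pattern in a batch of log lines. The log format, the timestamps, the user names and the addresses are all constructed for the demo; a real deployment would adapt the regular expression to its own authentication log.

```python
"""Spot lockout-style failure bursts in authentication logs (added example, not
OWASP code).  The pattern in the eBay story is a run of failures against one
account from an address the account owner has never used, followed by the owner
being refused.  The log format and every line in it are constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>OK|FAIL|LOCKED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: the owner logs in from 198.51.100.7, a burst of failures from
# 203.0.113.9 follows, then the owner is turned away with LOCKED.  alice's single
# failure from her usual address is ordinary noise and must not be flagged.
SAMPLE_LOG = """\
2013-08-12T21:50:02Z auth result=OK user=highest_bidder src=198.51.100.7
2013-08-12T21:58:01Z auth result=FAIL user=highest_bidder src=203.0.113.9
2013-08-12T21:58:03Z auth result=FAIL user=highest_bidder src=203.0.113.9
2013-08-12T21:58:04Z auth result=FAIL user=highest_bidder src=203.0.113.9
2013-08-12T21:58:40Z auth result=LOCKED user=highest_bidder src=198.51.100.7
2013-08-12T21:59:10Z auth result=FAIL user=alice src=198.51.100.7
2013-08-12T22:05:00Z auth result=OK user=alice src=198.51.100.7
"""


def parse(log_text):
    """Turn matching lines into dicts with a datetime under 'ts', oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # skip lines that are not auth records
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def find_lockout_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return one alert per (user, src) whose failures reach `threshold` inside
    `window` while `src` has no earlier successful login for that user."""
    known_sources = defaultdict(set)      # user -> sources with an earlier OK
    recent_fails = defaultdict(list)      # (user, src) -> failure timestamps in window
    alerts, flagged = [], set()
    for e in events:
        user, src, ts = e["user"], e["src"], e["ts"]
        if e["result"] == "OK":
            known_sources[user].add(src)  # learned incrementally, in time order
            continue
        if e["result"] != "FAIL":
            continue
        key = (user, src)
        q = recent_fails[key]
        q.append(ts)
        q[:] = [t for t in q if ts - t <= window]
        if len(q) >= threshold and src not in known_sources[user] and key not in flagged:
            flagged.add(key)
            alerts.append({"user": user, "src": src, "failures": len(q),
                           "first": q[0], "last": ts})
    # Impact check: was the owner (a different source) refused shortly after the burst?
    for a in alerts:
        a["victim_locked_out"] = any(
            e["result"] == "LOCKED" and e["user"] == a["user"] and e["src"] != a["src"]
            and a["last"] <= e["ts"] <= a["last"] + window
            for e in events)
    return alerts


if __name__ == "__main__":
    for alert in find_lockout_bursts(parse(SAMPLE_LOG)):
        print(alert)
```

The "known source" condition is what separates this from a plain failed-login counter: a user mistyping their own password from their usual address never trips it, while a burst from an address with no history against the account does. The impact flag ties the burst to the owner's LOCKED event, which is the signal that the lockout policy itself has become the denial-of-service vector.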

Related Threat Agents

Related Attacks

Related Vulnerabilities

Related Controls

References

http://cwe.mitre.org/data/definitions/645.html