CAPEC-2
Inducing Account Lockout
Alto
Medio
Draft
2014-06-23
00h00 +00:00
00h00 +00:00
2021-06-24
00h00 +00:00
00h00 +00:00
Alerta para un CAPEC
Manténgase informado sobre cualquier cambio en un CAPEC específico.
Descripciones CAPEC
An attacker leverages the security functionality of the system aimed at thwarting potential attacks to launch a denial of service attack against a legitimate system user. Many systems, for instance, implement a password throttling mechanism that locks an account after a certain number of incorrect log in attempts. An attacker can leverage this throttling mechanism to lock a legitimate user out of their own account. The weakness that is being leveraged by an attacker is the very security feature that has been put in place to counteract attacks.
Informaciones CAPEC
Flujo de ejecución
1) Experiment
[Investigate account lockout behavior of system] Investigate the security features present in the system that may trigger an account lockout
Técnica
- Analyze system documentation to find list of events that could potentially cause account lockout
- Obtain user account in system and attempt to lock it out by sending malformed or incorrect data repeatedly
- Determine another user's login ID, and attempt to brute force the password (or other credentials) for it a predetermined number of times, or until the system provides an indication that the account is locked out.
2) Experiment
[Obtain list of user accounts to lock out] Generate a list of valid user accounts to lock out
Técnica
- Obtain list of authorized users using another attack pattern, such as SQL Injection.
- Attempt to create accounts if possible; system should indicate if a user ID is already taken.
- Attempt to brute force user IDs if system reveals whether a given user ID is valid or not upon failed login attempts.
3) Exploit
[Lock Out Accounts] Perform lockout procedure for all accounts that the attacker wants to lock out.
Técnica
- For each user ID to be locked out, perform the lockout procedure discovered in the first step.
Prerrequisitos
The system has a lockout mechanism.An attacker must be able to reproduce behavior that would result in an account being locked.
Habilidades requeridas
No programming skills or computer knowledge is needed. An attacker can easily use this attack pattern following the Execution Flow above.Recursos requeridos
Computer with access to the login portion of the target systemMitigaciones
Implement intelligent password throttling mechanisms such as those which take IP address into account, in addition to the login name.When implementing security features, consider how they can be misused and made to turn on themselves.
Debilidades relacionadas
| Nombre de la debilidad | |
|---|---|
CWE-645 |
Overly Restrictive Account Lockout Mechanism The product contains an account lockout protection mechanism, but the mechanism is too restrictive and can be triggered too easily, which allows attackers to deny service to legitimate users by causing their accounts to be locked out. |
Envío
| Nombre | Organización | Fecha | Fecha de lanzamiento |
|---|---|---|---|
| CAPEC Content Team | The MITRE Corporation |
Modificaciones
| Nombre | Organización | Fecha | Comentario |
|---|---|---|---|
| CAPEC Content Team | The MITRE Corporation | Updated Attacker_Skills_or_Knowledge_Required | |
| CAPEC Content Team | The MITRE Corporation | Updated Related_Weaknesses | |
| CAPEC Content Team | The MITRE Corporation | Updated Related_Attack_Patterns | |
| CAPEC Content Team | The MITRE Corporation | Updated Taxonomy_Mappings |
