CAPEC-2
Inducing Account Lockout
Alta
Média
Draft
2014-06-23
00h00 +00:00
00h00 +00:00
2021-06-24
00h00 +00:00
00h00 +00:00
Alerta para um CAPEC
Fique informado sobre quaisquer alterações para um CAPEC específico.
Descrições CAPEC
An attacker leverages the security functionality of the system aimed at thwarting potential attacks to launch a denial of service attack against a legitimate system user. Many systems, for instance, implement a password throttling mechanism that locks an account after a certain number of incorrect log in attempts. An attacker can leverage this throttling mechanism to lock a legitimate user out of their own account. The weakness that is being leveraged by an attacker is the very security feature that has been put in place to counteract attacks.
Informações CAPEC
Fluxo de Execução
1) Experiment
[Investigate account lockout behavior of system] Investigate the security features present in the system that may trigger an account lockout
Técnica
- Analyze system documentation to find list of events that could potentially cause account lockout
- Obtain user account in system and attempt to lock it out by sending malformed or incorrect data repeatedly
- Determine another user's login ID, and attempt to brute force the password (or other credentials) for it a predetermined number of times, or until the system provides an indication that the account is locked out.
2) Experiment
[Obtain list of user accounts to lock out] Generate a list of valid user accounts to lock out
Técnica
- Obtain list of authorized users using another attack pattern, such as SQL Injection.
- Attempt to create accounts if possible; system should indicate if a user ID is already taken.
- Attempt to brute force user IDs if system reveals whether a given user ID is valid or not upon failed login attempts.
3) Exploit
[Lock Out Accounts] Perform lockout procedure for all accounts that the attacker wants to lock out.
Técnica
- For each user ID to be locked out, perform the lockout procedure discovered in the first step.
Pré-requisitos
The system has a lockout mechanism.An attacker must be able to reproduce behavior that would result in an account being locked.
Habilidades Necessárias
No programming skills or computer knowledge is needed. An attacker can easily use this attack pattern following the Execution Flow above.Recursos Necessários
Computer with access to the login portion of the target systemMitigações
Implement intelligent password throttling mechanisms such as those which take IP address into account, in addition to the login name.When implementing security features, consider how they can be misused and made to turn on themselves.
Fraquezas Relacionadas
| Nome da Fraqueza | |
|---|---|
CWE-645 |
Overly Restrictive Account Lockout Mechanism The product contains an account lockout protection mechanism, but the mechanism is too restrictive and can be triggered too easily, which allows attackers to deny service to legitimate users by causing their accounts to be locked out. |
Submissão
| Nome | Organização | Data | Data de lançamento |
|---|---|---|---|
| CAPEC Content Team | The MITRE Corporation |
Modificações
| Nome | Organização | Data | Comentário |
|---|---|---|---|
| CAPEC Content Team | The MITRE Corporation | Updated Attacker_Skills_or_Knowledge_Required | |
| CAPEC Content Team | The MITRE Corporation | Updated Related_Weaknesses | |
| CAPEC Content Team | The MITRE Corporation | Updated Related_Attack_Patterns | |
| CAPEC Content Team | The MITRE Corporation | Updated Taxonomy_Mappings |
