Password Spraying Attack
Hello everyone!
I'm Darshan. In this write-up, I am going to discuss a vulnerability that is commonly found and easy to find, but less documented and less discussed.
What is a password spraying attack?
A password spraying attack is a form of brute-force attack in which the attacker tries the same password against many accounts before moving on to the next password and repeating the process. It is effective because, in any large user population, some users choose simple, predictable passwords.
The attack succeeds when the organization's brute-force protection is keyed to the account alone, i.e. the lockout counts failed attempts per username, and nothing limits how many distinct usernames a single source can try. Each account receives only one failed attempt per password, so the per-account threshold is never reached, while the attacker's total number of attempts is unbounded.
Why would an attacker use this technique?
Attackers use it when the target is an organization rather than an individual: the goal is simply to obtain a valid login to the organization, no matter whose account, and the password field is protected by per-account rate limiting that defeats a classic one-account, many-passwords brute force.
Let's see how I found this bug
I can't disclose the name of the target because…
Let's call it Nothing. I mean nothing.com.
So nothing.com has a restriction: an account gets 4 login attempts, after which it is blocked for 30 minutes.
So here is the bug:
1. Go to nothing.com.
2. Enter any email address.
3. Enter a very common password, e.g. password123.
4. Capture the request in Burp Suite.
5. Send the request to Intruder.
6. Mark the email field as the payload position.
7. Load an email list as the payload.
8. Start the attack.
PoC:
In the PoC, the attacker successfully logs in to nothing.com by iterating the email address against the single common password.
Mitigation
Brute-force protection should not be keyed to the account alone. Lock or throttle per account, and also rate-limit and alert on failed logins per source IP, device or session, and on the number of distinct usernames one source attempts; in other words, the username must be a protected field just like the password. Multi-factor authentication and a ban on commonly sprayed passwords such as password123 limit the damage when a spray does land (see the OWASP reference below).
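The following simulation, added here as an illustration and not code from the write-up or from nothing.com, reproduces the Intruder run above and the mitigation: a login service with the post's 4-attempt / 30-minute per-account lockout, a classic brute force that the lockout stops, a spray of one password across many usernames that the lockout never sees, and the same spray against a service that also counts failures per source IP. The per-source threshold and window, the user table, the email wordlist and the source address are constructed assumptions; only the 4/30-minute lockout comes from the post.

```python
"""Password spraying vs. per-account lockout, simulated.

Constructed example written for this write-up; it is not nothing.com's
login code and not the original author's tooling. The 4-attempt /
30-minute account lockout follows the post; the per-source threshold,
the user table, the wordlist and the source IP are assumptions.
"""
from collections import defaultdict

LOCK_THRESHOLD = 4            # failed attempts per account before lockout (from the post)
LOCK_SECONDS = 30 * 60        # lockout duration in seconds (from the post)
SOURCE_THRESHOLD = 10         # assumed: failures per source IP before the source is cut off
SOURCE_WINDOW = 10 * 60       # assumed: sliding window for the per-source counter, seconds

# Constructed user table: one user in four has a commonly sprayed password.
USERS = {
    "alice@nothing.com": "Tr0ub4dor&3!kx",
    "bob@nothing.com": "xK9#mvQ2pL7r",
    "carol@nothing.com": "password123",
    "dave@nothing.com": "Zq8!wLp3nR5s",
}


class LoginService:
    """Login endpoint with a per-account lockout and, optionally, a per-source limit.

    The clock is passed in as `now` (seconds) so every run is deterministic.
    """

    def __init__(self, per_source_limit=False):
        self.per_source_limit = per_source_limit
        self.account_failures = defaultdict(int)     # username -> consecutive failures
        self.account_locked_until = {}               # username -> unlock time
        self.source_failures = defaultdict(list)     # source ip -> failure timestamps

    def login(self, username, password, source_ip, now):
        if self.per_source_limit:
            # Mitigation: count failures per source, whatever username was tried.
            recent = [t for t in self.source_failures[source_ip] if now - t < SOURCE_WINDOW]
            self.source_failures[source_ip] = recent
            if len(recent) >= SOURCE_THRESHOLD:
                return "source_blocked"
        # Per-account lockout: the only control nothing.com had.
        if self.account_locked_until.get(username, 0) > now:
            return "account_locked"
        if USERS.get(username) == password:
            self.account_failures[username] = 0
            return "success"
        # Unknown usernames are counted like wrong passwords so the response
        # does not reveal which accounts exist.
        self.account_failures[username] += 1
        if self.account_failures[username] >= LOCK_THRESHOLD:
            self.account_locked_until[username] = now + LOCK_SECONDS
        if self.per_source_limit:
            self.source_failures[source_ip].append(now)
        return "failure"


def brute_force(service, username, passwords, source_ip, start=0.0, interval=1.0):
    """Classic brute force: many passwords against one account. Returns result counts."""
    counts = defaultdict(int)
    for i, pw in enumerate(passwords):
        counts[service.login(username, pw, source_ip, start + i * interval)] += 1
    return dict(counts)


def spray(service, usernames, password, source_ip, start=0.0, interval=1.0):
    """Password spray: one password against many accounts, the Intruder run from the post.
    Returns (accounts that accepted the password, result counts)."""
    compromised, counts = [], defaultdict(int)
    for i, user in enumerate(usernames):
        result = service.login(user, password, source_ip, start + i * interval)
        counts[result] += 1
        if result == "success":
            compromised.append(user)
    return compromised, dict(counts)


def run_demo():
    """Three runs from one attacker IP, one attempt per second."""
    attacker_ip = "203.0.113.7"  # constructed source address
    wordlist = list(USERS) + [f"user{i}@nothing.com" for i in range(16)]   # 20 addresses
    common = ["password123", "123456", "qwerty", "letmein", "welcome1", "Tr0ub4dor&3!kx"]

    # 1. Brute force of one account: locked after 4 failures; attempt 6 carries the
    #    correct password but is rejected because the account is already locked.
    brute = brute_force(LoginService(), "alice@nothing.com", common, attacker_ip)
    # 2. Spray with per-account lockout only: every account sees a single failure,
    #    nothing locks, and the one weak password is found.
    vulnerable = spray(LoginService(), wordlist, "password123", attacker_ip)
    # 3. Same spray with the per-source limit: the source is cut off after
    #    SOURCE_THRESHOLD failures, so the tail of the list is never tested.
    hardened = spray(LoginService(per_source_limit=True), wordlist, "password123", attacker_ip)
    return {"brute_force": brute, "spray_vulnerable": vulnerable, "spray_hardened": hardened}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Two things worth noticing in the output. In run 3 the weak account is still compromised, because it sits third in the attacker's list and the source is only cut off after the tenth failure: a per-source limit caps how many usernames one address can test per window and gives the SOC a clear signal (many distinct usernames, one password pattern, one source), but it does not save an account whose password is in the first few guesses, which is why banning commonly sprayed passwords and requiring MFA belong in the mitigation as well. Real attackers also rotate source addresses, so the per-source counter should be paired with the other signals rather than relied on by itself.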
Reference: https://owasp.org/www-community/attacks/Password_Spraying_Attack