Password Spraying Attack 🚿

Darshan Jogi
3 min read · Feb 1, 2022


Hello everyone! 🎉

I'm Darshan. In this write-up, I am going to discuss a vulnerability that is commonly found and easy to find, but less documented and less discussed.

This meme explains the whole blog

What is a password spraying attack?

A Password Spraying Attack is a type of brute force attack where a malicious attacker attempts the same password on many accounts before moving on to another one and repeating the process. This is effective because many users use simple, predictable passwords.

This attack is possible when an organization does not implement rate limiting (brute-force protection) on the username field.

Image from the OWASP blog: https://owasp.org/www-community/attacks/Password_Spraying_Attack

Why would an attacker use this technique?

When the attacker targets an organization rather than an individual. When the attacker's goal is simply to get logged in to the organization, no matter whose account it is, and the password field is protected by rate limiting, that is when hackers will use this technique.

Let's see how I found this bug

I can't disclose the name of the target because.….

Let's call it Nothing. I mean nothing.com 😂.

So nothing.com has a restriction: a user can only have 4 login attempts, otherwise the user will be blocked for 30 minutes.

So here is the bug:

  1. Go to nothing.com
  2. Add any email address
  3. Add any very common password, e.g. password123
  4. Capture the request in Burp Suite
  5. Send the request to Intruder
  6. Select the email as the intruding point
  7. Select the email list as the payload
  8. Start the attack

POC:-

In the PoC, the hacker successfully logs in to nothing.com by intruding on the email address against the common password.

Mitigation

Brute-force prevention should be applied to both fields, i.e., username and password.

Reference:- https://owasp.org/www-community/attacks/Password_Spraying_Attack

I hope you guys enjoyed reading this write-up and learned something new from it.

Follow me on Twitter, LinkedIn, Instagram.

See you in the next bug bounty write-up! 👋
