The Burp Suite User Forum was discontinued on the 1st November 2024.


LAB: Broken brute-force protection, multiple credentials per request

Jules | Last updated: Jan 28, 2023 10:12PM UTC

Hi team, my question here is not strictly related to how to solve the lab, but rather I'm trying to understand how things are implemented under the hood. My learning approach usually involves understanding how things go, because I don't have a good memory and therefore the only way I have to fix a concept is to understand exactly how something was built (and eventually reproduce it). Having said that, I don't think the lab is difficult; there are enough hints to understand how it should be solved. But in my case I feel like I guessed the solution, but I can't explain why. Then I'm wondering if the lab is reproducing a realistic case or we are just talking about dedicated CTF stuff? Could I encounter such a situation in the real world? I imagine password validation as an equality check or something similar. Why should a developer validate the input against an array? The thing is not clear to me, and I hope somebody could help me to understand or just provide some example of what kind of typical pattern is behind it? Thank you

nyb1e | Last updated: Feb 24, 2023 07:32PM UTC

I am curious as well; the only explanation that I can come up with is a developer who is carelessly misusing his ORM library, resulting in something like:

    try:
        user = users.find('xxx')
        return user.getField('password').is_in(<json_payload:password>)
        # instead of ...('password').is_eq(<json_payload:password>)
    except:
        # user_not_found_error
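To make the pattern Jules asked about and nyb1e sketched concrete, here is an added example that is not part of the thread and not PortSwigger's lab code. It assumes a hypothetical JSON login handler with a per-username lockout counter; the user store, the usernames and the passwords are constructed for the demo. The vulnerable handler follows a common "accept either a single value or a list" convention (as seen in helpers written for repeated query-string parameters) and then tests the stored credential for membership in whatever the client sent, so one request can carry many guesses while the lockout counter advances by one. The hardened handler beside it insists on exactly one string password, counts every attempt, and compares in constant time.

```python
import hmac
import json
from hashlib import sha256

# Constructed demo user store: username -> SHA-256 hex of the password.
# A real system would use a slow password hash (argon2, bcrypt, scrypt);
# SHA-256 is used here only to keep the example dependency-free.
USERS = {
    "alice": sha256(b"correct-horse").hexdigest(),
}

MAX_ATTEMPTS = 3  # hypothetical lockout threshold per username


def hash_password(pw: str) -> str:
    return sha256(pw.encode()).hexdigest()


def vulnerable_login(raw_body: str, attempts: dict) -> bool:
    """Login handler with the careless pattern discussed in the thread.

    One HTTP request counts as one attempt, but the password check tolerates
    a JSON array, so every element of the array is tested against the stored
    credential in that single attempt.
    """
    body = json.loads(raw_body)
    username = body.get("username")
    supplied = body.get("password")
    if username not in USERS:
        return False
    if attempts.get(username, 0) >= MAX_ATTEMPTS:
        return False  # locked out
    attempts[username] = attempts.get(username, 0) + 1
    # Defect: "single value or list" normalisation with no type check, followed
    # by a membership test instead of an equality test.
    candidates = supplied if isinstance(supplied, list) else [supplied]
    return USERS[username] in [hash_password(str(c)) for c in candidates]


def hardened_login(raw_body: str, attempts: dict) -> bool:
    """Same handler with strict input typing and a constant-time comparison."""
    body = json.loads(raw_body)
    username = body.get("username")
    supplied = body.get("password")
    # Reject anything that is not exactly one string username and one string
    # password before touching the credential store or the counter.
    if not isinstance(username, str) or not isinstance(supplied, str):
        return False
    if username not in USERS:
        return False
    if attempts.get(username, 0) >= MAX_ATTEMPTS:
        return False  # locked out
    attempts[username] = attempts.get(username, 0) + 1
    return hmac.compare_digest(USERS[username], hash_password(supplied))


def demo() -> dict:
    """Run both handlers against the same constructed request bodies."""
    # Constructed request: an array of guesses in the password field.
    array_body = json.dumps({"username": "alice",
                             "password": ["guess1", "guess2", "correct-horse"]})
    single_wrong = json.dumps({"username": "alice", "password": "guess1"})
    single_right = json.dumps({"username": "alice", "password": "correct-horse"})

    vuln_attempts: dict = {}
    vuln_result = vulnerable_login(array_body, vuln_attempts)

    hard_attempts: dict = {}
    hard_array_result = hardened_login(array_body, hard_attempts)
    for _ in range(MAX_ATTEMPTS):
        hardened_login(single_wrong, hard_attempts)
    hard_locked_result = hardened_login(single_right, hard_attempts)

    return {
        "vulnerable_accepts_array": vuln_result,        # True
        "vulnerable_attempts_counted": vuln_attempts["alice"],  # 1
        "hardened_rejects_array": hard_array_result,    # False
        "hardened_locks_out": hard_locked_result,       # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to take away is the one Liam makes below the surface: the lockout logic itself is fine, but a type-tolerant comparison quietly turns "one attempt per request" into "one request, many attempts". Whitelisting the input type before the credential check is what closes the gap.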

Liam, PortSwigger Agent | Last updated: Feb 27, 2023 10:27AM UTC

Hi Jules, nyb1e,

Most vulnerabilities in authentication mechanisms arise in one of two ways:

1. The authentication mechanisms are weak because they fail to protect against brute-force attacks adequately.
2. Logic flaws or poor coding in the implementation allow the authentication mechanisms to be bypassed entirely by an attacker. This is sometimes referred to as "broken authentication."

Logic flaws and poor coding can occur in various ways; we believe this lab provides a representative example.

Please let us know if you need any further assistance.

godojo | Last updated: Jun 15, 2023 06:13PM UTC

Yeah, this lab shouldn't be graded as Expert, as there was no reason to just compare the password against the whole array.
