Forum Discussion

RealGame_122486
Jun 01, 2013

BruteForce Protection On Redirection Page

Hi all,

I made a vulnerable application (HackMe Credit) and I'm trying to protect it.

If you want to see its code:

Google Code Page: https://code.google.com/p/hackmecredit/

This is the login page functionality:

The login is on every page, like a master page in ASP.NET. When someone enters a username and password, the details are sent with a POST request to "pages/signin.jsp". This page then puts an error, or the user_id and the user's full name, in the session and redirects to the index page ("page=homepage").

This is an example of the traffic:

 

REQUEST:

POST /pages/signin.jsp HTTP/1.1
Host: 172.16.32.100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.16.32.100/index.jsp?page=homepage
Cookie: JSESSIONID=ADBC27543A4C30CB516734A88E58CCC1

user=yossi&pass=4297f44b13955235245b2497399d7a93&signin=signin

RESPONSE:

HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Location: http://172.16.32.100/index.jsp?page=homepage

 

Then, if the password is wrong, the response of "/index.jsp?page=homepage" contains: forgot your password?

I know it's not easy to solve. Thanks.
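
The flow described in the post above, as an added example that is not part of the original post or of the HackMe Credit code: a monitor that ties each POST to /pages/signin.jsp to the next homepage response on the same session and counts a failure when that page carries the "forgot your password?" text. The record fields, the policy of 3 failures in 60 seconds, and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

LOGIN_PATH = "/pages/signin.jsp"           # from the post
LANDING_PATH = "/index.jsp?page=homepage"  # from the post
FAIL_MARKER = "forgot your password?"      # text the post reports after a wrong password

class RedirectLoginMonitor:
    """Counts failed logins whose verdict is only visible after the 302."""
    def __init__(self, max_failures=3, window=60):  # assumed policy values
        self.max_failures, self.window = max_failures, window
        self.pending = {}                   # session id -> client awaiting a verdict
        self.failures = defaultdict(deque)  # client address -> failure timestamps

    def is_blocked(self, client, now):
        recent = self.failures[client]
        while recent and now - recent[0] > self.window:
            recent.popleft()                # forget failures outside the window
        return len(recent) >= self.max_failures

    def observe(self, tx):
        """Feed one request/response pair; returns 'block', 'fail', 'ok' or None."""
        client, sid, now = tx["client"], tx["session"], tx["time"]
        if tx["method"] == "POST" and tx["path"] == LOGIN_PATH:
            if self.is_blocked(client, now):
                return "block"              # reject before the application sees it
            if tx["status"] == 302:
                self.pending[sid] = client  # verdict arrives with the next page
            return None
        if tx["method"] == "GET" and tx["path"] == LANDING_PATH and sid in self.pending:
            owner = self.pending.pop(sid)
            if FAIL_MARKER in tx["body"].lower():
                self.failures[owner].append(now)
                return "fail"
            return "ok"
        return None

def replay_constructed_traffic():
    """Constructed sample: four bad logins from one client, one good from another."""
    def pair(client, sid, t, page):
        base = {"client": client, "session": sid, "time": t}
        return [dict(base, method="POST", path=LOGIN_PATH, status=302, body=""),
                dict(base, method="GET", path=LANDING_PATH, status=200, body=page)]
    traffic = []
    for t in range(4):
        traffic += pair("198.51.100.7", "S%d" % t, t, "<a>Forgot your password?</a>")
    traffic += pair("203.0.113.9", "GOOD", 5, "<p>Welcome</p>")
    monitor = RedirectLoginMonitor()
    return [monitor.observe(tx) for tx in traffic]
```

Failures are counted per client address rather than per session, because a client can discard its JSESSIONID between attempts.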

 

 

2 Replies

  • Hello,

    I am facing almost the same issue with more complications. Have you solved the issue of brute force above if redirection is being triggered?

    Thanks, George