CAPEC-2 - Inducing Account Lockout

An attacker leverages security functionality that the system put in place to thwart attacks in order to launch a denial of service attack against a legitimate system user. Many systems, for instance, implement a password throttling mechanism that locks an account after a certain number of incorrect login attempts. An attacker can leverage this mechanism to lock a legitimate user out of their own account: all that is required is the victim's login name and the ability to submit enough wrong passwords for it. The weakness being leveraged is the very security feature that was put in place to counteract attacks.


  • Attack Methods (3): API Abuse, Flooding, Brute Force
  • Scopes (1): DoS: resource consumption (other); Availability

Skill level: Low

Prerequisites:

The system has a lockout mechanism.

An attacker must be able to reproduce behavior that would result in an account being locked.

Resources required: a computer with access to the login portion of the target system.

Explore - Step 1 - Investigate account lockout behavior of system

Investigate the security features present in the system that may trigger an account lockout.

Technique ID: 1 - Environment(s): env-Web env-ClientServer env-Local env-Embedded

Analyze system documentation to find the list of events that could potentially cause an account lockout.

Technique ID: 2 - Environment(s): env-Web env-ClientServer env-Local env-Embedded

Obtain a user account in the system and attempt to lock it out by sending malformed or incorrect data repeatedly.

Technique ID: 3 - Environment(s): env-Web env-ClientServer env-Local env-Embedded

Determine another user's login ID, and attempt to brute force the password (or other credentials) for it a predetermined number of times, or until the system provides an indication that the account is locked out.

Indicator ID: 1 - Environment(s) env-Web env-ClientServer env-Local env-Embedded

Type: Positive

System provides an error message stating that the account being attacked is locked out.

Indicator ID: 2 - Environment(s) env-Web env-ClientServer env-Local env-Embedded

Type: Positive

After a certain number of login attempts with a given user ID, the time it takes the system to respond to further login attempts changes noticeably (for example, a locked account is rejected immediately without a password check).

Indicator ID: 3 - Environment(s) env-Web env-ClientServer env-Local env-Embedded

Type: Negative

System has no automatic signup mechanism, and it provides no indication during the login process as to whether the attacker is entering incorrect credentials or the account is locked out.


Security Control ID: 1

Type: Detective

Repeated failed login attempts in application/system logs. A single source that drives many distinct accounts to the lockout threshold in a short window is the signature of this pattern, as opposed to many attempts against one account (password guessing) or a handful of failures followed by a success (a mistyped password).
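As an added illustration of this detective control (not part of the CAPEC entry), the following script runs that check over a constructed audit-log excerpt. The log line format, the threshold, the window and the addresses are assumptions for the example; adapt the regular expression to your own application's log.

```python
"""Detective control for CAPEC-2: find a source that induces lockouts.

Added example, not CAPEC's own code. The log format and all addresses,
usernames and timestamps are constructed for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5            # assumed: failures that lock an account
WINDOW = timedelta(minutes=10)   # assumed: lockout counter window

# Assumed log format: "<ISO-8601 timestamp> <login_failed|login_ok> user=<id> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>login_failed|login_ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def _constructed_log():
    """Build a small excerpt: one lockout-DoS source, one clumsy user, one brute forcer."""
    lines = []
    t = 0
    # 203.0.113.5 sends exactly LOCKOUT_THRESHOLD bad passwords to each of three accounts
    for user in ("alice", "bob", "carol"):
        for _ in range(LOCKOUT_THRESHOLD):
            t += 1
            lines.append(f"2024-05-01T10:00:{t:02d}Z login_failed user={user} src=203.0.113.5")
    lines += [
        "2024-05-01T10:01:00Z login_failed user=dave src=198.51.100.7",  # typo, then success
        "2024-05-01T10:01:05Z login_failed user=dave src=198.51.100.7",
        "2024-05-01T10:01:20Z login_ok user=dave src=198.51.100.7",
    ]
    # 192.0.2.9 keeps guessing one account's password: brute force, not a lockout DoS
    lines += [f"2024-05-01T10:02:{i:02d}Z login_failed user=alice src=192.0.2.9" for i in range(6)]
    lines.append("2024-05-01T10:02:30Z health_check ok")  # unrelated line, skipped by the parser
    return lines


SAMPLE_LOG = _constructed_log()


def parse(lines):
    """Yield (timestamp, result, user, src) for every line that matches LINE_RE."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def find_lockout_sources(lines, threshold=LOCKOUT_THRESHOLD, window=WINDOW, min_accounts=2):
    """Return {src: [accounts]} for sources that pushed at least `min_accounts`
    distinct accounts to `threshold` failures inside `window`."""
    failures = defaultdict(list)  # (src, user) -> failure timestamps
    for ts, result, user, src in parse(lines):
        if result == "login_failed":
            failures[(src, user)].append(ts)

    hits = defaultdict(set)
    for (src, user), stamps in failures.items():
        stamps.sort()
        # sliding window: do any `threshold` consecutive failures fit in `window`?
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                hits[src].add(user)
                break
    return {src: sorted(users) for src, users in hits.items() if len(users) >= min_accounts}


if __name__ == "__main__":
    print(find_lockout_sources(SAMPLE_LOG))
```

With `min_accounts=1` the same function also reports the single-account brute forcer, so the two cases can be routed to different alerts; the user who mistyped twice is never reported because two failures never reach the threshold.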

Security Control ID: 2

Type: Preventative

Do not provide any indication to users that their accounts are locked out. Provide a simple error message such as: "Login failed. Try again or contact your administrator" regardless of why a login attempt fails.


Outcome ID: 1

Type: Success

Attacker determines at least one way to lock out accounts.

Outcome ID: 2

Type: Failure

System provides no indication that account lockouts are possible.


Explore - Step 2 - Obtain list of user accounts to lock out

Generate a list of valid user accounts to lock out.

Technique ID: 1 - Environment(s): env-Web env-ClientServer env-Local env-Embedded

Obtain a list of authorized users using another attack pattern, such as SQL Injection.

Technique ID: 2 - Environment(s): env-Web env-ClientServer env-Local env-Embedded

Attempt to create accounts, if possible; the system will typically indicate whether a user ID is already taken.

Technique ID: 3 - Environment(s): env-Web env-ClientServer env-Local env-Embedded

Attempt to brute force user IDs if the system reveals whether a given user ID is valid or not upon failed login attempts.

Indicator ID: 1 - Environment(s) env-Web env-ClientServer env-Local env-Embedded

Type: Positive

System indicates to unauthenticated users which user IDs are valid and which are not.


Security Control ID: 1

Type: Preventative

Avoid providing any indication regarding the validity of user IDs upon failed login attempts. Provide a simple error message such as: "Login failed. Try again or contact your administrator" regardless of why a login attempt fails.


Outcome ID: 1

Type: Success

Attacker gathers a list of user IDs.

Outcome ID: 2

Type: Inconclusive

Attacker is unable to gather list of valid user IDs; attacker may still be able to lock out accounts by blindly guessing user IDs and performing a lockout procedure with each one.



Exploit - Step 1 - Lock Out Accounts

Perform the lockout procedure for all accounts that the attacker wants to lock out.

Technique ID: 1 - Environment(s): env-Web env-ClientServer env-Local env-Embedded

For each user ID to be locked out, perform the lockout procedure discovered in Explore Step 1.

Indicator ID: 1 - Environment(s): env-Web env-ClientServer env-Local env-Embedded

Type: Positive

Success outcome in Explore Step 1.

Indicator ID: 2 - Environment(s): env-Web env-ClientServer env-Local env-Embedded

Type: Negative

Failure outcome in Explore Step 1.


Outcome ID: 1

Type: Success

Amount of work required by an attacker to lock out a large number of accounts is at least an order of magnitude smaller than the amount of work required to unlock the accounts thereafter.

Outcome ID: 2

Type: Failure

The large amount of work required by an attacker to lock out a large number of accounts makes this an unattractive attack.



Implement intelligent password throttling mechanisms, such as those that take the source IP address into account in addition to the login name, so that failures from one source do not lock the account for every source; prefer a temporary, escalating delay over a permanent lock that an administrator must clear. Keying on the source address alone is not sufficient: an attacker with many addresses can spread the attempts, and legitimate users behind a shared NAT can be penalized together, so combine it with other signals (for example a per-device cookie or a CAPTCHA after repeated failures).
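The three steps above and this mitigation, as an added example that is not part of the CAPEC entry: a naive per-account lockout that leaks both the validity of user IDs (Explore Step 2) and the locked state (Explore Step 1), which the attacker loop weaponizes in the Exploit step, next to a throttle keyed on (source IP, login name) with a doubling backoff and a single generic error message. The usernames, passwords, addresses, threshold and delay are assumptions for the example.

```python
"""CAPEC-2: per-account lockout vs. per-(source, account) throttling.

Added example, not CAPEC's own code. Users, passwords and addresses are
constructed for the demonstration; passwords are compared in plaintext only
to keep the example short.
"""
from collections import defaultdict

MAX_FAILURES = 5          # assumed lockout / throttling threshold
GENERIC_ERROR = "Login failed. Try again or contact your administrator"


class NaiveLockout:
    """Counts failures per username only: anyone who knows a username can lock it.
    Its distinct error messages are the indicators the Explore steps look for."""

    def __init__(self, users):
        self.users = users                 # username -> password
        self.failures = defaultdict(int)
        self.locked = set()

    def login(self, src_ip, username, password):
        if username in self.locked:
            return False, "Account locked"      # confirms the lockout (Explore Step 1)
        if username not in self.users:
            return False, "Unknown user"        # confirms valid user IDs (Explore Step 2)
        if self.users[username] != password:
            self.failures[username] += 1
            if self.failures[username] >= MAX_FAILURES:
                self.locked.add(username)
            return False, "Wrong password"
        self.failures[username] = 0
        return True, "OK"


class SourceAwareThrottle:
    """Counts failures per (source IP, username). Past MAX_FAILURES that pair is
    blocked for a window that doubles with each further failure; other sources
    are unaffected, and every failure returns the same generic message."""
    BASE_DELAY = 60  # seconds, assumed

    def __init__(self, users, clock):
        self.users = users
        self.clock = clock                 # callable returning the current time in seconds
        self.failures = defaultdict(int)
        self.blocked_until = {}

    def login(self, src_ip, username, password):
        key = (src_ip, username)
        now = self.clock()
        if self.blocked_until.get(key, 0) > now:
            return False, GENERIC_ERROR
        # Unknown user and wrong password take the same path and return the same text.
        if self.users.get(username) != password:
            self.failures[key] += 1
            excess = self.failures[key] - MAX_FAILURES
            if excess >= 0:
                self.blocked_until[key] = now + self.BASE_DELAY * 2 ** excess
            return False, GENERIC_ERROR
        self.failures.pop(key, None)
        self.blocked_until.pop(key, None)
        return True, "OK"


def run_lockout_attack(service, attacker_ip, usernames, attempts=MAX_FAILURES):
    """Exploit step of CAPEC-2: submit `attempts` wrong passwords for each username."""
    for username in usernames:
        for i in range(attempts):
            service.login(attacker_ip, username, f"guess{i}")


def demo():
    users = {"alice": "correct horse battery staple", "bob": "hunter2"}
    now = [1_000.0]
    clock = lambda: now[0]

    naive = NaiveLockout(dict(users))
    run_lockout_attack(naive, "203.0.113.5", list(users))
    naive_victim_ok, _ = naive.login("198.51.100.7", "alice", users["alice"])

    hardened = SourceAwareThrottle(dict(users), clock)
    run_lockout_attack(hardened, "203.0.113.5", list(users))
    hardened_victim_ok, _ = hardened.login("198.51.100.7", "alice", users["alice"])
    attacker_blocked = not hardened.login("203.0.113.5", "alice", users["alice"])[0]
    now[0] += SourceAwareThrottle.BASE_DELAY + 1       # first backoff window elapses
    attacker_unblocked = hardened.login("203.0.113.5", "alice", users["alice"])[0]

    return {
        "naive_victim_locked_out": not naive_victim_ok,
        "hardened_victim_ok": hardened_victim_ok,
        "hardened_attacker_source_blocked": attacker_blocked,
        "hardened_attacker_source_unblocked_after_backoff": attacker_unblocked,
    }


if __name__ == "__main__":
    print(demo())
```

The hardened variant still answers a blocked pair faster than a full credential check, so a production implementation should also equalize response time (Explore Step 1, Indicator 2) and, as noted above, not rely on the source address as its only key.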

When implementing security features, consider how they can be misused and made to turn on themselves.