Surprisingly easy CGI dictionary attack...

  1. #1
    Junior Member
    Join Date
    Aug 2003
    Posts
    11

    Surprisingly easy CGI dictionary attack...

    Before reading, please know that my intent is not malicious. I seek only to point out the poor security of many CGI login forms.

    I recently wrote a simple batch file that utilized cURL to carry out a limited dictionary attack on a CGI program. If anyone is unfamiliar with this, cURL is basically a command line tool for making HTTP, FTP, etc. requests. I used 2,000 common passwords. It was surprisingly easy, and could be summed up in one line:

    REM Batch FOR variables must be a single letter (%%p), so the original %%pass would not parse
    FOR %%p IN (list) DO curl -d "username=username&password=%%p" site.com/cgiprogram >> results.html

    I tested it out on a smaller scale on my own account on one of the various webservices I use, and surprisingly, it worked. It scares me that with my limited experience in programming, I was still able to do this. It's also alarming that many sites still have unlimited login attempts.
    Everything Turns Grey!

  2. #2
    Banned
    Join Date
    Jun 2005
    Posts
    445
    Ok... what exactly is wrong with this post?

    It does not in any way deserve the bashing it has apparently received.


    Shame on y'all.


    If you have a problem with this, say something. Defend your position in the public forum, not behind a facade of APs.

  3. #3
    ********** |ceWriterguy
    Join Date
    Aug 2004
    Posts
    1,608
    Ok, I'll say something publicly that I told the OP in private - why I was the 2nd to neg him, and his thread:

    Talking about the issue is fine. Giving the 'how to' is NOT. Read page 1 of AO titled 'What AntiOnline IS'
    For my reasons on negging the thread too, read why for yourself.

    Now, was that such an issue that you had to bring this thread back to the top where he'll get negged further?
    Even a broken watch is correct twice a day.

    Which coder said that nobody could outcode Microsoft in their own OS? Write a bit and make a fortune!

  4. #4
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    New Jersey
    Posts
    718
    Well, I gave the guy some positive AP's. Although giving a 'how to' can be used for malicious purposes, it can also be used to help educate us on how to defend against it. By showing us an example of the code, we can at least begin to understand how the attack works.
    Basically what blithendell did, was warn all of us how this potential attack is structured. I see nothing wrong with that.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  5. #5
    Junior Member
    Join Date
    Aug 2003
    Posts
    11
    Did I miss something? Where was the bashing of the thread?
    Everything Turns Grey!

  6. #6
    oldie ric-o's Avatar
    Join Date
    Nov 2002
    Posts
    487
    Ice:
    I'm usually in agreement with you on most stuff but I disagree with you here. I don't have a problem with the posting... I see it as an educational/pen-testing help.

    It's stuff like this, sharing of code/techniques, that makes this site more of a security site.

    Maybe I'm just in a good mood right now. dunno

  7. #7
    ********** |ceWriterguy
    Join Date
    Aug 2004
    Posts
    1,608
    no big ric-o, I shut my head after getting balanced anyway. Maybe I was in a pissy mood. Who knows? Who cares? :P
    Even a broken watch is correct twice a day.

    Which coder said that nobody could outcode Microsoft in their own OS? Write a bit and make a fortune!

  8. #8
    Howdy.

    Very interesting find there blithendell.
    It's amazing how taking the simplest route can get you similar results..


    cheers
    front2back

  9. #9
    Senior Member
    Join Date
    Dec 2003
    Location
    Texas
    Posts
    158

    how we learn

    How we learn is reading stuff like this. You can't fix something unless you know how it got broken in the first place. It looks to me like he was showing an example rather than giving a step by step howto.
    im a Steve Wozniak in a bill gates world

  10. #10
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    Well,

    The actual method is trivial, in that all it basically does is automate an iterative process. It is neither rocket science nor malicious per se IMO. After all, you could sit in front of the screen with the list and key them in manually, couldn't you?

    There are two basic issues raised:

    1. Don't use dictionary words, common passwords or default passwords (even if the default is for something entirely different), as they are likely to be on the list.

    I would say that this is pretty much common knowledge amongst people who visit security sites.

    2. Some sites have unlimited login attempts.

    Now that is one for concern, as you may have already committed private information before you find this out, and you may not be able to close the account of your own accord.

    This emphasises the need for a long and strong password if you wish to use such sites. I know there are those who think that long passwords are actually a security problem, but they don't have to be.

    Say you chose Password..................not a very good choice, so let's say it is pa$$W0rd and this is your "core" all you need to do is pack it out a bit:

    wXyZpa$$W0rd9876 ................. then a bit more................ [wXyZpa$$W0rd9876$]

    Now that would be impossible for a dictionary attack over the internet, and is quite easy to remember because it is modular in construction. As it is 20 characters it would even defeat most rainbow tables that are readily available or constructable.

    But, at the end of the day the solution is for the site to allow 3~5 attempts then drop the connection and lock the account for a period. In that situation the probability of finding even a 6 character pass is well nigh zero.

    Another mitigating factor in these sorts of attack is that they are over the internet, and effectively require you to fill out and submit a "form" for validation. That is one hell of a slow process.

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?
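The lockout nihil recommends (a handful of attempts, then the account is locked for a period) together with a common-password check, as an added example written for this thread and not code posted by any member; the user table, the sample password list, the iteration count and the injectable clock are constructed for the demo.

```python
# Added example: server-side guard against the CGI dictionary attack described
# in this thread. Locks an account after MAX_ATTEMPTS failures and rejects
# passwords that appear on a common-password list. All sample data is constructed.
import hashlib
import hmac
import os
import time

MAX_ATTEMPTS = 5            # nihil suggests allowing 3~5 attempts
LOCKOUT_SECONDS = 15 * 60   # lock the account for a period after that
PBKDF2_ROUNDS = 100_000     # kept modest so the demo runs quickly
DUMMY_SALT = b"\x00" * 16   # used for unknown users so timing does not leak existence

# Constructed stand-in for the "2,000 common passwords" list the OP used.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "pa$$w0rd"}


def hash_password(password, salt=None):
    """PBKDF2-SHA256 with a random 16-byte salt; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LoginGuard:
    def __init__(self, users, clock=time.monotonic):
        self.clock = clock                      # injectable so tests can advance time
        self.creds = {u: hash_password(p) for u, p in users.items()}
        self.failures = {}                      # user -> consecutive failed attempts
        self.locked_until = {}                  # user -> monotonic time the lock expires

    def is_locked(self, user):
        return self.clock() < self.locked_until.get(user, 0.0)

    def attempt(self, user, password):
        """Returns 'ok', 'denied' or 'locked'; the reply never says which part failed."""
        if self.is_locked(user):
            return "locked"                     # even the right password is refused while locked
        salt, expected = self.creds.get(user, (DUMMY_SALT, b""))
        _, got = hash_password(password, salt)  # always hash, so unknown users cost the same
        if expected and hmac.compare_digest(got, expected):
            self.failures.pop(user, None)
            return "ok"
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        if n >= MAX_ATTEMPTS:
            self.locked_until[user] = self.clock() + LOCKOUT_SECONDS
            self.failures.pop(user, None)
            return "locked"
        return "denied"


def password_is_acceptable(password):
    """Refuse list words and short passwords, as the thread advises (12+ chars here)."""
    return len(password) >= 12 and password.lower() not in COMMON_PASSWORDS
```

With five guesses the attacker is locked out, and the legitimate user's correct password is also refused until the lock expires, which is why the lock period should be short and the attempt count small.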
