
[Challenge]

The purpose of this challenge is to demonstrate password guessing attacks. These are made possible by MITRE Top 25 programming flaws such as:

The developers of the application have created an administration account to manage different configurations of the application. For convenience, the password was hard-coded in the JSP file. The admin user's password also happens to be insecure: it is one of the top 10 most insecure passwords.

[Challenge Description]

  This challenge simply asks us to guess a user's account password with a password guessing attack. If the website does nothing to limit guessing attempts, a hacker may well guess the target user's password.

[Weakness Hints]

    The software does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.

From MITRE CWE-307 - Improper Restriction of Excessive Authentication Attempts

    The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

From MITRE CWE-798 - Use of Hard-coded Credentials

  If the application does not implement a proper blocking mechanism to stop a hacker from guessing user passwords an unlimited number of times, the user's credentials may be successfully cracked. At the same time, users should not use the most common simple passwords. Below are the top 10 most commonly guessed passwords:

[Solution]

  1. Open the page: https://abc.xxx.elasticbeanstalk.com/cwe307
  2. Guess the password using the top 10 most commonly cracked passwords until one succeeds. (iloveyou)

[Security Principle]

  User accounts should avoid simple or easily guessed passwords, and the application should block further attempts after a reasonable number of wrong password entries to prevent password guessing attacks.
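As an added illustration of the two principles above (not code from the challenge or from this post), a Python authenticator that keeps salted hashes instead of a password hard-coded in the source and locks an account after repeated failures. The user name, passwords, threshold and lockout window are constructed values chosen for the demo.

```python
import hashlib, hmac, os, time

MAX_FAILURES = 5        # failed attempts allowed before the account locks
LOCKOUT_SECONDS = 900   # lockout window (15 minutes)


def _hash(salt, password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Authenticator:
    """Salted PBKDF2 hashes (no hard-coded secrets) plus failed-attempt lockout (CWE-307)."""

    def __init__(self, clock=time.time):
        self.users = {}      # username -> (salt, digest)
        self.failures = {}   # username -> (failure count, locked_until)
        self.clock = clock   # injectable so the window can be advanced in tests

    def add_user(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(salt, password))

    def login(self, username, password):
        now = self.clock()
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"   # refused even if the password is correct
        stored = self.users.get(username)
        salt, digest = stored or (b"\0" * 16, b"\0" * 32)   # dummy keeps timing uniform
        if hmac.compare_digest(_hash(salt, password), digest) and stored is not None:
            self.failures.pop(username, None)   # success resets the counter
            return "ok"
        count += 1
        if count >= MAX_FAILURES:
            self.failures[username] = (0, now + LOCKOUT_SECONDS)
            return "locked"
        self.failures[username] = (count, 0.0)
        return "denied"


def demo_lockout():
    """Constructed scenario: 4 denials, lockout on the 5th, recovery after the window."""
    now = [1_000.0]                                  # fake clock, advanced by hand
    auth = Authenticator(clock=lambda: now[0])
    auth.add_user("admin", "correct horse battery")  # constructed, not the challenge's
    guesses = ["123456", "password", "qwerty", "iloveyou", "abc123"]  # constructed
    results = [auth.login("admin", g) for g in guesses]
    results.append(auth.login("admin", "correct horse battery"))  # still locked
    now[0] += LOCKOUT_SECONDS
    results.append(auth.login("admin", "correct horse battery"))  # window expired
    return results
```

Unknown user names are hashed against a dummy record so a failed login takes the same time whether or not the account exists.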

 

Wednesday, 20 February 2019


Posted by jackterrylau on 痞客邦 (PIXNET)