The user login page doesn't implement any form of rate-limiting

Article ID: 218667

Products

CA Single Sign On Agents (SiteMinder)
CA Single Sign On Secure Proxy Server (SiteMinder)
SITEMINDER

Issue/Introduction

Some customers receive a finding from their IT Security team asking for rate-limiting to be enabled on the SiteMinder login page. A typical finding reads as follows.

###Summary:

As a best practice, a login page should implement rate-limiting, so that repeated authentication attempts from the same source or against the same account are slowed down or blocked.

###Vulnerable URL:

https://_host._domain._com/login/login.fcc

###Steps To Reproduce:

  1. Submit the login form, intercept the POST request to login.fcc and send it to Burp Intruder;
  2. Mark the password parameter as the payload position and configure a password wordlist as the payloads;
  3. Start the Burp Intruder attack: every request is answered, no attempt is ever throttled or rejected, and the run stops only when the list is exhausted or a guess succeeds;

###Impact:

An attacker can brute-force the password of any known username without limit and can take over any account (1).

Environment

 

CA Access Gateway (SPS) all versions;
Web Agent all versions;

 

Resolution

Configure a password policy on the Policy Server and associate it with the user directory used by the authentication scheme that protects the login page.

A password policy lets you define the maximum number of consecutive failed login attempts allowed for a user. Once that number is reached, the account is disabled (temporarily, or until it is re-enabled) and further guesses against it are rejected even if the password is correct, which ends the unlimited brute force described in the finding.

Note that this is a per-user control: it does not slow an attacker who sprays one common password across many usernames, and an attacker who knows a username can deliberately lock that user out by sending wrong passwords. Treat the password policy as the baseline, and if the finding specifically requires request-rate limiting, add a per-source request limit in front of the login page as well.
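As an added illustration (not SiteMinder, Web Agent or Access Gateway code), the Python below models the two controls discussed here: the per-user failed-attempt lockout that a password policy with a maximum failed-login count provides, and a per-client sliding-window request limit of the kind the finding's title asks for. It also replays the Burp Intruder run from the steps above against both an unthrottled and a guarded login, so you can see where each control stops the attack. The class and function names, the sample users in USER_DB and the client addresses are assumptions made for the example.

```python
"""Model of login-abuse controls for a login page such as login.fcc.

Added example, not SiteMinder code. LoginGuard emulates (a) a password
policy that disables a user after max_failed consecutive wrong passwords
and (b) a per-client request rate limit. USER_DB and the client addresses
are constructed test data.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional
import hmac
import time

# Constructed sample credential store (hypothetical test users).
USER_DB = {
    "alice": "correct horse battery staple",
    "bob": "hunter2!!",
}


@dataclass
class LoginGuard:
    max_failed: int = 5            # wrong passwords before the account is disabled
    lockout_seconds: float = 900   # how long the account stays disabled
    rate_limit: int = 20           # requests allowed per client per window
    window_seconds: float = 60
    failed: dict = field(default_factory=lambda: defaultdict(int))
    locked_until: dict = field(default_factory=dict)
    requests: dict = field(default_factory=lambda: defaultdict(deque))

    def _rate_limited(self, client: str, now: float) -> bool:
        """Sliding window: keep the timestamps of recent requests per client."""
        q = self.requests[client]
        while q and now - q[0] > self.window_seconds:
            q.popleft()
        if len(q) >= self.rate_limit:
            return True
        q.append(now)
        return False

    def login(self, client: str, username: str, password: str,
              now: Optional[float] = None) -> str:
        """Return one of: ok, failed, locked, rate_limited."""
        now = time.monotonic() if now is None else now
        # The per-client limit is checked first, so a spray of one password
        # across many usernames is throttled even though no single account
        # ever reaches max_failed.
        if self._rate_limited(client, now):
            return "rate_limited"
        if self.locked_until.get(username, 0) > now:
            return "locked"
        expected = USER_DB.get(username)
        # Unknown users take the same path as known ones, so the response
        # does not reveal whether the username exists; the compare is
        # constant-time for the known-user case.
        ok = expected is not None and hmac.compare_digest(
            expected.encode(), password.encode())
        if ok:
            self.failed[username] = 0
            return "ok"
        self.failed[username] += 1
        if self.failed[username] >= self.max_failed:
            # This is what the password policy's "maximum failed attempts"
            # setting gives you: the account is disabled for a period.
            self.locked_until[username] = now + self.lockout_seconds
            self.failed[username] = 0
            return "locked"
        return "failed"


def simulate_intruder(guard: LoginGuard, client: str, username: str,
                      wordlist, start: float = 0.0, step: float = 0.1):
    """Replay of the Burp Intruder run: one guess per request, every step s."""
    return [guard.login(client, username, guess, now=start + i * step)
            for i, guess in enumerate(wordlist)]


if __name__ == "__main__":
    wordlist = [f"guess{i}" for i in range(30)] + ["hunter2!!"]
    unthrottled = LoginGuard(max_failed=10**9, rate_limit=10**9)
    print("no controls :", simulate_intruder(unthrottled, "203.0.113.7", "bob", wordlist)[-1])
    print("with controls:", simulate_intruder(LoginGuard(), "203.0.113.7", "bob", wordlist)[-1])
```

With the defaults, the intruder run is stopped twice over: the account is disabled after five wrong guesses, and from the 21st request the client is throttled regardless of which username it targets. Run the same loop against the unthrottled instance and the last guess succeeds, which is the behaviour the finding describes.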

 

Additional Information

(1) Finding title as reported by the IT Security team: "User login page doesn't implement any form of rate limiting".