Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CAPEC-2:Inducing Account Lockout
Attack Pattern ID:2
Version:v3.9
Attack Pattern Name:Inducing Account Lockout
Abstraction:Standard
Status:Draft
Likelihood of Attack:High
Typical Severity:Medium
DetailsContent HistoryRelated WeaknessesReports
▼Description
An attacker leverages the security functionality of the system aimed at thwarting potential attacks to launch a denial of service attack against a legitimate system user. Many systems, for instance, implement a password throttling mechanism that locks an account after a certain number of incorrect log in attempts. An attacker can leverage this throttling mechanism to lock a legitimate user out of their own account. The weakness that is being leveraged by an attacker is the very security feature that has been put in place to counteract attacks.
▼Extended Description
▼Alternate Terms
▼Relationships
NatureTypeIDName
ChildOfM212Functionality Misuse
Nature: ChildOf
Type: Meta
ID: 212
Name: Functionality Misuse
▼Execution Flow
Exploit
1.

Lock Out Accounts

Perform lockout procedure for all accounts that the attacker wants to lock out.

Technique
For each user ID to be locked out, perform the lockout procedure discovered in the first step.
Experiment
1.

Investigate account lockout behavior of system

Investigate the security features present in the system that may trigger an account lockout

Technique
Analyze system documentation to find list of events that could potentially cause account lockout
Obtain user account in system and attempt to lock it out by sending malformed or incorrect data repeatedly
Determine another user's login ID, and attempt to brute force the password (or other credentials) for it a predetermined number of times, or until the system provides an indication that the account is locked out.
2.

Obtain list of user accounts to lock out

Generate a list of valid user accounts to lock out

Technique
Obtain list of authorized users using another attack pattern, such as SQL Injection.
Attempt to create accounts if possible; system should indicate if a user ID is already taken.
Attempt to brute force user IDs if system reveals whether a given user ID is valid or not upon failed login attempts.
▼Prerequisites
The system has a lockout mechanism.
An attacker must be able to reproduce behavior that would result in an account being locked.
▼Skills Required
Low

No programming skills or computer knowledge is needed. An attacker can easily use this attack pattern following the Execution Flow above.

▼Resources Required
Computer with access to the login portion of the target system
▼Indicators
▼Consequences
ScopeLikelihoodImpactNote
AvailabilityN/AResource ConsumptionDenial of Service
Scope: Availability
Likelihood: N/A
Impact: Resource Consumption
Note: Denial of Service
▼Mitigations
Implement intelligent password throttling mechanisms such as those which take IP address into account, in addition to the login name.
When implementing security features, consider how they can be misused and made to turn on themselves.
▼Example Instances
▼Related Weaknesses
IDName
CWE-645Overly Restrictive Account Lockout Mechanism
ID: CWE-645
Name: Overly Restrictive Account Lockout Mechanism
▼Taxonomy Mappings
Taxonomy NameEntry IDEntry Name
ATTACK1531Account Access Removal
Taxonomy Name: ATTACK
Entry ID: 1531
Entry Name: Account Access Removal
▼Notes
▼References
Details not found