CAPEC-2
Inducing Account Lockout
High
Medium
Draft
2014-06-23
00h00 +00:00
00h00 +00:00
2021-06-24
00h00 +00:00
00h00 +00:00
Alerte pour un CAPEC
Stay informed of any changes for a specific CAPEC.
Descriptions CAPEC
An attacker leverages the security functionality of the system aimed at thwarting potential attacks to launch a denial of service attack against a legitimate system user. Many systems, for instance, implement a password throttling mechanism that locks an account after a certain number of incorrect log in attempts. An attacker can leverage this throttling mechanism to lock a legitimate user out of their own account. The weakness that is being leveraged by an attacker is the very security feature that has been put in place to counteract attacks.
Informations CAPEC
Execution Flow
1) Experiment
[Investigate account lockout behavior of system] Investigate the security features present in the system that may trigger an account lockout
Technique
- Analyze system documentation to find list of events that could potentially cause account lockout
- Obtain user account in system and attempt to lock it out by sending malformed or incorrect data repeatedly
- Determine another user's login ID, and attempt to brute force the password (or other credentials) for it a predetermined number of times, or until the system provides an indication that the account is locked out.
2) Experiment
[Obtain list of user accounts to lock out] Generate a list of valid user accounts to lock out
Technique
- Obtain list of authorized users using another attack pattern, such as SQL Injection.
- Attempt to create accounts if possible; system should indicate if a user ID is already taken.
- Attempt to brute force user IDs if system reveals whether a given user ID is valid or not upon failed login attempts.
3) Exploit
[Lock Out Accounts] Perform lockout procedure for all accounts that the attacker wants to lock out.
Technique
- For each user ID to be locked out, perform the lockout procedure discovered in the first step.
Prerequisites
The system has a lockout mechanism.An attacker must be able to reproduce behavior that would result in an account being locked.
Skills Required
No programming skills or computer knowledge is needed. An attacker can easily use this attack pattern following the Execution Flow above.Resources Required
Computer with access to the login portion of the target systemMitigations
Implement intelligent password throttling mechanisms such as those which take IP address into account, in addition to the login name.When implementing security features, consider how they can be misused and made to turn on themselves.
Related Weaknesses
| Weakness Name | |
|---|---|
CWE-645 |
Overly Restrictive Account Lockout Mechanism The product contains an account lockout protection mechanism, but the mechanism is too restrictive and can be triggered too easily, which allows attackers to deny service to legitimate users by causing their accounts to be locked out. |
Submission
| Name | Organization | Date | Date release |
|---|---|---|---|
| CAPEC Content Team | The MITRE Corporation |
Modifications
| Name | Organization | Date | Comment |
|---|---|---|---|
| CAPEC Content Team | The MITRE Corporation | Updated Attacker_Skills_or_Knowledge_Required | |
| CAPEC Content Team | The MITRE Corporation | Updated Related_Weaknesses | |
| CAPEC Content Team | The MITRE Corporation | Updated Related_Attack_Patterns | |
| CAPEC Content Team | The MITRE Corporation | Updated Taxonomy_Mappings |
2025©
tesweb SA
