No Protection Against Bruteforce Attacks on Login Page in linagora/twake
Reported on
Jan 11th 2023
Description
Twake does not limit unsuccessful login attempts, allowing an attacker to brute force the password of an administrator or a regular user.
Proof of Concept
Steps to reproduce
Because Twake does not rate limit authentication attempts, an attacker could brute force both the login and the password. However, in a real-world scenario we would likely see an attacker either create an account and enumerate users, or leverage a compromised account to obtain a user list.
Then a malicious actor would capture the login request with Burpsuite
Send the request to Intruder
Replay the login request with a different password value, utilizing a password list payload such as rockyou.txt
Should the correct password be tried, a 200 OK response is returned
Incorrect attempts are returned with a 404 Unauthorized
Burpsuite will continue attempting all passwords in the password list until it is complete
Burpsuite Replay:
POST /internal/services/console/v1/login HTTP/1.1
Host: 127.0.0.1:3000
Content-Length: 77
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
Accept: application/json
Content-Type: application/json
sec-ch-ua-mobile: ?0
Authorization: Bearer
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
sec-ch-ua-platform: "Linux"
Origin: http://127.0.0.1:3000
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:3000/login
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: lhc_vid=6329efff387471209bb0
Connection: close
{"email":"admin@localhost.com","password":"adminadmin","remember_me":true,"device":{}}
Impact
The impact is unlimited password attempts, leading to brute force attacks on the login page. Should this application be hosted on a website, it may also lead to a Denial of Service.
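The control the report says is missing, a failed-login limiter on the login endpoint, written here as an added example in JavaScript; it is not Twake's code or its SSO brute force module, and the class, function and user names are hypothetical with a credential store constructed for the demo. Each account and each source address carries its own failure counter, repeated windows of failures trigger a growing lockout, and an unknown account gets the same response as a wrong password so the endpoint does not help with user enumeration.

```javascript
// Added example (not Twake's code): a failed-login limiter of the kind the reported
// endpoint lacked. Names here are hypothetical and the user store is constructed.
class LoginThrottle {
  constructor({ maxFailures = 5, windowMs = 15 * 60000, baseLockMs = 60000, maxLockMs = 3600000 } = {}) {
    this.opts = { maxFailures, windowMs, baseLockMs, maxLockMs };
    this.state = new Map(); // key -> { failures: timestamps[], lockUntil, strikes }
  }
  entry(key) {
    if (!this.state.has(key)) this.state.set(key, { failures: [], lockUntil: 0, strikes: 0 });
    return this.state.get(key);
  }
  // Milliseconds until `key` may try again; 0 when it is not locked out.
  retryAfter(key, now) { return Math.max(0, this.entry(key).lockUntil - now); }
  recordFailure(key, now) {
    const e = this.entry(key);
    e.failures = e.failures.filter(t => now - t < this.opts.windowMs).concat(now);
    if (e.failures.length >= this.opts.maxFailures) {
      e.strikes += 1; // lockouts grow 1m, 2m, 4m ... capped at maxLockMs
      e.lockUntil = now + Math.min(this.opts.baseLockMs * 2 ** (e.strikes - 1), this.opts.maxLockMs);
      e.failures = [];
    }
  }
  recordSuccess(key) { this.state.delete(key); }
}

// Constructed stand-in for the real user store (demo only).
const USERS = new Map([['admin@localhost.com', 'correct horse battery staple']]);

// Simulated /login handler: 429 while locked, 401 on a bad guess, 200 on success.
function login(throttle, ip, email, password, now) {
  const keys = [`acct:${email}`, `ip:${ip}`]; // lock per account AND per source address
  const wait = Math.max(...keys.map(k => throttle.retryAfter(k, now)));
  if (wait > 0) return { status: 429, retryAfterMs: wait };
  if (USERS.get(email) === password) {
    keys.forEach(k => throttle.recordSuccess(k));
    return { status: 200 };
  }
  keys.forEach(k => throttle.recordFailure(k, now)); // same answer whether or not the user exists
  return { status: 401, error: 'invalid credentials' };
}

// Replays a wordlist, one guess per second from one address, and returns the status codes seen.
function replayWordlist(passwords, startMs = 0) {
  const throttle = new LoginThrottle();
  return passwords.map((pw, i) =>
    login(throttle, '10.0.0.7', 'admin@localhost.com', pw, startMs + i * 1000).status);
}
```

With the defaults, the fifth wrong guess locks the account, so even the correct password in the same wordlist run is refused with 429 until the lockout expires.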
Hi, we enabled the brute force module on our SSO. Thanks for your time and for getting back to us regularly by email :) Romaric