Sunday, 1 December 2013

Facebook Brute Force Attack Vulnerability





Welcome back all l33ts :-)

Today i am going to show you that how i got Brute Force Attack Vulnerability in Facebook "Facebook Brute Force" Attack Vulnerability ( Reported On 11-4-2013 ) 

first we have to know that what is Brute force attack vulnerability 

According to OWASP  

A common threat web developers face is a password-guessing attack known as a brute force attack. A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you discover the one correct combination that works. If your web site requires user authentication, you are a good target for a brute-force attack etc. :-)

So lets move to the interesting part


I didnt feel any problem while finding brute force attack vulnerability on facebook :-)

i just intercept the log in request in burp suite and tried 100 attempts on log in panel 

response was pretty good for me 


200 Response Code For Invalid Login Attempt



( Click Image For Large Preview ) 


302 Response Code For Valid Login Attempt


( Click Image For Large Preview ) 



As you saw that i got Response 200 for Invalid Login Attempt & 302 Response Code For Valid Login Attempt with Session Cookies & Redirected URL TO facebook.com. Because when user successfully authenticate him self then he redirected to facebook.com




As i always said that Facebook Security Team Is Just Like A Girl..When A Boy Propose To Girl Then She Replied That I Will Think About This After 7 Days & Will Get Back To You Within A Month :-)

So Facebook replied me after 2 weeks as he always do for many bug hunter & said that we cant consider this vulnerability as a security issue .

I replied them with 1000 attempts them that i am also able to perform attempts more than 1000 but didnt got any reply from their side :-( 


====================================================================

Update 

Now if you will test this same attack on facebook then you will block after 10 attempts for 1 hour lol =D :-)

==================================================================

Please Like And Share It  & Ask Your Friends For Like Us On Facebook :-)





Comments Are Always Welcome :-)

================================

No comments:

Post a Comment

Featured post

Pentesting Node.js Application : Nodejs Application Security

Pentesting Node.js Application : Nodejs Application Security Hello folks, Today we will see how we can do Pentesting Of NodeJS Appli...

Popular Posts