Sunday 1 December 2013

Facebook Brute Force Attack Vulnerability

Welcome back all l33ts :-)

Today i am going to show you that how i got Brute Force Attack Vulnerability in Facebook "Facebook Brute Force" Attack Vulnerability ( Reported On 11-4-2013 ) 

first we have to know that what is Brute force attack vulnerability 

According to OWASP  

A common threat web developers face is a password-guessing attack known as a brute force attack. A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you discover the one correct combination that works. If your web site requires user authentication, you are a good target for a brute-force attack etc. :-)

So lets move to the interesting part

I didnt feel any problem while finding brute force attack vulnerability on facebook :-)

i just intercept the log in request in burp suite and tried 100 attempts on log in panel 

response was pretty good for me 

200 Response Code For Invalid Login Attempt

( Click Image For Large Preview ) 

302 Response Code For Valid Login Attempt

( Click Image For Large Preview ) 

As you saw that i got Response 200 for Invalid Login Attempt & 302 Response Code For Valid Login Attempt with Session Cookies & Redirected URL TO Because when user successfully authenticate him self then he redirected to

As i always said that Facebook Security Team Is Just Like A Girl..When A Boy Propose To Girl Then She Replied That I Will Think About This After 7 Days & Will Get Back To You Within A Month :-)

So Facebook replied me after 2 weeks as he always do for many bug hunter & said that we cant consider this vulnerability as a security issue .

I replied them with 1000 attempts them that i am also able to perform attempts more than 1000 but didnt got any reply from their side :-( 



Now if you will test this same attack on facebook then you will block after 10 attempts for 1 hour lol =D :-)


Please Like And Share It  & Ask Your Friends For Like Us On Facebook :-)

Comments Are Always Welcome :-)


No comments:

Post a Comment