Ticket #160065 (new defect)

Opened 69 seconds ago

formAuthBruteforce: Once a password is found, cookies are re-used and false positives are found

Reported by: andresriancho Owned by: andresriancho
Priority: major Milestone: 1.0
Component: w3af-plugins Version:
Keywords: Cc:

Description

Once a valid password is found, the cookies returned for it are re-used in the following requests, so later passwords are reported as valid too (false positives):

Found authentication credentials to: "http://127.0.0.1/chek/index.php". The correct password is: "vetal". This vulnerability was found in the request with id 100.
POST http://127.0.0.1/chek/index.php with data: "passwd=123p4ss" returned HTTP code "200" - id: 101
No grep for : http://127.0.0.1/chek/index.php , the plugin sent grepResult=False.
POST http://127.0.0.1/chek/index.php with data: "passwd=1q2w3e" returned HTTP code "200" - id: 102
No grep for : http://127.0.0.1/chek/index.php , the plugin sent grepResult=False.
Found authentication credentials to: "http://127.0.0.1/chek/index.php". The correct password is: "1q2w3e". This vulnerability was found in the request with id 102.
POST http://127.0.0.1/chek/index.php with data: "passwd=passwd" returned HTTP code "200" - id: 103
No grep for : http://127.0.0.1/chek/index.php , the plugin sent grepResult=False.
Found authentication credentials to: "http://127.0.0.1/chek/index.php". The correct password is: "passwd". This vulnerability was found in the request with id 103.
POST http://127.0.0.1/chek/index.php with data: "passwd=a5dd5a" returned HTTP code "200" - id: 104
No grep for : http://127.0.0.1/chek/index.php , the plugin sent grepResult=False.
Found authentication credentials to: "http://127.0.0.1chek/index.php". The correct password is: "a5dd5a". This vulnerability was found in the request with id 104.
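To make the failure mode concrete, here is an added example (not w3af's own code): a fake form-login endpoint modelled on the log above, and the same password checker run once with a shared cookie jar and once with a fresh jar per attempt. The cookie name, the in-memory server and the "HTTP 200 means the password worked" heuristic are assumptions made for the simulation.

```python
# Constructed simulation of the bug in this ticket: once the correct password
# has produced a session cookie, any later POST that carries that cookie is
# accepted, so a checker that keeps cookies between attempts reports every
# following password as valid. Values below mirror the ticket's log.

CORRECT_PASSWORD = "vetal"
WORDLIST = ["vetal", "123p4ss", "1q2w3e", "passwd", "a5dd5a"]  # order from the log


class FakeLoginServer:
    """Stand-in for http://127.0.0.1/chek/index.php (assumption: PHP-style session)."""

    def __init__(self):
        self.sessions = set()
        self._counter = 0

    def post(self, passwd, cookies):
        """Return (status, cookies_to_set) for a POST with passwd=..."""
        # An already-authenticated session is accepted whatever the body says.
        if cookies.get("PHPSESSID") in self.sessions:
            return 200, {}
        if passwd == CORRECT_PASSWORD:
            self._counter += 1
            sid = "sess%d" % self._counter
            self.sessions.add(sid)
            return 200, {"PHPSESSID": sid}
        return 401, {}  # wrong password: no session issued


def bruteforce(server, wordlist, reuse_cookies):
    """Return the passwords the checker would report as valid."""
    found = []
    jar = {}
    for pw in wordlist:
        if not reuse_cookies:
            jar = {}  # fix: every attempt starts as an unauthenticated client
        status, new_cookies = server.post(pw, jar)
        jar = {**jar, **new_cookies}
        if status == 200:  # assumed detection heuristic for the simulation
            found.append(pw)
    return found


if __name__ == "__main__":
    print("shared jar :", bruteforce(FakeLoginServer(), WORDLIST, True))
    print("fresh jar  :", bruteforce(FakeLoginServer(), WORDLIST, False))
```

With the shared jar every word after "vetal" is reported; resetting the jar per attempt leaves only the real password.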
