Overview: A library raised the following issue after having several users rendered inactive due to invalid credential attempts. Please note that identifying information has been anonymized for this ticket submission:
A system which has a publicly accessible log-in page and permanently locks an account after failed authentication attempts is vulnerable to a denial-of-service attack, which is aggravated if that system doesn't have source-based rate-limiting. To estimate our vulnerability, I created and set passwords for 10,000 test accounts in [a] test FOLIO instance. Then I hastily put together and executed a command to lock those accounts: It locked all 10,000 in less than twenty minutes.
- Our production FOLIO instance has [tens of thousands of] active accounts.
- To approximate the abilities of a mischievous freshman, I gave
myself ten minutes to come up with this: I used my browser's
debugger to capture the form submission at the log-in page as a
Curl command and saved that as a script with the username
parameterized such that:
would make one failed attempt to log in to my account. I then
cat users users users users users |
xargs parallel-moreutils -j 100 \
Our hypothetical freshman wouldn't have trouble getting a nearly
complete list of real usernames to use, since anyone on [the university's]
network can retrieve a list of campus usernames from [the university's]
directory server or several other sources.