Tuesday, 26 August 2014

Pagely Brute Force Mitigation Bypass

A while back I was looking at one of Facebook's acquisitions, Onavo, and came across their blog which was using a Wordpress install managed by Pagely. While testing for ways to brute force the login page I discovered a brute force mitigation bypass that not only affected Onavo but also every other Pagely protected site :)


Detect Wordpress? Look for wp-login.php

Wordpress is pretty common and actually pretty secure these days. One area that still needs some work though is protection for the default login page wp-login.php. Most installations leave this page publicly exposed and a lot do not implement the recommended brute force mitigations here:

http://codex.wordpress.org/Brute_Force_Attacks

Onavo took the easy approach and used Pagely. Pagely offer managed security which in theory should mean you are more secure...


Testing for bruteforce

So let's try and brute force Onavo's wp-login page.


You can see after only a few requests we start getting redirected (302). This redirection actually takes you to a Pagely captcha page.



The magical "pagelyvalid" cookie

I was curious how they implemented the verification once past the captcha so took a look at the response and saw that the captcha check just set a cookie called "pagelyvalid" to true. Hmmm. Lets try our brute force attack again but this time including the magical pagelyvalid cookie.



Lots of 200's. So simply including the pagelyvalid true cookie we can bypass the Pagely brute force mitigation and guess passwords night and day. And like I said at the start this didn't just affect Onavo but every site that used the Pagely service. Yikes!


Final Thoughts

A lot of sites miss brute force mitigations and rate limiting in general. Third parties can offer a quick fix but it's important to remember you are trusting your security to that third party and assuming they will do a good job (which isn't always the case!).

Both Facebook and Pagely responded reasonably quickly (the Pagely CEO even sent me a message!) and a fix has now been deployed. Hope you guys found this interesting, as usual if you have questions or suggestions just drop me a comment below.

Pwndizzle out

Posted by at
Labels: , , ,

14 comments:

  1. Unknown29 August 2014 at 23:56

    So, how much did they pay you bro?

    ReplyDelete
  2. PwnDizzle30 August 2014 at 09:43

    Pagely don't operate a bounty program so there was no reward from them. However as this was a Facebook site Facebook paid the minimum bounty.

    ReplyDelete
  3. Carol J. Lacy1 July 2019 at 06:58

    I enjoyed reading your post thanks for sharing it,
    clipping path service|Background Removal service|Vector Tracing

    ReplyDelete
  4. Call Girls Kolkata27 February 2020 at 09:39

    Such a nice blog you have shared here. Thanks for sharing about this with us.
    Please visit Call Girls in Kolkata to know why The Call girls in Kolkata are known for their dusky and fair skin tone and you can take the service from any of them according to your wish.

    Call girls Kolkata
    kolkata call girls
    independent call girls in kolkata
    high profile call girls in kolkata
    escorts in kolkata
    photo of call girls in kolkata
    call girl services in kolkata
    top class Kolkata call girls
    air hostess escorts in kolkata
    college escorts in kolkata
    Kolkata call girls gallery
    Photo Gallery of Kolkata Call Girls


    ReplyDelete
  5. john28 April 2020 at 15:57

    پازل بند
    مهراد جم
    ناصر زینعلی
    گرشا رضایی

    ReplyDelete
  6. Jatin Sethi13 May 2020 at 10:27

    After rehab is finished follow up care is frequently suggested. Since it just helps break the underlying compulsion, guiding and even follow up drug rehab administrations are suggested for people with interminable fixation or history of past dependence preceding drug rehab. Most rehab focuses offer a type of guiding and catch up that is done as an outpatient, which permits the individual an opportunity to return society, yet at the same time under the immediate management of a drug rehab instructor
    inspirational quotes for addiction
    overcoming addiction quotes



    ReplyDelete
  7. michael4 October 2020 at 07:03

    yespornplease
    yespornplease
    yespornplease

    ReplyDelete
  8. Josh17 December 2020 at 04:49

    school administration software
    smart school management system
    school database management system
    education erp software
    school erp system
    smart school software

    ReplyDelete
  9. searchkarlo30 January 2021 at 07:01

    canon g2000 error 5b00

    error 5b00 canon g2000

    5b00 error

    canon 5b00 error

    canon support code 5b00

    5b00 error

    ReplyDelete
  10. loolog20 February 2021 at 09:56

    hotmail inlog

    ReplyDelete
  11. Easy Loan Mart10 December 2021 at 07:41

    Hi...
    Today I want to help you bolster your website's security against the most common type of security breach: brute force attacks.
    You are also read more
    Personal Loan in India

    ReplyDelete
  12. periyannan4 February 2022 at 08:44

    Interesting stuff to read and useful to improve knowledge.
    Keep posting.

    evs full form
    raw agent full form
    full form of tbh in instagram
    dbs bank full form
    https full form
    tft full form
    pco full form
    kra full form in hr
    tbh full form in instagram story
    epc full form

    ReplyDelete
  13. Shanthi Cabs15 March 2022 at 07:23

    Impressive!Thanks for the post
    Best Travel Agency in Madurai | Travels in Madurai
    Madurai Travels | Best Travels in Madurai
    Tours and Travels in Madurai | Best Tour Operators in Madurai

    ReplyDelete

Subscribe to: Post Comments (Atom)