Tuesday 26 August 2014

Pagely Brute Force Mitigation Bypass

A while back I was looking at one of Facebook's acquisitions, Onavo, and came across their blog which was using a Wordpress install managed by Pagely. While testing for ways to brute force the login page I discovered a brute force mitigation bypass that not only affected Onavo but also every other Pagely protected site :)

Detect Wordpress? Look for wp-login.php

Wordpress is pretty common and actually pretty secure these days. One area that still needs some work though is protection for the default login page wp-login.php. Most installations leave this page publicly exposed and a lot do not implement the recommended brute force mitigations here:


Onavo took the easy approach and used Pagely. Pagely offer managed security which in theory should mean you are more secure...

Testing for bruteforce

So let's try and brute force Onavo's wp-login page.

You can see after only a few requests we start getting redirected (302). This redirection actually takes you to a Pagely captcha page.

The magical "pagelyvalid" cookie

I was curious how they implemented the verification once past the captcha so took a look at the response and saw that the captcha check just set a cookie called "pagelyvalid" to true. Hmmm. Lets try our brute force attack again but this time including the magical pagelyvalid cookie.

Lots of 200's. So simply including the pagelyvalid true cookie we can bypass the Pagely brute force mitigation and guess passwords night and day. And like I said at the start this didn't just affect Onavo but every site that used the Pagely service. Yikes!

Final Thoughts

A lot of sites miss brute force mitigations and rate limiting in general. Third parties can offer a quick fix but it's important to remember you are trusting your security to that third party and assuming they will do a good job (which isn't always the case!).

Both Facebook and Pagely responded reasonably quickly (the Pagely CEO even sent me a message!) and a fix has now been deployed. Hope you guys found this interesting, as usual if you have questions or suggestions just drop me a comment below.

Pwndizzle out


  1. So, how much did they pay you bro?

  2. Pagely don't operate a bounty program so there was no reward from them. However as this was a Facebook site Facebook paid the minimum bounty.

  3. After rehab is finished follow up care is frequently suggested. Since it just helps break the underlying compulsion, guiding and even follow up drug rehab administrations are suggested for people with interminable fixation or history of past dependence preceding drug rehab. Most rehab focuses offer a type of guiding and catch up that is done as an outpatient, which permits the individual an opportunity to return society, yet at the same time under the immediate management of a drug rehab instructor
    inspirational quotes for addiction
    overcoming addiction quotes

  4. Hi...
    Today I want to help you bolster your website's security against the most common type of security breach: brute force attacks.
    You are also read more
    Personal Loan in India