RealGame_122486
Jun 01, 2013 | Nimbostratus
BruteForce Protection On Redirection Page
Hi all,
I made a vulnerable application (HackMe Credit) and I'm trying to protect it.
If you want to see its code:
Google Code Page: https://code.google.com/p/hackmecredit/
This is the login page functionality:
The login form is on every page, like a master page in ASP.NET.
When someone enters a username and password, the details are sent with a POST request to "pages/signin.jsp"; that page then puts either an error or the user_id and the user's full name in the session and redirects to the index page ("page=homepage").
This is an example of the traffic:
REQUEST:
POST /pages/signin.jsp HTTP/1.1
Host: 172.16.32.100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.16.32.100/index.jsp?page=homepage
Cookie: JSESSIONID=ADBC27543A4C30CB516734A88E58CCC1

user=yossi&pass=4297f44b13955235245b2497399d7a93&signin=signin
RESPONSE:
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Location: http://172.16.32.100/index.jsp?page=homepage
Then, if the password is wrong, the response of "/index.jsp?page=homepage" contains: forgot your password?
I know it's not easy to solve. Thanks.
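One way to count failed logins when the verdict only shows up on the page the 302 redirects to, written as an added example for this thread; it is not code from the HackMe Credit project or from the original post. It assumes what the post describes (every signin POST is answered with a 302 to the homepage, and only the homepage body reveals the failure text), and it models the traffic as simple request/response records rather than a real proxy or WAF. The class and function names, the sample IPs and session IDs, and the lockout threshold are all assumptions made for the example.

```python
"""Count failed logins when the failure text only appears on the page the 302 redirects to."""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs

# Assumptions taken from the post: the login POST goes to signin.jsp, every outcome is a
# 302 to the homepage, and only the homepage body reveals a failure.
SIGNIN_PATH = "/pages/signin.jsp"
HOMEPAGE_PATH = "/index.jsp?page=homepage"
FAILURE_MARKER = "forgot your password?"


@dataclass
class Exchange:
    """One request/response pair as a reverse proxy or WAF would see it (constructed model)."""
    client: str             # source IP address
    method: str
    path: str               # request path including the query string
    session: Optional[str]  # JSESSIONID cookie value sent by the client, or None
    status: int
    form: str = ""          # POST body (application/x-www-form-urlencoded)
    body: str = ""          # response body


class RedirectLoginTracker:
    """Correlates each signin POST with the next homepage GET and counts failures per IP and per user."""

    def __init__(self, max_failures: int = 5):
        self.max_failures = max_failures
        self.pending = {}                  # flow key -> username whose verdict is still unknown
        self.failures = defaultdict(int)   # "ip:<addr>" / "user:<name>" -> consecutive failures
        self.blocked = set()

    @staticmethod
    def _flow_keys(ex: Exchange) -> List[str]:
        # Prefer the session cookie for correlation, but always fall back to the source IP:
        # the attacker decides whether a cookie is sent at all, so it cannot be the only key.
        keys = [f"{ex.client}|{ex.session}"] if ex.session else []
        keys.append(ex.client)
        return keys

    def observe(self, ex: Exchange) -> str:
        keys = self._flow_keys(ex)
        if ex.method == "POST" and ex.path == SIGNIN_PATH:
            user = parse_qs(ex.form).get("user", [""])[0]
            if f"ip:{ex.client}" in self.blocked or f"user:{user}" in self.blocked:
                return "blocked"          # a real deployment would reject the POST here
            if ex.status == 302:
                self.pending[keys[0]] = user   # verdict arrives on the redirected page
                return "pending"
            return "ignore"
        if ex.method == "GET" and ex.path == HOMEPAGE_PATH:
            for key in keys:
                if key in self.pending:
                    return self._settle(ex, self.pending.pop(key))
        return "ignore"

    def _settle(self, ex: Exchange, user: str) -> str:
        if FAILURE_MARKER not in ex.body:
            # A successful login clears only the per-account counter: a valid login into the
            # attacker's own account must not reset the per-IP counter.
            self.failures.pop(f"user:{user}", None)
            return "success"
        verdict = "failure"
        for counter in (f"ip:{ex.client}", f"user:{user}"):
            self.failures[counter] += 1
            if self.failures[counter] >= self.max_failures:
                self.blocked.add(counter)
                verdict = "blocked"
        return verdict


def login_attempt(client, session, user, password, failed, new_session=None) -> List[Exchange]:
    """Constructed sample traffic: the POST/302 pair, then the browser's GET of the homepage.
    new_session models the cookie the server issues when the POST carried none."""
    page = "<p>forgot your password?</p>" if failed else "<p>Welcome back</p>"
    return [
        Exchange(client, "POST", SIGNIN_PATH, session, 302,
                 form=f"user={user}&pass={password}&signin=signin"),
        Exchange(client, "GET", HOMEPAGE_PATH, new_session or session, 200, body=page),
    ]


def simulate(exchanges: List[Exchange], max_failures: int = 3) -> List[str]:
    tracker = RedirectLoginTracker(max_failures)
    return [tracker.observe(ex) for ex in exchanges]


if __name__ == "__main__":
    attack = (login_attempt("10.0.0.5", "S1", "yossi", "guess1", True)
              + login_attempt("10.0.0.5", "S1", "yossi", "guess2", True)
              + login_attempt("10.0.0.5", None, "yossi", "guess3", True, new_session="S3")
              + login_attempt("10.0.0.5", "S2", "yossi", "guess4", True))
    print(simulate(attack))
```

The counters are keyed by source IP and by the target username, never by JSESSIONID alone, because the cookie is under the attacker's control; the cookie is only used to pair a POST with the GET that follows it, with the source IP as the fallback pairing. Real traffic needs a time window on the pending flows and a decay on the counters, and behind NAT the per-IP counter has to be tuned so one office does not lock itself out.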