You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Sep 6, 2021. It is now read-only.
Dear sir,
I'm Ayush Jhanwar, I'm a cybersecurity analyst and I found a bug on your subdomain. Here are the required details.
TITLE: ACCOUNT TAKEOVER BY BRUTEFORCE LOGIN PANEL..
Vulnerability type: Bruteforce(CWE-307)
Subdomain : https://github.com/session
Bruteforce login panel to take over the account using Burpsuite.
DESCRIPTION:
A brute force attack can manifest itself in many different ways, but primarily consists in an attacker configuring predetermined values, making requests to a server using those values, and then analyzing the response. For the sake of efficiency, an attacker may use a dictionary attack (with or without mutations) or a traditional brute-force attack (with given classes of characters e.g.: alphanumeric, special, case (in)sensitive). Considering a given method, number of tries, efficiency of the system which conducts the attack, and estimated efficiency of the system which is attacked the attacker is able to calculate approximately how long it will take to submit all chosen predetermined values.
REPRODUCTION:
STEP 1 : Found Subdomain https://github.com/session
STEP 2: Create an Account on github to connect login page (https://github.com/session)
STEP 3: Try to Bruteforce on the Login panel using Burpsuite.
STEP 4 : Then I founded a different length factor of my 'CORRECT PASSWORD'.
IMPACT:
Stealing personal data and valuable Information.
All it takes is the right break-in for a criminal to steal your identity, money, or sell your private credentials for profit. Sometimes, sensitive databases from entire organizations can be exposed in corporate-level data breaches. The attacker can delete a user data and other information .
RECOMMENDATION:
Apply "RATE LIMIT" on the login panel, such that the Attacker will be blocked to try more passwords after a certain time limit...
For, more detailed analysis of vulnerability(BUG) I have attached screenshots below of exploiting the vulnerability.
i.e PROOF OF CONCEPT
The text was updated successfully, but these errors were encountered:
It only went through 6 passwords before reaching yours which was listed in your dictionary, not really something to worry about I think.
Maybe try again with a longer list or the traditional way.
Dear sir,
I'm Ayush Jhanwar, I'm a cybersecurity analyst and I found a bug on your subdomain. Here are the required details.
Vulnerability type: Bruteforce(CWE-307)
Subdomain : https://github.com/session
Bruteforce login panel to take over the account using Burpsuite.
DESCRIPTION:
REPRODUCTION:
IMPACT:
Stealing personal data and valuable Information.
All it takes is the right break-in for a criminal to steal your identity, money, or sell your private credentials for profit. Sometimes, sensitive databases from entire organizations can be exposed in corporate-level data breaches. The attacker can delete a user data and other information .
RECOMMENDATION:
For, more detailed analysis of vulnerability(BUG) I have attached screenshots below of exploiting the vulnerability.
i.e PROOF OF CONCEPT
The text was updated successfully, but these errors were encountered: