A project built using the Django framework. It features a demo in which users can attack several login forms to understand the security measure behind each one. The broader goal of the project is to encourage developers to follow industry standards when designing applications with user authentication.
Below is an overview of the basic security behind each login form.
- Form 1: No security. This login form is meant to be completely vulnerable to password spraying and plain brute-force attacks.
- Form 2: The approach used against form 1 will not work here. This form rate limits client requests: if the number of requests from a client exceeds a certain threshold within a minute, that client can no longer send requests to this login form. Because the limit is keyed on the client rather than the account, it can be bypassed by rotating proxies (or source IP addresses).
- Form 3: Basic captchas are introduced in this login form. Once you make a login attempt, you must solve a captcha before you receive the login success status. Given how the captchas are generated in this form, one could write a script to generate and submit them automatically.
- Form 4: This login form focuses on locking out user accounts after x failed tries, as opposed to blocking clients. Where this is the only security measure, an attacker can purposely lock out as many accounts as possible (a denial of service against legitimate users), or spray one password across many accounts while staying below the lockout threshold for each.
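To make the difference between the client-based and account-based defences concrete, the following is an added example (not SecureWeb's own code) that models forms 1, 2 and 4 as a small in-memory `LoginForm` class and shows the attacker pattern each one invites: single-source brute force, source rotation against a per-client rate limit, and low-and-slow spraying or deliberate mass lockout against an account lockout. The user list, passwords, IP addresses and thresholds are constructed for the example; form 3's captcha is not modelled because its generation logic is not described here.

```python
"""Toy model of login-form defences and the attacks they invite.
Added example: this is not SecureWeb's code and the users, passwords,
IPs and thresholds below are constructed for illustration."""
import time
from collections import defaultdict

# Constructed credential store (never keep plaintext passwords in real code).
VALID = {"alice": "Winter2024!", "bob": "hunter2", "carol": "Password1"}
# Constructed candidate list an attacker might try, in order.
WORDLIST = ["123456", "Password1", "hunter2", "Winter2024!"]


class LoginForm:
    """rate_limit: max requests per client_ip per window (form 2).
    lockout: failed attempts per username before the account locks (form 4).
    Both None -> form 1 (no protection)."""

    def __init__(self, rate_limit=None, lockout=None, window=60.0):
        self.rate_limit = rate_limit
        self.lockout = lockout
        self.window = window
        self.requests = defaultdict(list)   # client_ip -> request timestamps
        self.failures = defaultdict(int)    # username  -> consecutive failures
        self.locked = set()                 # usernames currently locked out

    def login(self, client_ip, username, password):
        now = time.monotonic()
        if self.rate_limit is not None:
            # Keep only timestamps inside the sliding window, then count them.
            stamps = [t for t in self.requests[client_ip] if now - t < self.window]
            self.requests[client_ip] = stamps
            if len(stamps) >= self.rate_limit:
                return "rate_limited"
            stamps.append(now)
        if username in self.locked:
            return "locked"           # even the correct password fails now
        if VALID.get(username) == password:
            self.failures[username] = 0
            return "success"
        if self.lockout is not None:
            self.failures[username] += 1
            if self.failures[username] >= self.lockout:
                self.locked.add(username)
        return "failure"


def brute_force(form, username, client_ip="10.0.0.1"):
    """Form 1 style: try every candidate against one account from one IP."""
    for pw in WORDLIST:
        if form.login(client_ip, username, pw) == "success":
            return pw
    return None


def brute_force_rotating(form, username, ip_pool):
    """Form 2 bypass: spread requests over several source IPs so that no single
    client reaches the per-client threshold inside the window."""
    for i, pw in enumerate(WORDLIST):
        result = form.login(ip_pool[i % len(ip_pool)], username, pw)
        if result == "success":
            return pw
    return None


def spray(form, usernames, threshold):
    """Form 4 aware spraying: one password per account per round, and at most
    threshold-1 attempts per account so nobody gets locked out."""
    found = {}
    for pw in WORDLIST[:threshold - 1]:
        for user in usernames:
            if form.login("10.0.0.1", user, pw) == "success":
                found[user] = pw
    return found, sorted(form.locked)


def lock_everyone(form, usernames, threshold):
    """Form 4 abused as denial of service: burn the lockout budget of every
    account on purpose; returns the accounts now locked."""
    for user in usernames:
        for _ in range(threshold):
            form.login("10.0.0.1", user, "definitely-wrong")
    return sorted(form.locked)


if __name__ == "__main__":
    print("form 1 brute force:", brute_force(LoginForm(), "alice"))
    print("form 2 single IP:", brute_force(LoginForm(rate_limit=3), "alice"))
    print("form 2 rotating:", brute_force_rotating(
        LoginForm(rate_limit=3), "alice", ["10.0.0.1", "10.0.0.2"]))
    print("form 4 spray:", spray(LoginForm(lockout=3), list(VALID), 3))
    form4 = LoginForm(lockout=3)
    print("form 4 locked:", lock_everyone(form4, list(VALID), 3))
    print("alice with correct password:", form4.login("10.0.0.1", "alice", "Winter2024!"))
```

The two form 4 functions are the point of the example: the same lockout counter that stops `brute_force` from guessing one account also lets `spray` walk through every account untouched at `threshold - 1` guesses each, and lets `lock_everyone` deny service to all of them. In practice a rate limit keyed on the client, a lockout keyed on the account, and a captcha or similar proof-of-work are complementary, which is why the demo separates them.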
I have provided several Python scripts that you can try out to attack each login form. Otherwise, use any tool that can drive HTTP login requests, such as Burp Suite (Intruder). Note that John the Ripper is an offline hash cracker; it only helps once you already hold password hashes and does not attack a live login form on its own.
- attack.py: A script that attempts to bypass the security measures in place for each login form.
- monitor.py: A script that continually monitors updates to the login.log file, which records the login attempts made against each login form.
- proxies.py: A script that creates 1500 private IP addresses on the local machine, which are then used to mimic rotating proxies in order to bypass rate limiting and IP blocking. Note: Linux only.
Execute the following command to install the necessary modules. Note that requirements.txt is located in the src directory:

```
pip install -r requirements.txt
```

To start the web server, run:

```
python manage.py runserver
```

and then navigate to the SecureWeb URL that runserver prints (http://127.0.0.1:8000/ by default for Django's development server).