CAPEC-2 Inducing Account Lockout

CAPEC ID: 2

CAPEC-2 Metadata

Likelihood of Attack

High

Typical Severity

Medium

Overview

Summary

An attacker leverages security functionality intended to thwart attacks in order to launch a denial of service attack against a legitimate system user. Many systems, for instance, implement a password throttling mechanism that locks an account after a certain number of incorrect login attempts. An attacker can leverage this throttling mechanism to lock a legitimate user out of their own account. The weakness being leveraged is the very security feature that was put in place to counteract attacks.

Prerequisites

The system has a lockout mechanism. An attacker must be able to reproduce behavior that would result in an account being locked.

Execution Flow

Step 1 (Experiment): Investigate account lockout behavior of system
Description: Investigate the security features present in the system that may trigger an account lockout.
Techniques:
  • Analyze system documentation to find the list of events that could potentially cause account lockout.
  • Obtain a user account in the system and attempt to lock it out by sending malformed or incorrect data repeatedly.
  • Determine another user's login ID, and attempt to brute force the password (or other credentials) for it a predetermined number of times, or until the system provides an indication that the account is locked out.

Step 2 (Experiment): Obtain list of user accounts to lock out
Description: Generate a list of valid user accounts to lock out.
Techniques:
  • Obtain a list of authorized users using another attack pattern, such as SQL Injection.
  • Attempt to create accounts if possible; the system should indicate if a user ID is already taken.
  • Attempt to brute force user IDs if the system reveals whether a given user ID is valid upon failed login attempts.

Step 3 (Exploit): Lock out accounts
Description: Perform the lockout procedure for all accounts that the attacker wants to lock out.
Techniques:
  • For each user ID to be locked out, perform the lockout procedure discovered in the first step.

Potential Solutions / Mitigations

Implement intelligent password throttling mechanisms, such as those that take the source IP address into account in addition to the login name, so that failed attempts from one source do not exhaust the failure budget of the legitimate user logging in from elsewhere. When implementing security features, consider how they can be misused and made to turn on the users they are meant to protect.
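The following is an added illustration of the mitigation above, not code from CAPEC or any particular product. It models a throttling counter keyed either on the username alone (the behaviour CAPEC-2 abuses) or on the (username, source IP) pair, and replays a constructed sequence of events: a hypothetical attacking host at 203.0.113.7 sends five bad passwords for "alice", after which alice logs in correctly from 198.51.100.20.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ThrottlePolicy:
    """Counts failed logins per key and locks that key after max_failures.

    key_mode="username" is the naive lockout CAPEC-2 abuses: any source can
    exhaust another user's failure budget.  key_mode="username+ip" is the
    mitigation the text suggests: the budget is tracked per (user, source IP),
    so one source cannot lock the user out of logins from other sources.
    """
    max_failures: int = 5
    key_mode: str = "username"
    failures: dict = field(default_factory=lambda: defaultdict(int))

    def _key(self, username, source_ip):
        return username if self.key_mode == "username" else (username, source_ip)

    def attempt(self, username, source_ip, password_ok):
        """Return "locked", "denied" or "ok" for one login attempt."""
        key = self._key(username, source_ip)
        if self.failures[key] >= self.max_failures:
            return "locked"          # budget exhausted, reject without checking
        if password_ok:
            self.failures[key] = 0   # successful login resets the counter
            return "ok"
        self.failures[key] += 1
        return "denied"


def replay(policy, events):
    """Feed (username, source_ip, password_ok) events through a policy."""
    return [policy.attempt(user, ip, ok) for (user, ip, ok) in events]


# Constructed sample events (hypothetical addresses from documentation ranges).
EVENTS = [("alice", "203.0.113.7", False)] * 5 + [("alice", "198.51.100.20", True)]


def legit_user_outcome(key_mode):
    """Outcome of the legitimate user's final attempt under a given key mode."""
    return replay(ThrottlePolicy(max_failures=5, key_mode=key_mode), EVENTS)[-1]


if __name__ == "__main__":
    for mode in ("username", "username+ip"):
        print(f"{mode:12s} -> legitimate login: {legit_user_outcome(mode)}")
```

Keying on the pair removes the single-source lockout, but it does not by itself slow down credential guessing spread across many sources; a separate per-source rate limit is still needed alongside it.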

Related Weaknesses (CWE)

CWE ID Description
CWE-645 Overly Restrictive Account Lockout Mechanism

Related CAPECs

CAPEC ID Description
CAPEC-212 An adversary leverages a legitimate capability of an application in such a way as to achieve a negative technical impact. The system functionality is not altered or modified but used in a way that was not intended. This is often accomplished through the overuse of a specific functionality or by leveraging functionality with design flaws that enables the adversary to gain access to unauthorized, sensitive data.

Taxonomy Mappings

Taxonomy: ATT&CK

Entry ID Entry Name
1531 Account Access Removal
