Weak Admin Password

A generic Broken Authentication vulnerability was identified targeting the Administrator account. The account was protected by an extremely weak password, allowing an attacker to compromise credentials using an automated dictionary attack via Burp Suite Intruder.

1. Navigate to the login page at /#/login.
2. Enter admin@juice-sh.op and a dummy password.
3. Intercept the POST login request using Burp Suite Proxy.
4. Send the request to Intruder and define the payload marker on the password field.
5. Retrieve the password list from the GitHub repository and load it into the payload configuration.
6. Execute the attack.
7. Identify the successful login by sorting for HTTP Status 200 OK (or distinct response length).

Wordlist Source: Top 100 Passwords (GitHub)

Compromised Credentials:

Email: admin@juice-sh.op
Password: admin123

Severity: Critical

• Full System Compromise: Unauthorised administrative access grants full control over the application.
• Data Breach: Ability to access and modify all user data and sensitive information.
• Configuration Tampering: Attackers can alter system settings and modify application behavior.

The exploitation was successful due to two main factors:

• Weak Password Policy: The administrator used admin123, a top-ranking password in common breach lists.
• Lack of Rate Limiting: The application failed to throttle or block the high volume of login attempts generated by Burp Suite, allowing the brute-force attack to proceed uninterrupted.

• Enforce Strong Password Policies: Require minimum complexity, length, and special characters.
• Implement Rate Limiting: Lock accounts or introduce CAPTCHAs after 3-5 consecutive failed login attempts to thwart brute-force attacks.
• Multi-Factor Authentication (MFA): Mandate 2FA for all administrative accounts.