DrLalPathLabs – Admin Form Vulnerable to Brute Force, Discovered Through the robots.txt File

My email exchange with DrLalPathLabs:

Dear Aman,

This is Santhosh Tuppad (Security Researcher, Author for Security Magazine / Blogs and a fan of #CleanWebMovement). I help website owners protect their customers' data, and one of my specializations is the #Healthcare sector. I see that most of the healthcare applications in India are vulnerable to attacks, and any minor or major vulnerability has to be fixed in order to protect privacy. This is my fight to secure the world against insecure applications.

# I have also attached my profile so that you know me better and can be confident about who you are talking to (I also connected with you on LinkedIn and sent a request on Facebook). Thanks!

# The URL to the Proof of Concept / Video: https://drive.google.com/open?id=0BziNB3kxUI6kZURMOHBoX21zTFU (Please watch this and continue reading)

#1 In the video, the hacker (I am demonstrating as a hacker so that it helps you better) tries to gain access to the /admin login form. However, he / she fails at DrLalPathLabs as /admin is not a valid URL.

#2 Next, the hacker thinks of the /robots.txt page and tries to crawl the disallowed URLs. Usually, disallowed URLs are sensitive pages, and this is one heuristic a hacker uses to find the admin login form or other sensitive pages.

The /robots.txt page provides the URL of the admin login form. Woah! This is the first vulnerability, as the admin login form doesn’t check for any IP-specific access. Anyone across the web globally can access this page with the URL.

#3 Using the /lpladmin/AdminLogin.aspx URL, the hacker sees the admin login form.

// Risks Associated
## There is no CAPTCHA or any Turing test component for the login form here. It’s a bit ironic that the user login on the homepage and some other forms have a CAPTCHA, but the admin login (which is the core of the application) doesn’t have any kind of CAPTCHA.
## With no CAPTCHA and no IP banning on repeated requests (basically, an IDS, intrusion detection system), a hacker can easily employ a brute-force attack and crack the credentials using Brutus or any other open-source hacker utility. I recommend fixing this as soon as possible. In my experience, it doesn’t take more than 6 hours to crack this by using high-end GPUs.
// Counter-measure
## Make sure the URL is not accessible by anyone on the web. Maybe a specific static IP can be used to access the admin form. In that way, we block anyone from accessing the admin form to crack the credentials.
## Remove the admin URL from the robots.txt (we don’t want robots / search engine spiders to crawl these because they are confidential; however, we are making it much easier by providing them in the robots.txt file). #fail
## For a quicker fix, you may want to add reCAPTCHA by Google to the admin login form so that we don’t allow hackers to employ bots to crack credentials. Also, change the URL (maybe other hackers are aware of this URL by now) and then don’t add it to robots.txt.

Well, I’ve got to run to a meeting. I hope this information helps! If you need any more details, I am here to help! And let’s talk once you have read this.

9880952643 / and my Twitter ID @santhoshst (I just like to share my social media ;-)).
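As an added example (not from the email above and not DrLalPathLabs' code), the following Python sketches the server side of two of the counter-measures the email lists: an IP allowlist for the admin path and a per-source lockout after repeated failures, i.e. the "IP banning on repeated requests" the email says was missing. The allowlist range, thresholds and sample attempts are constructed for the demonstration.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

ADMIN_PATH = "/lpladmin/AdminLogin.aspx"          # path named in the email
# Constructed allowlist (RFC 5737 documentation range), the "specific static
# IP" counter-measure from the email
ADMIN_ALLOWLIST = [ip_network("203.0.113.0/24")]
MAX_FAILURES = 5        # failures tolerated per source within the window
WINDOW_SECONDS = 600    # sliding window for counting failures
LOCKOUT_SECONDS = 900   # how long a source stays blocked after the threshold


class LoginGuard:
    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time the lockout expires

    def ip_allowed(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in ADMIN_ALLOWLIST)

    def check(self, path, ip, password_ok, now):
        """Return (allowed, reason). password_ok is the outcome of the real
        credential check; the guard decides whether to honour it."""
        if path == ADMIN_PATH and not self.ip_allowed(ip):
            return False, "ip-not-allowlisted"
        if now < self.locked_until.get(ip, 0):
            return False, "locked-out"
        window = self.failures[ip]
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()                # forget failures outside the window
        if password_ok:
            window.clear()
            return True, "ok"
        window.append(now)
        if len(window) >= MAX_FAILURES:
            self.locked_until[ip] = now + LOCKOUT_SECONDS
            window.clear()
            return False, "locked-out"
        return False, "bad-password"


def replay(guard, attempts):
    """Feed constructed attempts (path, ip, password_ok, t) through the guard."""
    return [guard.check(*a)[1] for a in attempts]


# Constructed sample: six bad passwords from an allowlisted address, then a
# correct password from an address outside the allowlist.
SAMPLE = [(ADMIN_PATH, "203.0.113.10", False, t) for t in range(6)]
SAMPLE.append((ADMIN_PATH, "198.51.100.7", True, 10))
```

Replaying SAMPLE shows the fifth failure triggering the lockout, the sixth attempt rejected without touching the password check, and the outsider refused by the allowlist even with a correct password.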