Pointless May Not Be Harmless: The Story of a Login Page With a Blank Security Question

While conducting security assessments for customer websites, it is always instructive to recognize that not all webpages are created equal: webpages dealing with user login are high-value targets for attackers and therefore deserve more scrutiny when reviewing their security posture.

During the login flow, it is not uncommon, as an extra measure of security, to ask the end user additional “security questions”, such as a mother’s maiden name or a favorite book. One can imagine a template page that lets the login flow plug in whichever security question applies, with a form input for the user to submit an answer. But what if such a template page can be accessed anonymously, without any security question having been specified?

The result would be a weird, awkward security question webpage with a blank question!

The scary thing is that when the attacker submits any “answer”, the website’s origin actually devotes CPU cycles to evaluating it, and then returns a webpage saying the answer is incorrect.

This burning of CPU cycles may look pointless, but it is not harmless. Attackers can set up a large number of nodes in the cloud and fire form submissions at the same time, with the intention of overwhelming the website’s origin with security-answer validation requests.

Akamai’s WAF, in such a case, serves as a protective umbrella against abusers who maliciously leverage these DDoS weak points in the website. Here is an example of how our WAF detected the high-rate, bursty abuse:

The above screenshot also shows that Akamai WAF can serve as your cloud-native cybersecurity ally in implementing a defense-in-depth strategy. If your only defense against DDoS is your on-premises load balancer, you are betting all of your security well-being on a single layer of defense, which is certainly too thin.

Once the DoS/DDoS threat is detected, our customer can utilize the various automated response tactics of Akamai’s WAF (such as DENY, custom DENY or TARPIT) to protect their origin infrastructure, while the development team works on removing such webpages with blank security questions, which shouldn’t have been exposed to the internet in the first place.

For customers with many such non-cacheable POST requests needing protection, an additional countermeasure to consider is URL Protection, a new feature of AAP.
