Improper Restriction of Authentication Attempts

Own server version 1.5.0 of ODK Central
1. What is the issue? Please be detailed.
Improper Restriction of Authentication Attempts

2. What steps can we take to reproduce this issue?
New version of ODK Central?

3. What have you tried to fix the issue?

4. Upload any test forms or screenshots below.

Hi I hope you all are well I have found that there is no rate limit on this login page https://odkcentral.pps.wur.nl/#/login?next=/
Weakness:
Improper Restriction of Authentication Attempts
Steps to reproduce:
1 Go to https://odkcentral.pps.wur.nl/#/login?next=/
2 Enter the victim's email and a random password
3 Click on login and capture the request with burp
4 Now using burp intruder Bruteforce victim's password
5 You will not get any 429 responses which mean there is no rate limit
Impact:
An attack can brute force victim's password and can gain access to it
For fix: Add proper rate limit or use CAPTCHA verification

Thanks for reporting this. I've filed an issue at https://github.com/getodk/central-backend/issues/539.

Hi Yanokwa,

Thanks for your quick response.

Maybe adding CAPTCHA to the script is the easiest way to solve this issue.

One could also count the number of login failures, and if it exceeds e.g. 3, block the user for 30 minutes before resetting the blockage.

Do you've any idea how long it will take to have a new version of ODK Central, that resolves this problem?

Our IT department is urging me to address the issue as they see it as a serious security flaw.

Cheers,

Marcel

We do not yet have an ETA. We'll update the issue once we do.

As a workaround, you can reduce the attack surface by restricting web user logins to specific IPs. Modify your files/nginx/odk.conf.template to look like this.

server {

...

  location /- {
    proxy_pass http://enketo:8005/-;
    proxy_redirect off;
    proxy_set_header Host $host;
  }

  # matches app user endpoints
  location ~ ^/v\d/(test|key)/.+/projects/\d+/(submission|formList|forms) {
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://service:8383;
    proxy_redirect off;

    set $max_chunk_size 16384;
    set $max_body_size 134217728;
    rewrite_by_lua_file inflate_body.lua;

    proxy_request_buffering on;
    proxy_buffering off;
    proxy_read_timeout 2m;
  }

  # matches web user endpoints
  location ~ ^/v\d {
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://service:8383;
    proxy_redirect off;

    set $max_chunk_size 16384;
    set $max_body_size 134217728;
    rewrite_by_lua_file inflate_body.lua;

    proxy_request_buffering on;
    proxy_buffering off;
    proxy_read_timeout 2m;

    # allow/deny ips
    allow 172.18.0.1; # customize based on installed network interface
    allow 127.0.0.1; # allow localhost connections
    allow 1.2.3.4; # external example 1
    allow 4.5.6.7; # external example 2
    deny all; # deny everything else
  }

...

}