How Magento’s Authentication is Brute Forced

Easily the most common way I see Magento sites attacked is by the brute forcing of admin passwords. Attackers use automated scripts to try common usernames and passwords several times a second, 24 hours a day, 7 days a week, against stores.

How do I know this?

Well I see it in the web access logs of Magento stores all the time.

Here is an example from the web access log of a real Magento store;

 Cimarron [04/Apr/2017:15:28:23 +0100] "GET /rss/catalog/notifystock/ HTTP/1.0 "301 184 "-" "-" ""[RT:0.000] [C:22]
 Elijah [04/Apr/2017:15:28:37 +0100] "GET /rss/catalog/notifystock/ HTTP/1.0 "301 184 "-" "-" ""[RT:0.000] [C:62]
 Kameron [04/Apr/2017:15:28:39 +0100] "GET /rss/catalog/notifystock/ HTTP/1.0 "301 184 "-" "-" ""[RT:0.001] [C:67]
 RUIZ [04/Apr/2017:15:28:43 +0100] "GET /rss/catalog/notifystock/ HTTP/1.0 "301 184 "-" "-" ""[RT:0.001] [C:70]
 Sullivan [04/Apr/2017:15:28:46 +0100] "GET /rss/catalog/notifystock/ HTTP/1.0 "301 184 "-" "-" ""[RT:0.000] [C:73]
 markus [04/Apr/2017:15:28:51 +0100] "GET /rss/catalog/notifystock/ HTTP/1.0 "301 184 "-" "-" ""[RT:0.000] [C:85]
 Rafael [04/Apr/2017:15:29:00 +0100] "GET /rss/catalog/notifystock/ HTTP/1.0 "301 184 "-" "-" ""[RT:0.000] [C:99]
 Lillie [04/Apr/2017:15:29:02 +0100] "GET /rss/catalog/notifystock/ HTTP/1.0 "301 184 "-" "-" ""[RT:0.000] [C:103]
 Elijah [04/Apr/2017:15:29:04 +0100] "GET /rss/catalog/notifystock/ HTTP

As you can see, the attackers are making GET requests to /rss/catalog/notifystock/. You can also see the usernames the attacker is trying in the first field, e.g. Cimarron, Elijah, Kameron.
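The pattern in those log lines is easy to pick out by machine. The following is an added example, not code from the original post: it parses access-log lines in the layout shown above (remote user, bracketed timestamp, quoted request line, status code) and flags the basic-auth RSS paths named in this post that receive many distinct usernames within a short window. A legitimate feed reader reuses one account; a guessing script rotates through many. The sample lines are the ones quoted above, the 60-second window and the threshold of five distinct usernames are assumptions to tune for your own traffic, and the truncated last line is kept to show that unparseable lines are counted and skipped rather than aborting the scan.

```python
"""Flag credential-guessing bursts against Magento RSS basic-auth URLs.

Added example, not code from the original post. It reads access-log lines in
the layout shown in the post and reports paths that receive many *distinct*
usernames within a short window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample lines copied from the post; the last one is truncated there, so it
# doubles as a test that unparseable lines are skipped, not fatal.
SAMPLE_LOG = """\
Cimarron [04/Apr/2017:15:28:23 +0100] "GET /rss/catalog/notifystock/ HTTP/1.0 "301 184 "-" "-" ""[RT:0.000] [C:22]
Elijah [04/Apr/2017:15:28:37 +0100] "GET /rss/catalog/notifystock/ HTTP/1.0 "301 184 "-" "-" ""[RT:0.000] [C:62]
Kameron [04/Apr/2017:15:28:39 +0100] "GET /rss/catalog/notifystock/ HTTP/1.0 "301 184 "-" "-" ""[RT:0.001] [C:67]
RUIZ [04/Apr/2017:15:28:43 +0100] "GET /rss/catalog/notifystock/ HTTP/1.0 "301 184 "-" "-" ""[RT:0.001] [C:70]
Sullivan [04/Apr/2017:15:28:46 +0100] "GET /rss/catalog/notifystock/ HTTP/1.0 "301 184 "-" "-" ""[RT:0.000] [C:73]
markus [04/Apr/2017:15:28:51 +0100] "GET /rss/catalog/notifystock/ HTTP/1.0 "301 184 "-" "-" ""[RT:0.000] [C:85]
Rafael [04/Apr/2017:15:29:00 +0100] "GET /rss/catalog/notifystock/ HTTP/1.0 "301 184 "-" "-" ""[RT:0.000] [C:99]
Lillie [04/Apr/2017:15:29:02 +0100] "GET /rss/catalog/notifystock/ HTTP/1.0 "301 184 "-" "-" ""[RT:0.000] [C:103]
Elijah [04/Apr/2017:15:29:04 +0100] "GET /rss/catalog/notifystock/ HTTP
"""

# Basic-auth RSS endpoints named in the post (Magento 1 paths, without the
# optional /index.php prefix, which normalise_path() strips).
RSS_AUTH_PATHS = {"/rss/catalog/notifystock", "/rss/catalog/review", "/rss/order/new"}

# Remote user, bracketed timestamp, quoted request line, then the status code.
# The quote placement matches the post's log format, where the closing quote
# sits after the protocol and a space.
LINE_RE = re.compile(
    r'^\s*(?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)\s*"\s*(?P<status>\d{3})'
)


def normalise_path(path):
    """Map /index.php/rss/x/ and /rss/x/ (with or without query) onto one key."""
    path = path.split("?", 1)[0]
    if path.startswith("/index.php/"):
        path = path[len("/index.php"):]
    return path.rstrip("/") or "/"


def parse_line(line):
    """Return (user, timestamp, normalised path, status) or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("user"), ts, normalise_path(m.group("path")), int(m.group("status"))


def find_bursts(log_text, window=timedelta(seconds=60), min_users=5):
    """Return ({path: most distinct usernames seen in any `window`}, skipped_lines).

    Only RSS auth paths that reach `min_users` distinct usernames are reported.
    """
    events = defaultdict(list)  # path -> [(timestamp, user)]
    skipped = 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1
            continue
        user, ts, path, _status = parsed
        if path in RSS_AUTH_PATHS:
            events[path].append((ts, user))

    hits = {}
    for path, evs in events.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({u for _, u in evs[start:end + 1]})
            best = max(best, distinct)
        if best >= min_users:
            hits[path] = best
    return hits, skipped


if __name__ == "__main__":
    hits, skipped = find_bursts(SAMPLE_LOG)
    for path, n in sorted(hits.items()):
        print(f"{path}: {n} distinct usernames within 60s -> likely credential guessing")
    print(f"{skipped} unparseable line(s) skipped")
```

Run against a real log, the interesting output is a path with a username count far above the number of staff who should ever read that feed; on the quoted sample, eight different names hit /rss/catalog/notifystock within 39 seconds. The per-path window keeps the check cheap enough to run over a day's log on a small host.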

Image (RSS Auth.): An example of what you see on visiting the /rss/catalog/notifystock/ url. The required auth credentials are the same as the ones you log into the admin panel with.

This URL is among several which by default require basic HTTP auth. If you don’t remember setting up basic auth for this, that is because you didn’t. The credentials used here are the same as those used in the main Magento login panel. That means that if an attacker can guess a single weak username and password from this url, they can then go on to use the same credentials, and even the same session, in the admin backend.

But I hid my admin backend

If you hid the location of the backend, as you should, that won’t help you much here, as the location is revealed in the page that loads following a successful authentication.

Image (screenshot): An example of what an attacker would see following a successful authentication. Notice the hidden admin url is revealed.

As well as the /rss/catalog/notifystock/ url, there are several others that use this basic auth method, such as:

  • rss/catalog/review
  • /rss/order/new
  • /index.php/rss/catalog/review
  • /index.php/rss/catalog/notifystock


Excuse me, your auth is showing

I am willing to bet that if you have not secured these urls then you will be receiving hundreds of automated requests on them a day. How confident are you in every one of your admin users’ passwords?

Furthermore, all these requests can be a significant resource drain on a small website, since they will not be cached and each one will cost at the very least one database lookup and one password hash computation.

What to do?

A while ago Magento warned about the use of these urls and suggested using an IP whitelist to block access for all but pre-arranged users. But I still see many sites with these urls accepting basic auth credentials from remote, untrusted IP addresses. Possibly this is because Magento did not go out of their way to highlight exactly what the risk is, and bundled it with advice on hiding the admin url, which is well known.

If you don’t know for sure that you are using the RSS feeds, I would suggest that you simply set the web server to return a 404 Not Found error for these urls. If you do this the automated requests will stop completely within about 10 minutes. This makes sense, since the attackers will want to save resources too.
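Here is what that looks like for nginx, as an added example rather than configuration from the original post or from Magento. The hostname and document root are placeholders, and the paths matched are the ones listed above (with and without the /index.php prefix, with or without a trailing slash).

```nginx
# Added example (not from the original post): answer 404 for the Magento RSS
# URLs that prompt for admin credentials over HTTP basic auth.
server {
    listen 80;
    server_name shop.example.com;   # placeholder hostname
    root /var/www/magento;          # placeholder document root

    # Place this before any other regex location (such as the PHP handler):
    # nginx uses the first regex location that matches, in file order, so the
    # 404 must be decided before /index.php/rss/... reaches PHP.
    # If the store uses no RSS feeds at all, the pattern can be widened to
    # ^/(index\.php/)?rss/ to cover the public feeds as well.
    location ~ ^/(index\.php/)?rss/(catalog/(notifystock|review)|order/new)(/|$) {
        return 404;
    }

    # ... the usual Magento configuration follows (try_files, PHP handler) ...
}
```

After reloading nginx, a request for any of the listed paths never reaches Magento, so there is no database lookup and no password hash to compute, which also removes the resource drain described above. If you need the feeds for a known set of readers, Magento's whitelist suggestion fits in the same location block: allow those addresses and deny everyone else, but then the request still has to be handed on to the PHP handler inside that block rather than returning 404.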


