CVE-2024-28999 SolarWinds Race Condition


The last time, we used the normal login request with multiple wrong passwords and one right password, each request carrying a different “ASP.NET_SessionId”. Sending these requests in parallel leads to a race condition that allows the attacker to log in with the right password without an account lockout.

Here is what the normal request looks like:

What’s new:

Removing the unused headers, and in particular the “ASP.NET_SessionId” cookie, and again sending all requests in parallel leads to the following:

1. All wrong passwords will have the response “200 OK” (default response for wrong password)

2. The right password will have the response “302 Found” (default response for right password)

3. The account will be locked (which is the new behavior)

4. So even though the account is locked, the attacker has a valid “.ASPXAUTH” cookie with which to manipulate the system

The new request with wrong password:

The new request with right password:

Account status:
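For defenders, the pattern described above (a “302 Found” login response inside a tight burst of “200 OK” failures for the same account) can be looked for in login telemetry. The following is an added example, not code from the article or from SolarWinds; the log format, field names, `window_s` and `min_failures` are assumptions and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not a real SolarWinds log format): timestamp,
# client, account, login response status, ASP.NET_SessionId cookie present?
SAMPLE_LOG = """\
2024-06-01T10:00:00.101 203.0.113.7 user=admin status=200 session_cookie=no
2024-06-01T10:00:00.103 203.0.113.7 user=admin status=200 session_cookie=no
2024-06-01T10:00:00.104 203.0.113.7 user=admin status=302 session_cookie=no
2024-06-01T10:00:00.106 203.0.113.7 user=admin status=200 session_cookie=no
2024-06-01T10:00:00.109 203.0.113.7 user=admin status=200 session_cookie=no
2024-06-01T10:05:00.000 198.51.100.4 user=bob status=200 session_cookie=yes
2024-06-01T10:05:40.000 198.51.100.4 user=bob status=302 session_cookie=yes
"""

def parse(line):
    """Split one constructed log line into a typed record."""
    ts, client, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "user": rec["user"], "status": int(rec["status"]),
            "cookie": rec["session_cookie"] == "yes"}

def find_lockout_races(log_text, window_s=1.0, min_failures=3):
    """Return one finding per successful login (302) that sits inside a
    burst of at least min_failures failed logins (200) for the same account.
    window_s and min_failures are assumptions; tune to the lockout policy."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse(line)
            by_user[ev["user"]].append(ev)
    findings = []
    for user, events in by_user.items():
        for ok in (e for e in events if e["status"] == 302):
            burst = [e for e in events if e["status"] == 200 and
                     abs((e["ts"] - ok["ts"]).total_seconds()) <= window_s]
            if len(burst) >= min_failures:
                findings.append({
                    "user": user, "client": ok["client"], "success_at": ok["ts"],
                    "failures_in_window": len(burst),
                    # True when no request in the burst carried a session cookie
                    "cookieless": not ok["cookie"] and not any(e["cookie"] for e in burst)})
    return findings
```

A finding means a “.ASPXAUTH” cookie may have been issued in the same burst that locked the account, so the response is to revoke that session rather than rely on the lockout alone.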
