Writeup: Password brute-force via password change

Lab link.

We start by examining the requests made by the password change feature. If we enter the current password incorrectly during a password change, the application logs us out of our account and shows the error “You have made too many incorrect login attempts. Please try again in 1 minute(s).”

To get around this brute-force protection, we try different inputs in the password change form. If we again enter “Current password” incorrectly, but this time with different values for “New password” and “Confirm new password”, the application responds with “Current password is incorrect” instead of logging us out.

If we enter the correct value in “Current password” together with two different new passwords, we get a different error: “New passwords do not match”. Because the response reveals whether the current password was correct without triggering the lockout, this logic flaw can be used to brute-force the password.
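To make the flaw concrete from the defender's side, here is an added example (not code from the original writeup or from the lab) of a toy password-change handler whose checks are ordered the way the text describes, beside a hardened version that verifies the current password and counts the failure before it ever looks at the new-password fields. The account store, the lockout threshold and all function names are assumptions made for this illustration; the error strings are the ones quoted above.

```python
# Added example (not from the original writeup): a toy password-change handler
# with the check-ordering flaw described above, beside a hardened version.
# Account store, lockout threshold and function names are assumptions made here.
import hashlib
import hmac

LOCKOUT_THRESHOLD = 3  # assumed: wrong current-password attempts tolerated before lockout


def _hash(password: str) -> str:
    # Toy hash for the demo; a real system would use a slow, salted KDF.
    return hashlib.sha256(password.encode()).hexdigest()


def _matches(stored_hash: str, candidate: str) -> bool:
    return hmac.compare_digest(stored_hash, _hash(candidate))


class Account:
    def __init__(self, password: str):
        self.pw_hash = _hash(password)
        self.failures = 0
        self.locked = False


def _record_failure(acct: Account) -> str:
    acct.failures += 1
    if acct.failures > LOCKOUT_THRESHOLD:
        acct.locked = True
        return "locked"
    return "Current password is incorrect"


def change_password_vulnerable(acct, current, new, confirm):
    """Flawed ordering: the failure counter is only updated on the branch where
    the two new passwords match. With mismatched new passwords the response
    still differs depending on whether `current` was right, so the endpoint
    answers "is this the current password?" without ever locking."""
    if acct.locked:
        return "locked"
    if new != confirm:
        if _matches(acct.pw_hash, current):
            return "New passwords do not match"
        return "Current password is incorrect"  # no failure recorded
    if not _matches(acct.pw_hash, current):
        return _record_failure(acct)
    acct.pw_hash, acct.failures = _hash(new), 0
    return "ok"


def change_password_hardened(acct, current, new, confirm):
    """Verify the current password first and count every failure, independent
    of the new-password fields, so every wrong guess costs one attempt."""
    if acct.locked:
        return "locked"
    if not _matches(acct.pw_hash, current):
        return _record_failure(acct)
    if new != confirm:
        return "New passwords do not match"
    acct.pw_hash, acct.failures = _hash(new), 0
    return "ok"


def answered_guesses(handler, attempts: int, mismatch: bool) -> int:
    """Regression check: count how many wrong current-password guesses receive
    a verdict before the handler locks the account. Uses a constructed local
    account only; no network involved."""
    acct = Account("correct-horse-battery")  # constructed test account
    answered = 0
    for i in range(attempts):
        confirm = "NewPass!2" if mismatch else "NewPass!1"
        if handler(acct, f"wrong-guess-{i}", "NewPass!1", confirm) == "locked":
            break
        answered += 1
    return answered


if __name__ == "__main__":
    print("vulnerable, matching new pw  :", answered_guesses(change_password_vulnerable, 10, False))
    print("vulnerable, mismatched new pw:", answered_guesses(change_password_vulnerable, 10, True))
    print("hardened,   mismatched new pw:", answered_guesses(change_password_hardened, 10, True))
```

Run stand-alone, the vulnerable handler locks after the tolerated number of guesses only when the new passwords match; with mismatched new passwords every one of the ten guesses gets an answer. The hardened handler locks after the same number of guesses in both cases, which is the property a unit test should pin down for any endpoint that verifies a password as a side condition.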

We send the request to Burp Intruder, set the username to carlos, and place the payload marker on the current password parameter.

In the Intruder results, the correct password can be identified by sorting on response length or by adding a grep rule for the distinguishing error message.
