A Festive Reminder: Overlooked Fundamentals Create Real Risk

As the festive season approaches and businesses begin to wind down, cybercriminals do not. While investment in advanced security solutions continues to rise, it's alarming how often the most significant breaches stem not from complex exploits, but from overlooked fundamentals. 

In a recent compliance-based, black-box assessment with no credentials and only a URL, we were able to obtain full administrator access. No zero-days, no specialist techniques. Just missing basics. 

It’s a timely reminder: if foundational controls aren’t in place, attackers don’t need to be sophisticated, only persistent.

Finding 1: Weak Password Policy

A strong authentication policy should make password guessing impractical. Instead, the application accepted passwords as short as six characters, leaving accounts wide open to brute-forcing and credential stuffing attacks. 

Short, predictable, or reused passwords remain one of the most common causes of compromise. They require no specialist skill to exploit, just automation, patience, and a list of leaked credentials freely available online. 


Figure 1 shows the discovered registration page. Although not active for registering users, it disclosed key details such as valid usernames and the password policy.

Recommendations

To strengthen account security, password policies should: 

Enforce a minimum of 12 characters. 

Require at least three of the following:

  1. Uppercase characters

  2. Lowercase characters

  3. Digits

  4. Special characters

Additionally,

  1. Block known breached passwords

  2. Prevent password reuse across systems

  3. Deny predictable or dictionary-based terms

  4. Promote the use of password managers to support secure behaviour

Strong passwords are not optional; they are often the first line of defence.

Finding 2: Insufficient Login Protection

If the service needs to be public, passwords alone are not enough. Without mechanisms to slow or detect repeated login attempts, attackers can make unlimited guesses until they succeed. 

During testing, we identified weaknesses in the authentication process that allowed brute-force attempts to be carried out with minimal resistance. Although initial testing against single accounts triggered throttling, this control was easily bypassed by switching to a credential-stuffing approach, testing a large list of potential usernames alongside a small set of weak passwords derived from the policy in place. When combined with only a five-second delay between attempts, the login process could be repeatedly probed without being blocked, ultimately leading to the compromise of an administrator account.


Figure 2 shows the credential-stuffing attack, with the valid credential obfuscated; it was accepted on the 684th request. Although the account did not log in, 2 redirects indicated that the credential was valid.

Recommendations

Multiple methods can add resilience against password-based attacks; examples include:

  1. Introduce progressive lockouts that increase with failed attempts

  2. Consider IP blocking or full lockouts for persistent abuse (but consider denial of service if someone carries out credential stuffing)

  3. Implement reCAPTCHA or similar automation controls

  4. Enforce Multi-Factor Authentication (MFA) on all public-facing accounts
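The throttling bypass described under Finding 2 works because failures are only counted per account, so spreading a few weak passwords across many usernames never trips the limit. The following is an added example (not code from the assessment or the application tested) of a login throttle that combines a progressive per-account lockout with a sliding-window failure count per source, so a spray across many accounts from one origin is still stopped. All thresholds, the `LoginThrottle` class and the simulated source address are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

# Assumed thresholds for illustration; tune them to the service's risk appetite.
ACCOUNT_THRESHOLD = 5        # failures before the first account lockout
BASE_LOCKOUT = 30            # seconds; doubles on every further lockout (progressive)
SOURCE_WINDOW = 300          # seconds of history kept per source address
SOURCE_MAX_FAILURES = 20     # failures (across any accounts) one source may accrue


class LoginThrottle:
    """Per-account progressive lockout plus per-source sliding-window limit."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.account_failures = defaultdict(int)   # failures since last lockout
        self.account_lockouts = defaultdict(int)   # lockouts so far (drives back-off)
        self.account_locked_until = {}
        self.source_events = defaultdict(deque)    # source -> failure timestamps

    def check(self, username, source):
        """Call before verifying the password. Returns (allowed, reason)."""
        now = self.clock()
        if now < self.account_locked_until.get(username, 0):
            return False, "account_locked"
        events = self.source_events[source]
        while events and now - events[0] > SOURCE_WINDOW:   # drop old entries
            events.popleft()
        if len(events) >= SOURCE_MAX_FAILURES:              # catches spraying
            return False, "source_rate_limited"
        return True, "ok"

    def record_failure(self, username, source):
        now = self.clock()
        self.source_events[source].append(now)
        self.account_failures[username] += 1
        if self.account_failures[username] >= ACCOUNT_THRESHOLD:
            n = self.account_lockouts[username]
            self.account_locked_until[username] = now + BASE_LOCKOUT * (2 ** n)
            self.account_lockouts[username] = n + 1
            self.account_failures[username] = 0


def simulate_spray(n_accounts, source="198.51.100.7"):
    """Constructed scenario: one source tries a single password against
    n_accounts usernames, five seconds apart as in the assessment above.
    Returns the index of the first attempt that was refused, or None."""
    clock = [0.0]
    throttle = LoginThrottle(clock=lambda: clock[0])
    for i in range(n_accounts):
        allowed, _ = throttle.check(f"user{i}", source)
        if not allowed:
            return i
        throttle.record_failure(f"user{i}", source)
        clock[0] += 5.0
    return None
```

With these settings a spray from one source is refused on its 21st attempt regardless of how many usernames it rotates through, while a single account still locks after five failures with a doubling back-off.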

Summary

The configuration allowed very weak passwords such as “123123”, lacked effective rate limiting, and did not enforce Multi-Factor Authentication (MFA). When combined, these issues created a major flaw that was exploited during testing, resulting in the compromise of an administrator account. In the hands of a cybercriminal, this access could be used to escalate attacks further and would almost certainly expose the personal and business information held in the application. Such a scenario carries a high risk of ransom, extortion, and reputational harm for businesses.

Closing Thoughts

As we close out the year, one lesson continues to stand out above all others: 

Many breaches don’t require sophistication, only opportunity. 

If public-facing assets are not rigorously tested and correctly configured, compromise is only a matter of time. Fortunately, in this case, it was discovered through testing rather than exploitation by cybercriminals. 

A small oversight can become a big incident, and nothing spoils Christmas like a data breach notice.
