Brute Force

Category: Security Misconfiguration

Severity: High

Description

A brute force attack can take many forms, but at its core an attacker prepares a set of candidate values, submits requests to the server using those values, and analyzes each response. To work more efficiently, an attacker may use a dictionary attack (with or without mutations) or a classic brute-force attack over chosen character classes (e.g. alphanumeric, special characters, case-sensitive or case-insensitive). Given the method, the number of tries, the performance of the attacking system and the estimated performance of the target system, the attacker can estimate how long it will take to submit every candidate value.
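From the defender's side, the same pattern (many requests with varying values and a check of each response) shows up in authentication logs as a burst of failures from one source. The following is an added example, not code from the original page: it scans constructed log lines for sources that exceed a failure threshold inside a time window, and flags whether the same source logged in successfully afterwards. The log line format, the threshold and the window are assumptions chosen for illustration.

```python
"""Flag login brute-force patterns in authentication log lines.

Added example; not code from the original page. The log line format
("<ISO timestamp> <OK|FAIL> user=<name> src=<ip>"), the threshold and the
window are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): one source bursts six
# failures against "alice" in six seconds and then succeeds; another
# source fails twice against "bob" half an hour apart.
SAMPLE_LOG = """\
2024-01-01T10:00:00 FAIL user=alice src=203.0.113.5
2024-01-01T10:00:01 FAIL user=alice src=203.0.113.5
2024-01-01T10:00:02 FAIL user=alice src=203.0.113.5
2024-01-01T10:00:03 FAIL user=alice src=203.0.113.5
2024-01-01T10:00:04 FAIL user=alice src=203.0.113.5
2024-01-01T10:00:05 FAIL user=alice src=203.0.113.5
2024-01-01T10:00:06 OK user=alice src=203.0.113.5
2024-01-01T10:05:00 FAIL user=bob src=198.51.100.7
2024-01-01T10:30:00 FAIL user=bob src=198.51.100.7
"""


def parse_line(line):
    """Split one log line into (timestamp, result, user, source)."""
    ts, result, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), result,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def find_brute_force(log_text, threshold=5, window_seconds=60):
    """Return {source: {"users": [...], "success_after_burst": bool}} for
    every source with at least `threshold` failures inside any window of
    `window_seconds`.

    A success from the same source after such a burst is the signal a
    responder cares about most: one of the guesses may have worked.
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)   # src -> [(ts, user), ...]
    successes = defaultdict(list)  # src -> [ts, ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = parse_line(line)
        if result == "FAIL":
            failures[src].append((ts, user))
        elif result == "OK":
            successes[src].append(ts)

    alerts = {}
    for src, events in failures.items():
        events.sort()
        start = 0  # sliding window over the sorted failure timestamps
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = events[end][0]
                alerts[src] = {
                    "users": sorted({u for _, u in events[start:end + 1]}),
                    "success_after_burst": any(t >= burst_end for t in successes[src]),
                }
                break
    return alerts


if __name__ == "__main__":
    for src, info in find_brute_force(SAMPLE_LOG).items():
        print(src, info)
```

With the defaults only the first source is reported; lowering the threshold and widening the window also catches the slow two-attempt pattern against "bob", which is the trade-off between false positives and detecting low-and-slow guessing.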

Impact

  • Identity theft

Stealing someone’s identity to access their accounts, such as bank accounts or credit cards. This enables the attacker to purchase goods using these details. In addition, information such as social security numbers can be sold for use in other cyber attacks.

  • Loss of data

Loss of confidentiality when data is stolen can destroy a company's reputation. A leak of sensitive customer information can cause further reputational damage, leading to public distrust and dissatisfaction with the business.

  • Downtime

This refers to system outages in which websites or computer networks cannot be accessed because of a cyber attack. Downtime costs the business lost revenue, reduced customer satisfaction and damage to its image.

Remediation

  • Account lockout

You can lock an account after several failed login attempts and have an administrator unlock it.

  • Progressive delays

You can lock out an account for a limited time after a failed login attempt, with each further failure making the delay longer.

  • Captcha

Tools like reCAPTCHA require users to complete simple tasks to log into a system. Users can easily complete these tasks, while brute force tools cannot.

  • Requiring strong passwords

You can force users to define long and complex passwords. You should also enforce periodic password changes.

  • Two-factor authentication

You can use multiple factors to authenticate identity and grant access to accounts.
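The account lockout and progressive delay controls above can be combined in one small component in front of the password check. The following is an added example, not code from the original page or from OWASP: a guard that doubles the delay after each consecutive failure, hard-locks the account once a failure count is reached until an administrator unlocks it, and verifies passwords with a salted PBKDF2 hash and a constant-time compare. The class and function names, thresholds, and the constructed user store are assumptions chosen for illustration; the fake clock exists only so the delays can be exercised without sleeping.

```python
"""Progressive delays and account lockout for a login endpoint.

Added example; not code from the original page or from OWASP. The class
and function names, thresholds and the constructed user store are
assumptions chosen for illustration.
"""
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 50_000  # assumption; tune to your hardware


class FakeClock:
    """Deterministic clock so the delays can be exercised without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class LoginGuard:
    """Track consecutive failures per account, impose an exponentially
    growing delay after each one, and hard-lock after max_failures."""

    def __init__(self, max_failures=5, base_delay=1.0, max_delay=300.0,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock
        self.failures = {}    # username -> consecutive failure count
        self.not_before = {}  # username -> clock time when the next try is allowed
        self.locked = set()   # usernames that need an administrator to unlock

    def status(self, username):
        """'locked', 'delayed' or 'ok' for this account right now."""
        if username in self.locked:
            return "locked"
        if self.clock() < self.not_before.get(username, 0.0):
            return "delayed"
        return "ok"

    def record_failure(self, username):
        """Register a failed attempt; return the imposed delay in seconds,
        or None if the account is now locked."""
        n = self.failures.get(username, 0) + 1
        self.failures[username] = n
        if n >= self.max_failures:
            self.locked.add(username)
            return None
        delay = min(self.base_delay * 2 ** (n - 1), self.max_delay)
        self.not_before[username] = self.clock() + delay
        return delay

    def record_success(self, username):
        """A successful login clears the failure counter and any delay."""
        self.failures.pop(username, None)
        self.not_before.pop(username, None)

    def admin_unlock(self, username):
        """Manual unlock by an administrator resets the account's counters."""
        self.locked.discard(username)
        self.record_success(username)


def make_store(plain_passwords):
    """Constructed user store: username -> (salt, PBKDF2 digest)."""
    store = {}
    for user, pw in plain_passwords.items():
        salt = os.urandom(16)
        store[user] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS))
    return store


# Dummy record so unknown usernames cost the same hashing time as real ones.
_DUMMY_SALT = b"dummy-salt-0123"
_DUMMY = (_DUMMY_SALT, hashlib.pbkdf2_hmac("sha256", b"dummy", _DUMMY_SALT, PBKDF2_ROUNDS))


def attempt_login(guard, store, username, password):
    """Return 'locked', 'delayed', 'failed' or 'ok'. A real endpoint should
    show the client one generic message for the first three."""
    state = guard.status(username)
    if state != "ok":
        return state
    salt, digest = store.get(username, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    if username in store and hmac.compare_digest(candidate, digest):
        guard.record_success(username)
        return "ok"
    guard.record_failure(username)
    return "failed"


if __name__ == "__main__":
    clock = FakeClock()
    guard = LoginGuard(clock=clock)
    store = make_store({"alice": "correct horse battery staple"})
    for pw in ["a", "b", "c", "d", "e"]:
        print(attempt_login(guard, store, "alice", pw), guard.status("alice"))
        clock.advance(10)
    guard.admin_unlock("alice")
    print(attempt_login(guard, store, "alice", "correct horse battery staple"))
```

The delay is enforced even when the submitted password is correct, so an attacker gains nothing by interleaving guesses; the counter is keyed by account, which stops distributed guessing against one user but not low-rate guessing across many accounts, so in practice a per-source limit (as in the detection example) is layered on top.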

https://owasp.org/www-community/controls/Blocking_Brute_Force_Attacks
