A brute-force attack is a technique for discovering an unknown value by systematically trying every possible combination until access to the targeted resource is gained. In the context of web applications, such attacks appear as a volley of HTTP requests that cycle through a user-supplied value until the "right" value is hit. This value could be a GET or POST parameter, a username or password, a URL path, or a header value. Such attacks are carried out with automated tools and scripts that try every possible character combination, or every entry in a word list, until the sought value is found.
Attackers often exploit the fact that invalid inputs to a web application yield a different response than valid ones. For example, an invalid username may yield one error message, an invalid password another, and a successful login a completely different page. An attacker can write a script that cycles through username values for as long as the error message reads "invalid user"; when it changes to "invalid password", a valid username has been identified, and the attacker can then cycle through passwords for that username until the correct one is hit.
The other weakness that facilitates this attack is the absence of a policy that caps the number of attempts to access a particular resource.
Apart from targeting login credentials, a brute force attack could also be used for guessing hidden pages or content, session ID values, one time passcodes, credit card numbers and even reversing cryptographic hash functions.
Because brute-force attacks from a single client are easy to spot and block, attackers frequently use multiple attack sources that target the web application in concert.
A common by-product of such attacks is resource exhaustion on the server, which degrades the quality of service for genuine clients.
Indications of a brute-force attack:
Since brute-force attacks require trial and error over a large set of values, the most common indicator is an unusual volume of failed requests. When a parameter (such as a username) is being attacked, the requests all go to the same page. When the attacker is searching for hidden pages, each request targets a different path, but the server response code is consistently 404 (Not Found).
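The two indicators described above can be checked directly against web server access logs. The following script is an added example, not part of the original article or any vendor product: it parses a handful of constructed log lines in the common "combined" format, keeps a sliding one-minute window of 401/403 responses per source IP and path (credential guessing against one page) and of 404 responses per source IP (hidden-content discovery), and raises an alert once either count reaches a threshold. The IP addresses, timestamps, window and threshold are all assumed values chosen for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (combined format). Not real traffic:
# 203.0.113.7 hammers /login, 198.51.100.9 probes for hidden paths,
# 192.0.2.5 is an ordinary visitor with a couple of stray 404s.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /default HTTP/1.1" 404 169 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /manual HTTP/1.1" 404 169 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:03 +0000] "GET /portal HTTP/1.1" 404 169 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:04 +0000] "GET /script HTTP/1.1" 404 169 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:05 +0000] "GET /test HTTP/1.1" 404 169 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:06 +0000] "GET /backup HTTP/1.1" 404 169 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:13:57:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:13:57:01 +0000] "GET /favicon.ico HTTP/1.1" 404 169 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:13:57:02 +0000] "GET /old-page HTTP/1.1" 404 169 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts,
            "path": m.group("path"), "status": int(m.group("status"))}


def find_bruteforce(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {(kind, ip, path): count} for sources that exceed `threshold`
    failures inside a sliding `window`.

    kind is "credential_guessing" (401/403 repeated against one path) or
    "content_discovery" (404s from one IP across any paths, path shown as "*").
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    buckets = defaultdict(deque)  # (kind, ip, path) -> timestamps in window
    alerts = {}
    for e in events:
        if e["status"] in (401, 403):
            key = ("credential_guessing", e["ip"], e["path"])
        elif e["status"] == 404:
            key = ("content_discovery", e["ip"], "*")
        else:
            continue  # successful or other responses are not failures
        dq = buckets[key]
        dq.append(e["ts"])
        # Slide the window: drop timestamps older than `window`.
        while dq and e["ts"] - dq[0] > window:
            dq.popleft()
        if len(dq) >= threshold:
            alerts[key] = len(dq)  # keep the latest (largest) count seen
    return alerts


if __name__ == "__main__":
    for (kind, ip, path), count in find_bruteforce(SAMPLE_LOG).items():
        print(f"{kind}: {ip} {path} ({count} failures within the window)")
```

The ordinary visitor never reaches the threshold, so only the two attacking sources are reported; in production the threshold and window would be tuned against a baseline of normal failure rates, and the per-path bucket for 401s is what separates a password-guessing run from scattered unrelated errors.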
A successful brute-force attack can:
- Leak confidential and private data (example: user’s profile data, bank details, financial status, etc.).
- Leak hidden files or interfaces (example: admin interface).
- Disrupt the service, if the request volume amounts to a denial of service.
If attackers succeed in gaining access to administrative panels, they can modify, delete or add web application content, change user privileges, and so on.
Brute-force attack to identify a URL in a web application:
The attacker uses a word list of known page names to run a brute-force attack against a web application. In the example below, the attacker runs such an attack against a popular content management system, sending a request for each known page and then analyzing the HTTP response code to determine whether the requested page exists on the target server.
[root@localhost wfuzz-2.1-beta]# python wfuzz.py -c -z file,wordlist/general/common.txt --hc 404 http://X.X.X.X/FUZZ
* Wfuzz 2.1 - The Web Bruteforcer *
Total requests: 950
ID Response Lines Word Chars Request
00213: C=200 2 L 1 W 8 Ch "default"
00457: C=301 7 L 20 W 239 Ch "lost%2Bfound"
00472: C=301 7 L 20 W 235 Ch "manual"
00584: C=301 7 L 20 W 235 Ch "portal"
00759: C=200 828 L 2150 W 1275626 Ch "script"
00783: C=301 7 L 20 W 233 Ch "test"
Total time: 19.71608
Processed Requests: 950
Filtered Requests: 944
Brute-force attacks are difficult to stop completely, but with proper countermeasures and careful website design it is possible to limit them. For securing login pages, the following measures help defend against brute-force attacks:
- Enforcing long and secure passwords.
- Limiting the number of failed login attempts and blocking users who try several passwords within a short period of time, though this can end up locking out genuine users if an attacker deliberately fails logins against their usernames.
- Challenging suspicious requests with CAPTCHA or other challenges to prevent automated attacks.
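The following login handler is an added example, not code from the original article or any product: it combines the second countermeasure above (a sliding-window failure counter with a temporary lockout, tracked both per source IP and per username) with a fix for the username-enumeration weakness described earlier, by returning the same error message and running the same password hash whether the username exists or the password is wrong. The user store, salt, test password, thresholds and the `LoginGuard` and `login` names are all assumptions made for the demonstration; the `now` parameter exists so the time-based behaviour can be exercised deterministically.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

GENERIC_ERROR = "Invalid username or password"
LOCKED_ERROR = "Too many attempts, try again later"


def _hash_password(password, salt):
    """PBKDF2-HMAC-SHA256; iteration count kept modest for the demo."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed in-memory user store (username -> (salt, hash)); not a real database.
_DEMO_SALT = b"constructed-demo-salt"
USERS = {"alice": (_DEMO_SALT, _hash_password("correct horse battery staple", _DEMO_SALT))}
# Dummy hash used when the username is unknown, so both paths cost the same.
_DUMMY_HASH = _hash_password("dummy", _DEMO_SALT)


class LoginGuard:
    """Counts failures per key (e.g. ("ip", addr) or ("user", name)) inside a
    sliding window and locks the key out for `lockout` seconds once
    `max_failures` is reached."""

    def __init__(self, max_failures=5, window=300, lockout=900):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> unix time when lockout ends

    def is_locked(self, key, now):
        return self._locked_until.get(key, 0.0) > now

    def record_failure(self, key, now):
        dq = self._failures[key]
        while dq and now - dq[0] > self.window:   # forget failures outside the window
            dq.popleft()
        dq.append(now)
        if len(dq) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            dq.clear()                            # start a fresh window after lockout

    def reset(self, key):
        self._failures.pop(key, None)


def login(username, password, source_ip, guard, now=None):
    """Return (ok, message). Lockout is checked per IP and per username, the
    error text never reveals whether the username exists, and the password
    hash is computed even for unknown users so timing does not leak it either."""
    now = time.time() if now is None else now
    keys = (("ip", source_ip), ("user", username))
    if any(guard.is_locked(k, now) for k in keys):
        return False, LOCKED_ERROR

    record = USERS.get(username)
    salt, stored = record if record is not None else (_DEMO_SALT, _DUMMY_HASH)
    candidate = _hash_password(password, salt)
    # Constant-time comparison; the unknown-user case is forced to fail after hashing.
    if record is not None and hmac.compare_digest(candidate, stored):
        guard.reset(("user", username))  # a genuine login clears that user's counter
        return True, "ok"

    for k in keys:
        guard.record_failure(k, now)
    return False, GENERIC_ERROR


if __name__ == "__main__":
    g = LoginGuard(max_failures=3, window=60, lockout=120)
    for i in range(4):
        print(login("alice", "guess%d" % i, "203.0.113.7", g, now=float(i)))
    print(login("alice", "correct horse battery staple", "203.0.113.7", g, now=200.0))
```

Note that only the username counter is cleared on success: the IP counter is left alone so that an attacker who knows one valid credential cannot use it to reset the lockout for the rest of the run. The trade-off mentioned in the list above still applies: the per-username lockout can be triggered against a legitimate user, which is why both counters are kept and a CAPTCHA challenge is often preferred over a hard lockout for the username dimension.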
The Barracuda Web Application Firewall allows you to restrict the maximum number of attempts to access resources within a given time window. Attempts can be counted per source IP or across all sources. When clients violate the access policy, they can either be presented with a CAPTCHA to prove they are humans rather than scripts, or be locked out for a configurable period.
OWASP Top 10, PCI-DSS