Project: WASC Threat Classification
Threat Type: Attack
Reference ID: WASC-11
Brute Force Attack
A brute force attack is a method to determine an unknown value by using an automated process to try a large number of possible values. The attack takes advantage of the fact that the entropy of the values is smaller than perceived. For example, while an 8-character alphanumeric password can have 2.8 trillion possible values, many people will select their passwords from a much smaller subset consisting of common words and terms.
The sections below describe brute force attacks common to web applications.
Brute Forcing Log-in Credentials
The most common type of brute force attack in web applications is an attack against log-in credentials. Since users need to remember passwords, they often select easy-to-memorize words or phrases as passwords, making a brute force attack using a dictionary useful. Such an attack, which attempts to log in to a system using a large list of words and phrases as potential passwords, is often called a "word list attack" or a "dictionary attack". Attempted passwords may also include variations of words common to passwords, such as those generated by replacing "o" with "0" and "i" with "1", as well as personal information including family member names, birth dates and phone numbers.
An attacker may try to guess a password alone or guess both the user name and the password. In the latter case the attacker might fix the user name and iterate through a list of possible passwords, or fix the password and iterate through a list of possible user names. The second method, called a reverse brute force attack, can only get the credentials of a random user, but is useful when the attacked system locks users after a number of failed log-in attempts.
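The difference between the two methods matters for detection: a per-user failure counter catches the first but never sees the second. The following is an added example, not part of the original WASC text, that counts failures both per account and per source across distinct accounts. The event format, addresses, user names and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events: (epoch_seconds, source_ip, username, success)
EVENTS = (
    # 12 failures against one account (fixed user name, many passwords)
    [(i, "198.51.100.7", "alice", False) for i in range(0, 60, 5)]
    # one failure against each of 15 accounts (fixed password, many user names)
    + [(100 + i, "203.0.113.9", f"user{i:02d}", False) for i in range(15)]
    # an ordinary mistyped password followed by a successful log-in
    + [(200, "192.0.2.44", "bob", False), (230, "192.0.2.44", "bob", True)]
)

def detect(events, window=300, per_user_limit=10, distinct_user_limit=10):
    """Return (targeted_users, spraying_sources) found in any sliding window.

    targeted_users: accounts with >= per_user_limit failures in `window` seconds.
    spraying_sources: sources failing against >= distinct_user_limit accounts.
    """
    by_user = defaultdict(list)    # username -> failure timestamps
    by_source = defaultdict(list)  # source ip -> (timestamp, username)
    for ts, src, user, ok in sorted(events):
        if not ok:
            by_user[user].append(ts)
            by_source[src].append((ts, user))

    targeted = set()
    for user, stamps in by_user.items():
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= per_user_limit:
                targeted.add(user)
                break

    spraying = set()
    for src, fails in by_source.items():
        start = 0
        for end, (ts, _) in enumerate(fails):
            while ts - fails[start][0] > window:
                start += 1
            # Count distinct accounts, not attempts: each account sees one failure.
            if len({u for _, u in fails[start:end + 1]}) >= distinct_user_limit:
                spraying.add(src)
                break
    return targeted, spraying
```

On the sample data no account touched by `203.0.113.9` reaches the per-user limit, so only the per-source count of distinct accounts flags it.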
Brute Forcing Session Identifiers
Since HTTP is a stateless protocol, in order to maintain state, web applications need to ensure that a session identifier is sent by the browser with each request. The session identifier is most commonly stored in an HTTP cookie or URL. Using a brute force attack, an attacker can guess the session identifier of another user. This can lead to the attacker impersonating the user, retrieving personal information and performing actions on behalf of the user.
Session identifiers usually consist of a number or a sequence of characters. In order for a brute force attack to succeed, the possible range of values for the session identifier must be limited. If the predicted range of values for a session identifier is very small based on existing information, the attack is referred to as a session prediction attack.
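A way to check one's own application for a narrow predicted range, given a sample of identifiers it issued (added example, not part of the original WASC text). It assumes hexadecimal identifiers; the sample values, the function names and the 64-bit threshold are assumptions made for illustration.

```python
import math
import secrets

def nominal_bits(sid):
    """Bits the format could carry if every hex digit were random."""
    return 4 * len(sid)

def observed_range_bits(sample):
    """Bits needed to cover the span between the smallest and largest sampled ID."""
    values = [int(s, 16) for s in sample]
    return math.log2(max(values) - min(values) + 1)

def audit(sample, min_bits=64):
    """Flag a scheme whose sampled IDs cluster in a narrow range.

    A wide span is necessary but not sufficient: it does not prove the
    generator is unpredictable, only that the IDs are not simply clustered.
    """
    span = observed_range_bits(sample)
    return {"nominal": nominal_bits(sample[0]),
            "span": round(span, 1),
            "weak": span < min_bits}

# Constructed weak scheme: a counter zero-padded to look like a 128-bit token.
WEAK = [f"{0x5f3a1000 + 7 * n:032x}" for n in range(20)]

# Identifiers drawn from the operating system's CSPRNG.
STRONG = [secrets.token_hex(16) for _ in range(20)]
```

For the constructed counter scheme the format suggests 128 bits, while the twenty sampled values span only about 7 bits.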
Brute Forcing Directories and Files
When files reside in directories that are served by the web server but are not linked anywhere, accessing those files requires knowing their file name. In some cases those files have been left by mistake: for example a backup file automatically created when editing a file or leftovers from an older version of the web application. In other cases files are intentionally left unlinked as a "security by obscurity" mechanism allowing only people who know the file names to access them.
A brute force attack tries to locate the unlinked file by trying to access a large number of files. The list of attempted file names might be taken from a list of known potential files or based on variants of the visible files on the web site. More information on brute forcing directories and files can be found in the associated vulnerability, predictable resource location.
Brute Forcing Credit Card Information
Shopping online with stolen credit cards usually requires information in addition to the credit card number, most often the CVV/CSC and/or expiration date. A fraudster may hold a stolen credit card number without the additional information. For example, the CVV/CSC is not imprinted on the card or stored on the magnetic stripe, so it cannot be collected by mechanical or magnetic credit card swiping devices.
In order to fill in the missing information, the hacker can guess it using a brute force technique, trying all possible values.
- Guessing CVV/CSC requires only 1000 or 10000 attempts as the number is only 3 or 4 digits, depending on the card type.
- Guessing an expiration date requires only several dozen attempts.
Brute force attacks are by no means limited to the scenarios described above. For example, a password reminder feature may enable a user to retrieve a forgotten password by providing a personal detail known just to him. However, if the personal detail is "favorite color" then an attacker can use a brute force attack to retrieve the password, as the number of color choices is limited. In addition, studies have shown that approximately 40% of the population selects blue as their favorite color, so even if the attacker is locked out after three attempts, that would still enable the attacker to retrieve a fair number of passwords.
References
"Brute Force", Wikipedia
"Brute-Force Exploitation of Web Application Session ID's", David Endler - iDEFENSE Labs
"Brute force attack incidents", the Web Hacking Incidents Database
Predictable Resource Location
"Card Security Code", Wikipedia
"Color Assignment, Favorite Color", Joe Hallock