websecurity@lists.webappsec.org

The Web Security Mailing List


Re: [WEB SECURITY] How to recognize brute force attack

MustLive
Mon, May 20, 2013 5:48 PM

Hello Eric!

It's good to see that your financial company cares about security, since I
always see vulnerable financial web sites (especially in Ukraine), such as
sites of banks, online (electronic) payment systems and other e-commerce
sites, and have found a lot of hacked and infected e-commerce web sites in
Ukraine, among all hacked and infected web sites, during my persistent
analysis of hackers' activity in Uanet since 2006
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-April/008774.html).

In particular, I've not seen bank sites with captchas, but I have seen many
EPS, particularly in Ukraine and Russia, which use captchas. So your financial
company is an advanced one. But you must always remember about attacks on
captchas (that they have weaknesses), so don't rely solely on captcha to
prevent Brute Force attacks. I'm regularly finding vulnerable captchas,
including on financial sites (plus there are other weaknesses in captchas,
and for this reason they are not much used by financials, as Paul said).

Nuno and Paul already gave you some hints. In addition to them, I'll tell you
the following.

BF attacks can be detected and can be prevented. For this, captchas can be
used, as well as other methods (and you can use a combination of methods to
protect against the weaknesses of the different methods, as I've mentioned
above). Besides protecting against BF attacks, you need to conduct a security
audit of your web site to check the reliability of its security mechanisms.
I've found a lot of web sites with BF protections (including PCI DSS audited
sites) which in reality were vulnerable to BF - with different bypass methods
developed by me. So those banks and EPS which ordered a security audit from
me, even some of them that had already passed PCI DSS, did wisely. Always
check the reliability of your protection.

You could read my articles on this topic in the WASC mailing list earlier. I
wrote about my two articles
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-September/008051.html).
And here is my article written for PenTest Regular 04/2012 "Advanced Methods
of Bypassing of Blockings at Web Sites"
(http://websecurity.com.ua/articles/advanced-methods-of-bypassing-of-blockings-at-web-sites/).

> You should prevent all types of brute force attacks, namely, horizontal,
> diagonal and vertical.

Besides this classification of Brute Force attacks, the following one can
also be used: full enumeration, vocabulary, mixed (using a mask) and a
combination of these variants. Both of these classifications describe the
attack from different angles and I'm using both of them. It's even possible
to combine the terms from both classifications to describe the attack - e.g.
horizontal vocabulary BF attack.

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
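An added example, not part of MustLive's post or of any article he links: a small Python detector that labels a burst of failed logins from one source address as vertical (many guesses against one login), horizontal (one or two guesses each against many logins) or diagonal (many logins, many guesses each), following the first classification quoted above. It also counts how many distinct sources hit each account, since guesses spread thinly across many addresses stay below any per-address threshold and are only visible per target account, which is the kind of weakness the post says an audit should check. The log line format, the thresholds, the addresses and the usernames are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed sliding window per source address
MIN_FAILURES = 8                # assumed failures from one source before it counts as a burst
MAX_PER_USER_HORIZONTAL = 2     # horizontal: at most this many guesses per account


def _constructed_log():
    """Build constructed sample lines "<ISO ts> <src ip> <user> FAIL|OK" (not real traffic)."""
    t0 = datetime(2013, 5, 20, 17, 40)
    lines = []

    def add(ip, offset, user, result="FAIL"):
        lines.append(f"{(t0 + timedelta(seconds=offset)).isoformat()} {ip} {user} {result}")

    for i in range(12):                       # vertical: one login, many passwords
        add("203.0.113.10", i, "alice")
    for i in range(12):                       # horizontal: one guess per login, many logins
        add("198.51.100.7", 60 + i, f"user{i:02d}")
    for i in range(4):                        # diagonal: several logins, several guesses each
        for j in range(4):
            add("192.0.2.55", 120 + 4 * i + j, f"acct{i}")
    add("203.0.113.200", 200, "erin")         # benign: two typos, then success
    add("203.0.113.200", 210, "erin")
    add("203.0.113.200", 220, "erin", "OK")
    for i in range(5):                        # distributed: one login, two guesses per address
        for j in range(2):
            add(f"198.51.100.{20 + i}", 300 + 2 * i + j, "admin")
    return lines


SAMPLE_LOG = _constructed_log()


def parse_line(line):
    """Split one constructed log line into (timestamp, source ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def classify_burst(per_user):
    """Label a burst from one source by how its guesses are spread over accounts."""
    if len(per_user) == 1:
        return "vertical"                                  # many passwords, one login
    if max(per_user.values()) <= MAX_PER_USER_HORIZONTAL:
        return "horizontal"                                # few passwords, many logins
    return "diagonal"                                      # many logins and many passwords each


def detect(lines, window=WINDOW, min_failures=MIN_FAILURES):
    """Return {source_ip: label} for every source exceeding min_failures inside one window."""
    events = defaultdict(list)                             # ip -> [(ts, user)] failed attempts
    for line in lines:
        ts, ip, user, result = parse_line(line)
        if result == "FAIL":
            events[ip].append((ts, user))
    alerts = {}
    for ip, fails in events.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide window start forward
                start += 1
            if end - start + 1 >= min_failures:
                per_user = Counter(u for _, u in fails[start:end + 1])
                alerts[ip] = classify_burst(per_user)
                break
    return alerts


def targeted_accounts(lines, min_sources=3):
    """Accounts failing from many distinct sources: a distributed attack that per-IP counting misses."""
    sources = defaultdict(set)
    for line in lines:
        _, ip, user, result = parse_line(line)
        if result == "FAIL":
            sources[user].add(ip)
    return {u: len(s) for u, s in sources.items() if len(s) >= min_sources}


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))              # per-source bursts with their label
    print(targeted_accounts(SAMPLE_LOG))   # accounts probed from several addresses
```

Note that the per-source view alone never flags the "admin" guesses, because each address stays under the threshold; only the per-account view does. A per-IP block on its own is therefore the kind of protection the post warns can pass an audit on paper while still being bypassable, and both views should feed the same lockout or step-up decision.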
