WebApp Sec mailing list archives

Re: Likelihood of brute force attacks against web apps


From: Jeremiah Grossman <jeremiah () whitehatsec com>
Date: Tue, 12 Oct 2004 18:13:44 -0700

From my experience, service automating bots are quite common to a variety of web sites and have been so for years. Just ask any large webmail, message board, auction, blog provider, etc. They'll all tell you these bots are a pain. Interestingly, I do not recall any popular news stories covering the subject.

As you mentioned, account generation and password resets are indeed likely candidates for service automation. I would also include message/email posting for spamming and login brute force as common as well. Do they represent a risk or threat to financial loss? Dependent on the given situation, I would say yes in most cases. However, I would hesitate to say it's directly related to fraud (though it does happen).

Most of the business cost is wrapped up in clean-up efforts after the fact. You have to take the time to remove 100,000 fictitious new accounts. Clean out tons of spam messages littering the system. Or perhaps be on the phone with users explaining why their account is locked. All without impacting normal user activity by deleting legitimate data. I personally recommend CAPTCHA systems where appropriate as well.


Regards,

Jeremiah-




On Tuesday, October 12, 2004, at 04:58  AM, Stephen de Vries wrote:


Hi list,

We frequently warn clients of the risks of brute force or automated attacks against their sites and recommend the use of CAPTCHA (www.captcha.net) systems, or "secret questions" to mitigate this risk. For example:

- The registration process does not use CAPTCHA-like systems and could allow attackers to use an automated script to generate thousands of fictitious users. These users can then be used to perform transactions that could lead to financial loss (e.g. costs due to rejected credit cards), or waste resources through database access (and wasted storage).

- The password reminder mechanism requires only the user's email address which is used to send them an email for resetting their password. But since it requires no further auth from the user (such as an answer to a secret question), an attacker could enumerate all the valid email addresses registered to the site by writing a brute force script and using a database of email addresses (this may be particularly useful to a competitor). Of course, if the email address is used as the username, this problem becomes more serious.

Although these risks are real - and I don't doubt they will be used in the future - I'm not aware of any attacks of this sort being conducted in the past. Is anyone aware of these types of attacks in real-world scenarios? Do you think these pose a serious threat?

regards,
Stephen


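As an added illustration of the two points above (Stephen's email-enumeration vector and Jeremiah's clean-up cost from scripted requests), the following Python is example code written for this archive page, not code either poster provided; the registered addresses, log lines, threshold and window are constructed values.

```python
from collections import defaultdict

# Constructed sample data: addresses the site knows about (hypothetical).
REGISTERED = {"alice@example.com", "bob@example.com"}


def leaky_reminder(email: str) -> str:
    """Before: wording differs by registration status, so the page acts as an
    oracle that lets a script confirm which addresses hold accounts."""
    if email in REGISTERED:
        return "A reset link has been sent."
    return "No account with that address."


def uniform_reminder(email: str, send_mail=lambda e: None) -> str:
    """After: the same wording every time; mail is still only sent to
    registered addresses, so the caller learns nothing from the response."""
    if email in REGISTERED:
        send_mail(email)
    return "If that address is registered, a reset link has been sent."


# Constructed access-log lines: epoch seconds, client IP, method, path.
LOG = """\
1097598000 10.0.0.5 POST /reminder
1097598001 10.0.0.5 POST /reminder
1097598002 10.0.0.5 POST /reminder
1097598003 10.0.0.5 POST /reminder
1097598004 10.0.0.5 POST /reminder
1097598010 192.0.2.7 POST /reminder
1097598011 192.0.2.7 GET /login"""


def flag_sources(log: str, threshold: int, window: int) -> dict:
    """Return {ip: peak count} for clients that sent more than `threshold`
    reminder requests inside any `window`-second span (sliding window)."""
    events = defaultdict(list)
    for line in log.splitlines():
        ts, ip, _method, path = line.split()
        if path == "/reminder":
            events[ip].append(int(ts))
    flagged = {}
    for ip, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop requests older than the window
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged
```

The sliding-window counter is a detection aid for spotting the scripted probing discussed in the thread; it complements rather than replaces the CAPTCHA or secret-question controls both posters recommend.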