WebApp Sec mailing list archives

Re: Likelihood of brute force attacks against web apps


From: Haroon Meer <haroon () sensepost com>
Date: Wed, 13 Oct 2004 13:49:12 +0200 (SAST)

Hiya..

Yeah.. The CAPTCHA systems also prevent the (often) hidden danger re: brute-forcing.. and that is that account lock-out is largely useless in many cases..

Any web-app that plays with money (or something of a high value) at the back end has to consider that the attacker does not necessarily want to break in to a specific target's account and will happily settle for the first account he can get his hands on..

Having a lockout on failed attempts for incorrect usernames may protect individual users (those with non brain-dead passwords) but will fail miserably (especially on web based systems) to give adequate coverage against attackers with > 2 braincells..

Something we have been preaching to our customers for a while, for example, is that traditional lock-out may stop an attacker who tries multiple passwords on a single (valid) username but is totally silent while an attacker tries multiple usernames on a single password..

An attack like this would run through the space of usernames using (LOCKOUT_NUMBER - 1) passwords, picking out the low hanging fruit.. and as we preach to our customers (and as we all know).. the attacker only has to win once..

/MH

On Tue, 12 Oct 2004, Stephen de Vries wrote:


Hi list,

We frequently warn clients of the risks of brute force or automated attacks against their sites and recommend the use of CAPTCHA (www.captcha.net) systems, or "secret questions" to mitigate this risk. For example:

- The registration process does not use CAPTCHA-like systems and could allow attackers to use an automated script to generate thousands of fictitious users. These users can then be used to perform transactions that could lead to financial loss (e.g. costs due to rejected credit cards), or waste resources through database access (and wasted storage).

- The password reminder mechanism requires only the user's email address which is used to send them an email for resetting their password. But since it requires no further auth from the user (such as an answer to a secret question), an attacker could enumerate all the valid email addresses registered to the site by writing a brute force script and using a database of email addresses (this may be particularly useful to a competitor). Of course, if the email address is used as the username, this problem becomes more serious.

Although these risks are real - and I don't doubt they will be used in the future - I'm not aware of any attacks of this sort being conducted in the past. Is anyone aware of these types of attacks in real-world scenarios? Do you think these pose a serious threat?

regards,
Stephen




--
======================================================================
Haroon Meer                                                         MH
SensePost Information Security                          +27 83786 6637
PGP : http://www.sensepost.com/pgp/haroon.txt     haroon () sensepost com
======================================================================
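Added illustration (not part of the thread, and not SensePost's or Corsaire's code) of the point Haroon makes above: a per-username lockout stops the "many passwords, one user" attack but never fires when one password is tried against many users, each kept below the threshold. The user base, password list, source address and detector threshold are all constructed for this example; the `SprayDetector` is a hypothetical complementary control that counts distinct failing usernames per source instead of failures per account.

```python
"""Per-account lockout versus a 'one password, many usernames' spray.

Everything here is constructed for illustration: a toy user base with a
few weak passwords, a short common-password list, and a hypothetical
detector that looks at failures per *source* rather than per *account*.
"""
from collections import defaultdict

LOCKOUT_THRESHOLD = 5  # consecutive failures before an account is locked

# Constructed sample user base; bob, dave and frank are the low-hanging fruit.
USERS = {
    "alice": "q8!Zr2#pLm",
    "bob":   "Password1",
    "carol": "Hx7$wq9@ae",
    "dave":  "summer2004",
    "erin":  "v3Ry-L0ng-Passphrase!",
    "frank": "123456",
}

# Constructed list an attacker would spray, most popular first.
COMMON_PASSWORDS = ["123456", "password", "Password1", "qwerty",
                    "summer2004", "letmein", "welcome"]


class AuthService:
    """Login endpoint with a classic per-username lockout and nothing else."""

    def __init__(self, users, threshold=LOCKOUT_THRESHOLD):
        self.users = users
        self.threshold = threshold
        self.failures = defaultdict(int)  # username -> consecutive failures
        self.locked = set()

    def login(self, username, password):
        if username in self.locked:
            return "locked"
        if self.users.get(username) == password:
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= self.threshold:
            self.locked.add(username)
        return "fail"


def vertical_attack(svc, username, candidates):
    """Many passwords against one username: the case lockout is built for."""
    for pw in candidates:
        if svc.login(username, pw) == "ok":
            return pw
    return None


def spray_attack(svc, usernames, candidates):
    """One password across every username, at most threshold-1 passwords per
    account, so the per-account counter never reaches the lockout value."""
    budget = svc.threshold - 1
    for pw in candidates[:budget]:
        for user in usernames:
            if svc.login(user, pw) == "ok":
                return user, pw
    return None


class SprayDetector:
    """Hypothetical complementary control: flag a source once it has failed
    against more than `max_distinct_users` different usernames."""

    def __init__(self, max_distinct_users=3):
        self.max_distinct_users = max_distinct_users
        self.failed_users_by_source = defaultdict(set)

    def observe(self, source, username, result):
        if result != "ok":
            self.failed_users_by_source[source].add(username)
        return len(self.failed_users_by_source[source]) > self.max_distinct_users


def run_vertical():
    """Returns (password found, was the account locked)."""
    svc = AuthService(USERS)
    found = vertical_attack(svc, "alice", COMMON_PASSWORDS)
    return found, "alice" in svc.locked


def run_spray():
    """Returns ((user, password) compromised, list of locked accounts)."""
    svc = AuthService(USERS)
    hit = spray_attack(svc, list(USERS), COMMON_PASSWORDS)
    return hit, sorted(svc.locked)


def spray_under_detection(usernames, candidates, source="10.0.0.7"):
    """Same spray, but with the per-source detector watching. Returns the
    attempt number at which the source is flagged, or None if it never is."""
    svc = AuthService(USERS)
    det = SprayDetector(max_distinct_users=3)
    attempts = 0
    for pw in candidates[:svc.threshold - 1]:
        for user in usernames:
            attempts += 1
            result = svc.login(user, pw)
            if det.observe(source, user, result):
                return attempts
            if result == "ok":
                return None
    return None


if __name__ == "__main__":
    print("vertical:", run_vertical())       # (None, True): alice gets locked
    print("spray:   ", run_spray())          # (('frank', '123456'), []): no lockouts
    print("detector:", spray_under_detection(list(USERS), COMMON_PASSWORDS))  # 4
```

The vertical run locks `alice` after five wrong guesses and the attacker gets nothing; the spray run hands over `frank` on the first pass with every account still unlocked, which is exactly the "totally silent" failure Haroon describes. The detector flags the source on its fourth attempt, before any account falls, because it keys on distinct usernames per source rather than on failures per username; in a real deployment the source key would typically combine address, session and user-agent signals, and the threshold would be tuned to the site's traffic.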

