Classes of Attack
1 Authentication
The Authentication section covers attacks that target a web site's
method of validating the identity of a user, service or application.
Authentication is performed using at least one of three mechanisms:
something you have, something you know or something you are.
This section will discuss the attacks used to circumvent or exploit the
authentication process of a web site.
1.1 Brute Force
A Brute Force attack is an automated process of trial and error used
to guess a person's username, password, credit card number or
cryptographic key.
Many systems will allow the use of weak passwords or cryptographic
keys, and users will often choose easy to guess passwords, possibly
found in a dictionary. Given this scenario, an attacker would cycle
through the dictionary word by word, generating thousands or
potentially millions of incorrect guesses searching for the valid
password. When a guessed password allows access to the system,
the brute force attack has been successful and the attacker is able
to access the account.
The same trial and error technique is also applicable to guessing
encryption keys. When a web site uses a weak or small key size, it's
possible for an attacker to guess a correct key by testing all possible
keys.
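The two shapes of guessing described here (many guesses against one account, and one guess against many accounts) leave distinct traces in authentication logs. The following is an added detection example, not part of the WASC document: it parses a constructed, assumed log format (timestamp, source address, username, OK/FAIL) and flags a username that collects too many failures in a time window, as well as a source address that fails against too many distinct usernames in a window. The thresholds, the window length and the log layout are illustrative assumptions.

```python
"""Flag brute-force login patterns in web authentication logs.

Added example (not from the WASC document). Both detectors use a sliding
time window over failed attempts: one keyed by username (many passwords
tried against one account), one keyed by source address (one password
tried against many accounts). Log format and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (assumed format: ISO timestamp, source IP,
# username, result of OK or FAIL). Not real data.
SAMPLE_LOG = """\
2004-03-01T10:00:01 198.51.100.7 alice FAIL
2004-03-01T10:00:02 198.51.100.7 alice FAIL
2004-03-01T10:00:03 198.51.100.7 alice FAIL
2004-03-01T10:00:04 198.51.100.7 alice FAIL
2004-03-01T10:00:05 198.51.100.7 alice FAIL
2004-03-01T10:00:06 198.51.100.7 alice FAIL
2004-03-01T10:00:10 203.0.113.9 bob FAIL
2004-03-01T10:00:11 203.0.113.9 carol FAIL
2004-03-01T10:00:12 203.0.113.9 dave FAIL
2004-03-01T10:00:13 203.0.113.9 erin FAIL
2004-03-01T10:00:14 203.0.113.9 frank FAIL
2004-03-01T10:00:15 203.0.113.9 grace FAIL
2004-03-01T10:05:00 192.0.2.44 alice OK
2004-03-01T11:30:00 192.0.2.44 bob FAIL
2004-03-01T11:30:05 192.0.2.44 bob OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Return a list of (timestamp, source_ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def _windowed_max(items, window, measure):
    """Slide a time window over sorted (timestamp, payload) items and return
    the largest value of measure(payload_list) seen in any single window."""
    items.sort()
    best, start = 0, 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        best = max(best, measure([p for _t, p in items[start:end + 1]]))
    return best


def detect_brute_force(events, window=timedelta(minutes=5), max_failures=5):
    """Normal brute force: one username receives more than max_failures
    failed attempts inside `window`. Returns {username: peak_failure_count}."""
    per_user = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            per_user[user].append((ts, ip))
    alerts = {}
    for user, attempts in per_user.items():
        peak = _windowed_max(attempts, window, len)
        if peak > max_failures:
            alerts[user] = peak
    return alerts


def detect_reverse_brute_force(events, window=timedelta(minutes=5), max_users=5):
    """Reverse brute force: one source address fails against more than
    max_users distinct usernames inside `window`. Returns {ip: peak_user_count}."""
    per_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            per_ip[ip].append((ts, user))
    alerts = {}
    for ip, attempts in per_ip.items():
        peak = _windowed_max(attempts, window, lambda users: len(set(users)))
        if peak > max_users:
            alerts[ip] = peak
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("accounts under brute force:", detect_brute_force(evs))
    print("sources doing reverse brute force:", detect_reverse_brute_force(evs))
```

On the constructed sample, the first detector reports `alice` (six failures in a few seconds) and the second reports `203.0.113.9` (six different usernames from one address), while `bob`'s two failures an hour apart trip neither. A per-account counter alone misses the reverse pattern, which is why the second, per-source view is kept separate.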
Essentially there are two types of brute force attacks: (normal) brute
force and reverse brute force. A normal brute force attack uses a
single username against many passwords. A reverse brute force
attack uses many usernames against one password. In systems with
Copyright 2004, Web Application Security Consortium. All rights reserved.