millions of user accounts, the odds of multiple users having the same
password dramatically increases. While brute force techniques are
highly popular and often successful, they can take hours, weeks or
years to complete.
Example
Username = Jon
Passwords = smith, michael jordan, [pet names], [birthdays], [car names], ...

Usernames = Jon, Dan, Ed, Sara, Barbara, ...
Password = 12345678
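The two example shapes above (one username tried against many passwords, and one password tried against many usernames) leave different footprints in authentication logs. The following added example, which is not part of the WASC document, runs a simple detector over a few constructed log lines; the log format, the five-minute window and the thresholds are assumptions made for the example.

```python
"""Added example (not from the WASC Threat Classification): detecting
the two brute force patterns in constructed authentication log lines.

Pattern 1 (one username, many passwords) appears as many failures for a
single account in a short window.  Pattern 2 (one password, many
usernames) appears as one source failing against many distinct
accounts, each only once or twice.  Format and thresholds are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log lines for this example (not real data).
SAMPLE_LOG = """\
2004-01-01T10:00:01 ip=10.0.0.5 user=jon result=fail
2004-01-01T10:00:03 ip=10.0.0.5 user=jon result=fail
2004-01-01T10:00:04 ip=10.0.0.5 user=jon result=fail
2004-01-01T10:00:06 ip=10.0.0.5 user=jon result=fail
2004-01-01T10:00:08 ip=10.0.0.5 user=jon result=fail
2004-01-01T10:00:09 ip=10.0.0.5 user=jon result=fail
2004-01-01T10:00:11 ip=10.0.0.5 user=jon result=ok
2004-01-01T11:00:01 ip=10.0.0.9 user=jon result=fail
2004-01-01T11:00:02 ip=10.0.0.9 user=dan result=fail
2004-01-01T11:00:03 ip=10.0.0.9 user=ed result=fail
2004-01-01T11:00:04 ip=10.0.0.9 user=sara result=fail
2004-01-01T11:00:05 ip=10.0.0.9 user=barbara result=fail
2004-01-01T11:00:06 ip=10.0.0.9 user=sara result=ok
2004-01-01T12:00:01 ip=10.0.0.7 user=ed result=fail
2004-01-01T12:00:30 ip=10.0.0.7 user=ed result=ok
"""


def parse(text):
    """Parse log lines into (timestamp, ip, user, success) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m is None:
            continue  # lines that do not match the assumed format are skipped
        events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["user"],
                       m["result"] == "ok"))
    events.sort()
    return events


def guessed_accounts(events, window=timedelta(minutes=5), threshold=5):
    """Usernames with at least `threshold` failed logins inside any `window`
    (the single-username, many-passwords pattern)."""
    failures = defaultdict(list)
    for ts, _ip, user, ok in events:
        if not ok:
            failures[user].append(ts)
    flagged = set()
    for user, times in failures.items():
        start = 0
        for end, ts in enumerate(times):  # sliding window over sorted failures
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


def spraying_sources(events, window=timedelta(minutes=5), threshold=4):
    """Source IPs whose failures touch at least `threshold` distinct usernames
    inside any `window` (the one-password, many-usernames pattern)."""
    failures = defaultdict(list)  # ip -> [(timestamp, user)]
    for ts, ip, user, ok in events:
        if not ok:
            failures[ip].append((ts, user))
    flagged = set()
    for ip, items in failures.items():
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            if len({u for _t, u in items[start:end + 1]}) >= threshold:
                flagged.add(ip)
                break
    return flagged


def successes_after_attack(events, accounts, sources):
    """Successful logins on a flagged account or from a flagged source: the
    events to review first, since the guessing may have succeeded."""
    return [(ts, ip, user) for ts, ip, user, ok in events
            if ok and (user in accounts or ip in sources)]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    accounts, sources = guessed_accounts(evs), spraying_sources(evs)
    print("accounts under guessing:", accounts)
    print("sources spraying usernames:", sources)
    for ts, ip, user in successes_after_attack(evs, accounts, sources):
        print(f"review: {user} logged in from {ip} at {ts}")
```

The per-account counter alone misses the second pattern, because each username only fails once; the per-source distinct-username counter catches it, which is why both views are kept and the successful logins that follow either signal are surfaced for review.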
References
"Brute Force Attack", Imperva Glossary
http://www.imperva.com/application_defense_center/glossary/brute_force.html
"iDefense: Brute Force Exploitation of Web Application Session ID's", by David Endler, iDEFENSE Labs
http://www.cgisecurity.com/lib/SessionIDs.pdf
1.2 Insufficient Authentication
Insufficient Authentication occurs when a web site permits an attacker
to access sensitive content or functionality without having to properly
authenticate. Web-based administration tools are a good example of
web sites providing access to sensitive functionality. Depending on
the specific online resource, these web applications should not be
directly accessible without requiring the user to properly verify their
identity.
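The following added example, which is not part of the WASC document, contrasts an administrative handler that is "protected" only by an unlinked, hard-to-guess path with one that is placed behind an authentication check. The request and session model, the route table, the placeholder path and the handler functions are assumptions made for this example and do not describe any particular product.

```python
"""Added example (not from the WASC Threat Classification): hiding an
administrative location versus actually authenticating access to it.
Routes, session model and handlers are assumptions for this example."""
from dataclasses import dataclass, field
from functools import wraps


@dataclass
class Request:
    path: str
    # Assumed to be populated only from a verified session cookie.
    session: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


def home(req):
    return Response(200, "public home page")


def admin_panel(req):
    return Response(200, "admin panel: user management, configuration")


# Handlers that expose sensitive functionality and must never be reachable
# without an identity check.
SENSITIVE_HANDLERS = {admin_panel}

# --- Insufficient authentication: obscurity in place of a check ----------
# The path is unlinked and hard to guess, but nothing verifies who is
# asking; anyone who learns it (proxy logs, referer headers, a shared
# bookmark) gets the full administrative functionality.
VULNERABLE_ROUTES = {
    "/": home,
    "/mgmt-7f3a91/": admin_panel,  # constructed placeholder path
}


# --- Hardened: the check travels with the handler -------------------------
def requires_authentication(handler):
    """Refuse the request unless the session carries a verified identity.
    Because the check wraps the handler itself, it applies however the
    handler is reached (hidden path, alias, direct request)."""
    @wraps(handler)
    def guarded(req):
        if not req.session.get("authenticated_user"):
            return Response(401, "authentication required")
        return handler(req)
    guarded.requires_auth = True
    return guarded


HARDENED_ROUTES = {
    "/": home,
    "/admin/": requires_authentication(admin_panel),
}


def dispatch(routes, req):
    """Minimal router: look the path up and call its handler."""
    handler = routes.get(req.path)
    return handler(req) if handler else Response(404, "not found")


def unguarded_sensitive_routes(routes):
    """Audit helper: paths whose handler is sensitive but was registered
    without the authentication wrapper.  Run it in a test suite so a route
    added in a hurry cannot reintroduce the problem."""
    unguarded = []
    for path, handler in routes.items():
        underlying = getattr(handler, "__wrapped__", handler)
        if underlying in SENSITIVE_HANDLERS and not getattr(handler, "requires_auth", False):
            unguarded.append(path)
    return unguarded


if __name__ == "__main__":
    print("hidden path, no session:", dispatch(VULNERABLE_ROUTES, Request("/mgmt-7f3a91/")))
    print("known path, no session: ", dispatch(HARDENED_ROUTES, Request("/admin/")))
    print("known path, verified:   ",
          dispatch(HARDENED_ROUTES, Request("/admin/", {"authenticated_user": "jon"})))
    print("audit of vulnerable table:", unguarded_sensitive_routes(VULNERABLE_ROUTES))
    print("audit of hardened table:  ", unguarded_sensitive_routes(HARDENED_ROUTES))
```

The hardened route table does not need a secret path at all: the administrative location can be public knowledge because the decision to serve it rests on the verified session, not on whether the requester knows the URL.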
To get around setting up authentication, some resources are
protected by hiding the specific location and not linking the location
into the main web site or other public places. However, this approach
Copyright 2004, Web Application Security Consortium. All rights reserved.