Brute force attacks guess a user name, password, credit card number, or cryptographic key by repeated trial and error.
An attacker might use any of the following methods to discover valid authentication credentials for a web application:
Attack type | Attack description |
---|---|
Dictionary attacks | Automated tools try user names and passwords taken from a dictionary file. The attacker may build the file from words gathered about the user whose account is targeted, or from every unique word found on the target website. |
Search attacks | Tries every possible combination of a character set over a range of password lengths (an exhaustive search). Because the number of combinations grows exponentially with length, this attack can take a long time. |
Rule-based search attacks | Uses rules to generate password variations from part of a user name, or by modifying pre-configured mask words supplied as input (for example, changing case, appending digits or years, or substituting characters). |
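The three attack types in the table differ only in how candidate passwords are generated. The following is an added example, not code from the original page or from IBM: a small candidate generator for each type. The sample dictionary, the user name `alice`, the mask word `Acme` and the year range are constructed inputs, and the rules in `rule_based_candidates` are one plausible rule set rather than any particular tool's.

```python
import itertools
import string

# Constructed sample inputs, standing in for what an attacker gathers about a
# target; none of this comes from the original page.
SAMPLE_DICTIONARY = ["welcome", "summer", "company", "letmein"]
SAMPLE_USERNAME = "alice"
SAMPLE_MASK_WORDS = ["Acme"]  # e.g. the target organisation's name (assumed)


def dictionary_candidates(words):
    """Dictionary attack: each word from the list is tried exactly as listed."""
    return list(dict.fromkeys(words))  # keep order, drop duplicates


def search_keyspace(charset, min_len, max_len):
    """Search attack: number of candidates over all lengths in [min_len, max_len]."""
    return sum(len(charset) ** n for n in range(min_len, max_len + 1))


def search_candidates(charset, min_len, max_len):
    """Search attack: yield every combination, shortest length first."""
    for n in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            yield "".join(combo)


def rule_based_candidates(username, mask_words, years=range(2020, 2025)):
    """Rule-based attack: derive variations from the user name and mask words.

    Rules applied to each seed (a hypothetical rule set): case changes,
    reversal, leetspeak substitution, and common suffixes (punctuation,
    digits, years).
    """
    seeds = [username, *mask_words]
    leet = str.maketrans("aeios", "43105")
    out, seen = [], set()
    for seed in seeds:
        base = {seed, seed.lower(), seed.capitalize(), seed[::-1],
                seed.lower().translate(leet)}
        variants = set(base)
        for v in base:
            variants.add(v + "!")
            variants.add(v + "123")
            variants.update(f"{v}{y}" for y in years)
        for v in sorted(variants):
            if v not in seen:
                seen.add(v)
                out.append(v)
    return out


if __name__ == "__main__":
    print("dictionary:", dictionary_candidates(SAMPLE_DICTIONARY))
    alnum = string.ascii_lowercase + string.digits
    print("search keyspace, [a-z0-9] length 1-8:", search_keyspace(alnum, 1, 8))
    print("first search candidates:",
          list(itertools.islice(search_candidates("ab", 1, 2), 6)))
    rules = rule_based_candidates(SAMPLE_USERNAME, SAMPLE_MASK_WORDS)
    print(f"rule-based: {len(rules)} candidates, e.g. {rules[:5]}")
```

The keyspace figure is the practical reason search attacks are slow and why rule-based and dictionary attacks are tried first: a rule set turns a handful of seeds into a few hundred likely guesses, whereas even lowercase alphanumerics up to eight characters give more than 2.8 trillion combinations.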
Signature name | Description | More information |
---|---|---|
HTTP_Forced_Browsing_Probe | Detects repeated attempts to access non-existent resources on a web server. This pattern can indicate forced browsing, in which an attacker uses brute force methods to search for unlinked content in the web root, such as temporary directories and files, and old backup and configuration files. These files and directories might contain sensitive information about the web application and the operating system, such as source code, authentication credentials, or internal network addressing, that could enable an attack on the system. | IBM® X-Force®: Web application forced browsing probe detected |
HTTP_Hydra_BruteForce | Detects brute force login attempts generated by the Hydra plug-in of the Nessus scanner. | IBM X-Force: Nessus Hydra plugin brute force detected |
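The two signatures above both key on repetition from one source. As an added example, not IBM's detection logic (which the page does not describe), the following script runs simplified versions of both checks over constructed web server log lines in combined log format: a forced browsing probe is flagged when one IP requests a threshold of distinct non-existent paths within a window, and a login brute force is flagged when one IP accumulates a threshold of failed `POST /login` attempts. The IPs, paths, timestamps and the `Mozilla/4.0 (Hydra)` User-Agent are all constructed sample values, and the detection deliberately ignores the User-Agent, since an attacker chooses it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample web server log (combined log format); not real traffic.
# 203.0.113.7 probes for unlinked backup/config files and gets repeated 404s.
# 198.51.100.20 is an ordinary visitor with one 404 (favicon).
# 192.0.2.44 hammers the login form; the User-Agent mimics Hydra's default,
# but the detection below does not rely on it because it is attacker-chosen.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /backup.zip HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /config.php.bak HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /tmp/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /old/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:13:55:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:13:55:06 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:56:00 +0000] "POST /login HTTP/1.1" 401 231 "-" "Mozilla/4.0 (Hydra)"
192.0.2.44 - - [10/Oct/2023:13:56:00 +0000] "POST /login HTTP/1.1" 401 231 "-" "Mozilla/4.0 (Hydra)"
192.0.2.44 - - [10/Oct/2023:13:56:01 +0000] "POST /login HTTP/1.1" 401 231 "-" "Mozilla/4.0 (Hydra)"
192.0.2.44 - - [10/Oct/2023:13:56:01 +0000] "POST /login HTTP/1.1" 401 231 "-" "Mozilla/4.0 (Hydra)"
192.0.2.44 - - [10/Oct/2023:13:56:02 +0000] "POST /login HTTP/1.1" 401 231 "-" "Mozilla/4.0 (Hydra)"
192.0.2.44 - - [10/Oct/2023:13:56:02 +0000] "POST /login HTTP/1.1" 401 231 "-" "Mozilla/4.0 (Hydra)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect(lines, window_seconds=60, probe_threshold=5,
           login_threshold=5, login_path="/login"):
    """Raise at most one alert per source IP per signature, using a sliding window."""
    not_found = defaultdict(deque)      # ip -> deque of (ts, path) for 404 responses
    failed_logins = defaultdict(deque)  # ip -> deque of ts for failed login POSTs
    alerts, fired = [], set()

    def trim(q, now, key=lambda e: e):
        # Drop events that fell out of the window ending at `now`.
        while q and (now - key(q[0])).total_seconds() > window_seconds:
            q.popleft()

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["status"] == 404:
            q = not_found[ip]
            q.append((ts, ev["path"]))
            trim(q, ts, key=lambda e: e[0])
            # Count distinct paths, so a page that repeatedly misses one
            # favicon or stylesheet does not look like a probe.
            distinct = {p for _, p in q}
            if len(distinct) >= probe_threshold and (ip, "forced_browsing_probe") not in fired:
                fired.add((ip, "forced_browsing_probe"))
                alerts.append({"signature": "forced_browsing_probe", "source_ip": ip,
                               "count": len(distinct), "first_seen": q[0][0]})
        elif ev["method"] == "POST" and ev["path"] == login_path and ev["status"] in (401, 403):
            q = failed_logins[ip]
            q.append(ts)
            trim(q, ts)
            if len(q) >= login_threshold and (ip, "login_brute_force") not in fired:
                fired.add((ip, "login_brute_force"))
                alerts.append({"signature": "login_brute_force", "source_ip": ip,
                               "count": len(q), "first_seen": q[0]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a['signature']}: {a['source_ip']} "
              f"({a['count']} events since {a['first_seen']:%H:%M:%S})")
```

Two caveats a practitioner would apply before relying on this: an application that answers bad logins with a 200 and an error page, or a 302 back to the form, produces no 401, so the failure condition must be tuned to how the target application actually responds; and thresholds per source IP miss attackers that spread attempts across many addresses, which is why the signature-based approach in the table is complemented by per-account lockout and rate limiting on the application side.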