Brute force attacks

This type of attack uses a repetitive method of trial and error in order to guess a person's user name, password, credit card number, or cryptographic key.

About this attack

An attacker could launch a brute force attack by trying to guess the user ID and password for a valid user account on the web application. If the brute force attempt is successful, the attacker might be able to access:
  • Confidential information, such as profile data for users or confidential documents stored on the web application
  • Administration tools used by the System Administrator for the web application to manage (modify, delete, add) web application content, manage user provisioning, or to assign different privileges to users
  • Sections of the web application that might expose vulnerabilities or advanced functions not available to non-Administrator users

Types of brute force attacks

An attacker might try the following attack methods to find out valid authentication credentials for a web application:

Table 1. Brute force attacks
Attack type Attack description
Dictionary attacks Automated tools that try to guess user names and passwords from a dictionary file.

A dictionary file might contain words gathered by the attacker to understand the user of the account about to be attacked, or to build a list of all the unique words available on the web site.

Search attacks Covers all possible combinations of a character set and ranges of password length.

This attack might take some time because of the large amount of possible combinations.

Rule-based search attacks Uses rules to generate possible password variations from part of a user name or from modifying pre-configured mask words in the input.

Signatures triggered by this attack

The signatures triggered by brute force attacks include:
Table 2. Brute force signatures
Signature name Description More information
HTTP_Forced_Browsing_Probe Detects repeated attempts to access non-existent resources on a web server.

This could indicate an attack attempt related to the general problem of Forced Browsing, where an attacker uses brute force methods to search for unlinked contents in the domain directory, such as temporary directories and files, and old backup and configuration files.

These files and directories could contain sensitive information about web applications and operational systems, such as source code, authentication credentials, internal network addressing, or any other type of valuable information that could allow an attack of the system.

IBM® X-Force®: Web application forced browsing probe detected


HTTP_Hydra_BruteForce Detects Nessus Hydra plug-in using brute force techniques. IBM X-Force: Nessus Hydra plugin brute force detected