Brute force attacks

Brute force attacks use a repetitive method of trial and error to guess a person's user name, password, credit card number, or cryptographic key.

About this attack

An attacker starts a brute force attack by trying to guess the user ID and password for a valid user account on the web application. If the brute force attempt is successful, the attacker might be able to access:
  • Confidential information, such as profile data for users or confidential documents that are stored on the web application
  • Administration tools that are used by the System Administrator for the web application to manage (modify, delete, add) web application content, manage user provisioning, or to assign different privileges to users
  • Sections of the web application that might expose vulnerabilities or advanced functions not available to non-Administrator users

Types of brute force attacks

An attacker might try the following attack methods to find out valid authentication credentials for a web application:

Table 1. Brute force attacks
Attack type Attack description
Dictionary attacks Automated tools that try to guess user names and passwords from a dictionary file.

A dictionary file might contain words that are gathered by the attacker to understand the user of the account about to be attacked, or to build a list of all the unique words available on the website.

Search attacks Covers all possible combinations of a character set and ranges of password length.

This attack might take some time because of the large number of possible combinations.

Rule-based search attacks Uses rules to generate possible password variations from part of a user name or from modifying pre-configured mask words in the input.

Signatures triggered by this attack

The signatures that are triggered by brute force attacks include:
Table 2. Brute force signatures
Signature name Description More information
HTTP_Forced_Browsing_Probe Detects repeated attempts to access non-existent resources on a web server.

This method could indicate an attack attempt that is related to the general problem of Forced Browsing. Forced Browsing is where an attacker uses brute force methods to search for unlinked contents in the domain directory, such as temporary directories and files, and old backup and configuration files.

These files and directories might contain sensitive information about web applications and operational systems, such as source code, authentication credentials, internal network addressing, or any other type of valuable information that might allow an attack of the system.

IBM® X-Force®: Web application forced browsing probe detected


HTTP_Hydra_BruteForce Detects Nessus Hydra plug-in by using brute force techniques. IBM X-Force: Nessus Hydra plugin brute force detected