Sensitive Parameters are Susceptible to Brute force Attacks OWASP

Sensitive parameters such as usernames, passwords, server IP addresses, etc. can be guessed by an attacker who tries a large number of combinations. Such parameters are susceptible to a brute force attack, which is one of the OWASP vulnerabilities and is rated as medium risk. We should prevent the attacker from guessing sensitive parameters by allowing only a limited number of attempts.


Mostly this issue occurs on the login page. Here the attacker tries to guess the password by trying a large number of combinations, so we need to lock the user once the maximum number of attempts is reached.

There are multiple ways to restrict the number of attempts allowed:

  1. Lock the User when reaching maximum attempts
  2. Restrict IP Address
  3. Implement Strong CAPTCHA

Lock the User when reaching maximum attempts

  • Configure the maximum number of attempts in the property file.
  • When the attacker tries an incorrect combination, update the attempt count in the database for that username.
  • Validate whether the database count is greater than the value configured in the property file.
  • If the database count is greater than the configured value, lock the user;
  • otherwise increase the count in the database for that username.
  • Once the correct details are entered while the database count is still less than the value configured in the property file, reset the database count to 0 (zero).

Restrict IP Address

We can restrict the IP address instead of locking the user.

This is similar to locking the user as described above, but here you also store the IP address in the database and, for every attempt, validate whether the IP address is the same or not.

  • Configure the maximum number of attempts in the property file.
  • When the attacker tries an incorrect combination, update the count and the IP address in the database for that username.
  • Validate the database count against the value configured in the property file, and the stored IP address against the request IP address.
  • If the database count is greater than the configured value and the IP address is the same, do not allow the user and redirect to an error page;
  • otherwise increase the count and update the IP address in the database for that username.
  • Once the correct details are entered while the database count is still less than the value configured in the property file, reset the database count to 0 (zero) and store the request IP address.

Note:

If the attacker tries incorrect data from different IP addresses, this scenario will not help completely, because the IP address is different each time and, while validating, it appears to be a new IP address.

So it is better to lock the user instead of blocking the IP address.
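As an added illustration (not code from the original post), here are the two counter-based checks above as Python functions, with an in-memory dict standing in for the database and a constant standing in for the property-file value. The constructed demo() scenario shows the point of the Note: guesses arriving from a new IP address each time never reach the limit under the IP check, while per-user locking still triggers.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

MAX_ATTEMPTS = 3  # stands in for the value read from the property file
USERS = {"alice": "correct horse"}  # constructed store; a real system stores password hashes

@dataclass
class Row:  # one database row per username
    failures: int = 0
    locked: bool = False
    last_ip: Optional[str] = None

def password_matches(username: str, password: str) -> bool:
    secret = USERS.get(username)
    return secret is not None and hmac.compare_digest(secret.encode(), password.encode())

def lock_user(db: Dict[str, Row], username: str, password: str) -> str:
    """Lock the user: count failures per username, lock at the limit, reset on success."""
    row = db.setdefault(username, Row())
    if row.locked:
        return "locked"  # refused until unlocked, even when the password is now correct
    if password_matches(username, password):
        row.failures = 0  # correct details entered: reset the count to zero
        return "ok"
    row.failures += 1
    if row.failures >= MAX_ATTEMPTS:
        row.locked = True
        return "locked"
    return "denied"

def restrict_ip(db: Dict[str, Row], username: str, password: str, ip: str) -> str:
    """Restrict IP address: count failures only while they come from the same source IP."""
    row = db.setdefault(username, Row())
    if password_matches(username, password):
        row.failures, row.last_ip = 0, ip
        return "ok"
    if row.last_ip != ip:
        row.failures = 0  # new source IP: the count starts over (the weakness the Note describes)
    row.last_ip = ip
    row.failures += 1
    return "blocked" if row.failures >= MAX_ATTEMPTS else "denied"  # "blocked" -> error page

def demo():
    """Constructed scenario: three wrong guesses for alice, each from a new IP, then the right one."""
    guesses = [("wrong1", "10.0.0.1"), ("wrong2", "10.0.0.2"),
               ("wrong3", "10.0.0.3"), ("correct horse", "10.0.0.4")]
    acct_db, ip_db = {}, {}
    return ([lock_user(acct_db, "alice", pw) for pw, _ in guesses],
            [restrict_ip(ip_db, "alice", pw, ip) for pw, ip in guesses])
```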

Implement Strong CAPTCHA

You can implement a strong CAPTCHA. Google CAPTCHA is one of the strongest CAPTCHAs, and you can implement Google CAPTCHA on the login page.
