[Owasp-guide] [Owasp-leaders] cheat sheets and the development guide
Eoin
eoin.keary at owasp.org
Wed Mar 31 12:15:49 EDT 2010
Thanks Ryan, Kevin, Mike
I thought we might have had an "OWASP definition" of Reverse BF, seeing as we
should be testing for it, providing detective & preventative measures etc.
Standardised definitions are useful in terms of people learning what an
issue is regardless of whether it relates to code dev, test, review or
deployment. It would be good to develop an OWASP dictionary/thesaurus, much
like the Oxford dictionary for English.
Would this assist in people mixing up CSRF and XSS :0) and stuff like that?
Robust defs for issues may also help define a consistent methodology in
testing for such issues or coding against them?
Who knows?
-ek
On 31 March 2010 17:01, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
> Eoin wrote:
> > So....do we have an OWASP def for "reverse brute force"? Yes/No
>
> Not that I know of. Can you provide the specific context where it
> was used?
>
> The normal use of the term is when an attacker knows a random password,
> but does not know the user name that it is associated with. (For instance,
> perhaps the attacker saw a yellow PostIt note that said "Password:
> %ntH07,s".)
>
> In that case, they try to guess user ids, perhaps random, perhaps based on
> a corporate directory, etc. But it is a "reverse" brute force in the sense
> that it is the public information (namely the user name) that is trying to
> be brute forced rather than the private part (the credential).
>
> I'm not sure who came up with the term, but I'm not particularly fond
> of it. If this is what they were referring to, I've also seen it referred
> to as "reverse authentication", which I think is a little better than
> "reverse brute force". That's because traditionally, the term "brute force"
> comes from the cryptographic community and is an attack that enumerates
> through an encryption algorithm's key space trying to find a match.
>
> -kevin
> --
> Kevin W. Wall
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We cause accidents." -- Nathaniel Borenstein, co-creator of MIME
>
--
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author
http://asg.ie/
https://twitter.com/EoinKeary
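The pattern Kevin describes in the quoted reply (one known password tried against many user names) looks different in an authentication log from a classic brute force (many passwords tried against one user name), and the detective measure Eoin mentions has to account for that difference: a per-account lockout counter never trips when each account only sees one failure. The following is an added example, not code from the thread or from OWASP, that runs both detectors over a constructed log excerpt. The log format, the thresholds and the `src`/`user` field names are assumptions for the illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). Source 203.0.113.7
# spreads failures across many accounts (the "reverse" pattern); source
# 198.51.100.9 hammers a single account (classic brute force); 192.0.2.44 is
# an ordinary user who mistyped once.
SAMPLE_LOG = """\
2010-03-31T16:58:01 FAIL user=alice src=203.0.113.7
2010-03-31T16:58:03 FAIL user=bob src=203.0.113.7
2010-03-31T16:58:04 FAIL user=carol src=203.0.113.7
2010-03-31T16:58:06 FAIL user=dave src=203.0.113.7
2010-03-31T16:58:07 FAIL user=erin src=203.0.113.7
2010-03-31T16:58:09 OK   user=frank src=203.0.113.7
2010-03-31T16:59:00 FAIL user=alice src=198.51.100.9
2010-03-31T16:59:01 FAIL user=alice src=198.51.100.9
2010-03-31T16:59:02 FAIL user=alice src=198.51.100.9
2010-03-31T16:59:03 FAIL user=alice src=198.51.100.9
2010-03-31T16:59:04 FAIL user=alice src=198.51.100.9
2010-03-31T16:59:05 FAIL user=alice src=198.51.100.9
2010-03-31T17:30:00 FAIL user=grace src=192.0.2.44
2010-03-31T17:30:05 OK   user=grace src=192.0.2.44
"""

# Assumed line layout: "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+user=(\S+)\s+src=(\S+)$")


def parse_log(text):
    """Return a list of (timestamp, result, user, src) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, result, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def _max_in_window(items, window, distinct):
    """Largest count of items (or of distinct keys) that fall inside any
    time window of the given length. items: iterable of (timestamp, key)."""
    items = sorted(items)
    counts = Counter()
    best = left = 0
    for right, (ts, key) in enumerate(items):
        counts[key] += 1
        # Slide the left edge forward until the window fits.
        while ts - items[left][0] > window:
            old = items[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        size = len(counts) if distinct else right - left + 1
        best = max(best, size)
    return best


def detect_reverse_brute_force(events, window=timedelta(minutes=5), min_users=5):
    """Sources whose failures touch at least min_users distinct accounts
    within one window: the fixed-password, guessed-user-name pattern."""
    per_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            per_src[src].append((ts, user))
    return {src: n for src, items in per_src.items()
            if (n := _max_in_window(items, window, distinct=True)) >= min_users}


def detect_classic_brute_force(events, window=timedelta(minutes=5), min_attempts=5):
    """Accounts with at least min_attempts failures within one window,
    regardless of source: the pattern a per-account lockout would see."""
    per_user = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            per_user[user].append((ts, src))
    return {user: n for user, items in per_user.items()
            if (n := _max_in_window(items, window, distinct=False)) >= min_attempts}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("reverse brute force by source:", detect_reverse_brute_force(ev))
    print("classic brute force by account:", detect_classic_brute_force(ev))
```

On the sample data the per-account detector flags only `alice` (seven failures, six from the single-account attacker plus one stray hit from the spraying source), and it sees nothing unusual about 203.0.113.7, whose five failures sit on five different accounts. The per-source, distinct-user detector is what catches that second source, which is why a lockout keyed solely on the account is not a sufficient control against the "reverse" case. Thresholds and window length are arbitrary here and would be tuned to the real login rate.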