[OWASP ASVS] Brute Force Attack

Christian Heinrich christian.heinrich at cmlh.id.au
Sat Oct 25 23:08:33 UTC 2014


Andrew,

"Resource governor" is not the term used by ISO 27000, SCAP, etc

This should be split/reworded into "password brute force" and "API
Rate Limiting" since they are much more common.


On Wed, Oct 22, 2014 at 1:29 PM, Andrew van der Stock
<vanderaj at owasp.org> wrote:
> Essentially, what I meant was that in your front controller there are
> functional time based access control checks, such that you have some
> sort of global and/or session and/or IP based governor that checks
> that normally permissible actions, such as login, forgot password, or
> key business logic flows, are not being abused in bulk.
>
> Say for example, someone uses Hydra or other password brute forcer. If
> you have a resource governor, it will block attempts at different
> usernames and passwords, either via linear backoff (2,5,25,125
> seconds) or outright soft locks (say 15 minutes blockage after the
> fifth attempt). WordFence plugin for WordPress does this.
>
> Twitter, for example, uses this for other things:
>
> - You can only follow or unfollow 100 people a day
> - You can only tweet so many messages a second
> - You can only DM so many different folks a second and another limit
> on per day DMs
> - You can't register many accounts from the same IP
> - AFAIK, There are global counters on worm like activity to avoid Samy
> style attacks, so if there is a tweet storm, it is mitigated
> automatically.
>
> AppSensor has a sensor for this, but YMMV.
>
> thanks
> Andrew
>
> On Wed, Oct 22, 2014 at 7:18 AM, Beto C <beto.cuevas.v at gmail.com> wrote:
>> Hello,
>>
>> What is the meaning or adequate interpretation of "resource governor" in
>> verification requirement V2.20
>>
>> "Verify that a resource governor is in place to protect against vertical (a
>> single account tested against all possible passwords) and horizontal brute
>> forcing (all accounts tested with the same password e.g. “Password1”). A
>> correct credential entry should incur no delay. Both these governor
>> mechanisms should be active simultaneously to protect against diagonal and
>> distributed attacks."
>>
>> Beto.
>>
>> _______________________________________________
>> Owasp-application-security-verification-standard mailing list
>> Owasp-application-security-verification-standard at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard
>>



-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact
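As an added illustration of the governor Andrew describes above (example code written for this page, not code from the thread, from ASVS or from WordFence): a login throttle that keeps a per-account counter against vertical attacks and a per-source-IP counter against horizontal and distributed ones, applies the quoted 2/5/25/125-second backoff, soft-locks for 15 minutes after the fifth failure, and lets a correct first attempt through with no delay. The 15-minute forgetting window, the `acct:`/`ip:` key names and the injectable clock are my assumptions.

```python
import time
from collections import defaultdict

# Values quoted in the thread: backoff of 2, 5, 25, 125 seconds between
# failures, then a 15-minute soft lock after the fifth failed attempt.
BACKOFF = (0, 2, 5, 25, 125)     # delay before the next attempt after n failures
LOCK_AFTER = 5
SOFT_LOCK = 15 * 60
WINDOW = 15 * 60                 # assumption: failures older than this are forgotten


class Governor:
    """Runs an account counter (vertical) and a source-IP counter
    (horizontal / distributed) side by side; the stricter one wins."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.fails = defaultdict(lambda: [0, 0.0])   # key -> [count, last_failure_ts]
        self.locked_until = {}

    def _state(self, key, now):
        if now < self.locked_until.get(key, 0.0):
            return "locked", self.locked_until[key] - now
        count, last = self.fails[key]
        if count and now - last > WINDOW:
            count = self.fails[key][0] = 0
        return "allow", BACKOFF[min(count, len(BACKOFF) - 1)]

    def before_login(self, account, ip):
        """Return ('allow', seconds_to_wait) or ('locked', seconds_remaining)."""
        now = self.clock()
        wait = 0.0
        for key in (f"acct:{account}", f"ip:{ip}"):
            status, secs = self._state(key, now)
            if status == "locked":
                return status, secs
            wait = max(wait, secs)
        return "allow", wait

    def after_login(self, account, ip, success):
        now = self.clock()
        if success:
            # Correct credentials clear only the account counter; the IP counter
            # is kept so a password spray cannot be laundered with a few valid logins.
            self.fails.pop(f"acct:{account}", None)
            return
        for key in (f"acct:{account}", f"ip:{ip}"):
            self.fails[key][0] += 1
            self.fails[key][1] = now
            if self.fails[key][0] >= LOCK_AFTER:
                self.locked_until[key] = now + SOFT_LOCK
                self.fails[key][0] = 0
```

Call `before_login` before verifying the password and `after_login` with the outcome; a real deployment would also persist the counters across application instances so a distributed attack sees one shared governor.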

