[OWASP ASVS] Brute Force Attack
christian.heinrich at cmlh.id.au
Sat Oct 25 23:08:33 UTC 2014
"Resource governor" is not the term used by ISO 27000, SCAP, etc.
This should be split/reworded into "password brute force" and "API
Rate Limiting" since they are much more common.
On Wed, Oct 22, 2014 at 1:29 PM, Andrew van der Stock
<vanderaj at owasp.org> wrote:
> Essentially, what I meant was that in your front controller there
> functional time based access control checks, such that you have some
> sort of global and/or session and/or IP based governor that checks
> that normally permissible actions, such as login, forgot password, or
> key business logic flows, are not being abused in bulk.
> Say for example, someone uses Hydra or other password brute forcer. If
> you have a resource governor, it will block attempts at different
> usernames and passwords, either via linear backoff (2,5,25,125
> seconds) or outright soft locks (say 15 minutes blockage after the
> fifth attempt). WordFence plugin for WordPress does this.
> Twitter, for example, uses this for other things:
> - You can only follow or unfollow 100 people a day
> - You can only tweet so many messages a second
> - You can only DM so many different folks a second and another limit
> on per day DMs
> - You can't register many accounts from the same IP
> - AFAIK, There are global counters on worm like activity to avoid Samy
> style attacks, so if there is a tweet storm, it is mitigated
> AppSensor has a sensor for this, but YMMV.
> On Wed, Oct 22, 2014 at 7:18 AM, Beto C <beto.cuevas.v at gmail.com> wrote:
>> What is the meaning or adequate interpretation of "resource governor" in
>> verification requirement V2.20
>> "Verify that a resource governor is in place to protect against vertical (a
>> single account tested against all possible passwords) and horizontal brute
>> forcing (all accounts tested with the same password e.g. “Password1”). A
>> correct credential entry should incur no delay. Both these governor
>> mechanisms should be active simultaneously to protect against diagonal and
>> distributed attacks."
>> Owasp-application-security-verification-standard mailing list
>> Owasp-application-security-verification-standard at lists.owasp.org