[OWASP ASVS] Fwd: Brute Force Attack

Andrew van der Stock vanderaj at owasp.org
Wed Oct 29 04:51:15 UTC 2014


FYI, sorry pressed reply!

thanks
Andrew

---------- Forwarded message ----------
From: Andrew van der Stock <vanderaj at owasp.org>
Date: Wed, Oct 29, 2014 at 3:47 PM
Subject: Re: [OWASP ASVS] Brute Force Attack
To: Christian Heinrich <christian.heinrich at cmlh.id.au>


Christian,

Good call. When I worked on resource governors (2006-2007-ish), it
pre-dated these common terms.

thanks
Andrew

On Sun, Oct 26, 2014 at 10:08 AM, Christian Heinrich
<christian.heinrich at cmlh.id.au> wrote:
> Andrew,
>
> "Resource governor" is not the term used by ISO 27000, SCAP, etc
>
> This should be split/reworded into "password brute force" and "API
> Rate Limiting" since they are much more common.
>
>
> On Wed, Oct 22, 2014 at 1:29 PM, Andrew van der Stock
> <vanderaj at owasp.org> wrote:
>> Essentially, what I meant was that in your front controller there are
>> functional time-based access control checks, such that you have some
>> sort of global and/or session and/or IP based governor that checks
>> that normally permissible actions, such as login, forgot password, or
>> key business logic flows, are not being abused in bulk.
>>
>> Say for example, someone uses Hydra or other password brute forcer. If
>> you have a resource governor, it will block attempts at different
>> usernames and passwords, either via linear backoff (2,5,25,125
>> seconds) or outright soft locks (say 15 minutes blockage after the
>> fifth attempt). WordFence plugin for WordPress does this.
>>
>> Twitter, for example, uses this for other things:
>>
>> - You can only follow or unfollow 100 people a day
>> - You can only tweet so many messages a second
>> - You can only DM so many different folks a second and another limit
>> on per day DMs
>> - You can't register many accounts from the same IP
>> - AFAIK, there are global counters on worm-like activity to avoid Samy
>> style attacks, so if there is a tweet storm, it is mitigated
>> automatically.
>>
>> AppSensor has a sensor for this, but YMMV.
>>
>> thanks
>> Andrew
>>
>> On Wed, Oct 22, 2014 at 7:18 AM, Beto C <beto.cuevas.v at gmail.com> wrote:
>>> Hello,
>>>
>>> What is the meaning or adequate interpretation of "resource governor" in
>>> verification requirement V2.20
>>>
>>> "Verify that a resource governor is in place to protect against vertical (a
>>> single account tested against all possible passwords) and horizontal brute
>>> forcing (all accounts tested with the same password e.g. “Password1”). A
>>> correct credential entry should incur no delay. Both these governor
>>> mechanisms should be active simultaneously to protect against diagonal and
>>> distributed attacks."
>>>
>>> Beto.
>>>
>>> _______________________________________________
>>> Owasp-application-security-verification-standard mailing list
>>> Owasp-application-security-verification-standard at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard
>>>
>
>
>
> --
> Regards,
> Christian Heinrich
>
> http://cmlh.id.au/contact
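The two governors described in the thread (vertical: one account, many passwords; horizontal: one password, many accounts), combined so that a correct credential entry incurs no delay, can be sketched as a small login gate. The following is an added example written for this archive page; it is not code from OWASP, ASVS, AppSensor or any of the thread's authors. The backoff schedule (2, 5, 25, 125 seconds), the soft lock after the fifth failure (15 minutes), the horizontal limit of ten distinct accounts per source per ten-minute window, the `FakeClock`, the in-memory user store and the IP addresses are all constructed for illustration; a real deployment would choose its own thresholds and back the counters with shared storage.

```python
"""Added example (not from the original thread): a login resource governor in
the sense of ASVS V2.20, with a vertical governor (per-account linear backoff
plus soft lock) and a horizontal governor (per-source counter across distinct
accounts) active at the same time.  Thresholds and names are constructed."""
import hashlib
import hmac
import time
from dataclasses import dataclass, field

BACKOFF_SECONDS = (2, 5, 25, 125)   # delay after the 1st..4th failure (thread's schedule)
SOFT_LOCK_AFTER = 5                 # fifth failure -> soft lock
SOFT_LOCK_SECONDS = 15 * 60         # 15 minute soft lock, as in the thread
HORIZONTAL_LIMIT = 10               # distinct accounts one source may fail against ...
HORIZONTAL_WINDOW = 600             # ... per window, in seconds (constructed values)


@dataclass
class AccountState:
    failures: int = 0
    next_allowed: float = 0.0       # earliest time the next attempt is accepted
    locked_until: float = 0.0       # soft-lock expiry


@dataclass
class SourceState:
    failed_accounts: dict = field(default_factory=dict)  # username -> last failure time


class ResourceGovernor:
    """Decides whether an attempt may proceed, and records its outcome."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts: dict[str, AccountState] = {}
        self.sources: dict[str, SourceState] = {}

    def check(self, username: str, source: str):
        """Run before the password is verified.  Returns (allowed, reason)."""
        now = self.clock()
        acct = self.accounts.setdefault(username, AccountState())
        if now < acct.locked_until:                      # vertical governor: soft lock
            return False, "account soft-locked"
        if now < acct.next_allowed:                      # vertical governor: backoff
            return False, "backoff in effect"
        src = self.sources.setdefault(source, SourceState())
        # Horizontal governor: forget failures older than the window, then count
        # how many *distinct* accounts this source has failed against.
        src.failed_accounts = {u: t for u, t in src.failed_accounts.items()
                               if now - t < HORIZONTAL_WINDOW}
        if len(src.failed_accounts) >= HORIZONTAL_LIMIT:
            return False, "source exceeded distinct-account failure limit"
        return True, "ok"

    def record(self, username: str, source: str, success: bool) -> None:
        """Run after verification.  A success clears the account's counters."""
        now = self.clock()
        acct = self.accounts.setdefault(username, AccountState())
        src = self.sources.setdefault(source, SourceState())
        if success:
            acct.failures, acct.next_allowed, acct.locked_until = 0, 0.0, 0.0
            return
        acct.failures += 1
        src.failed_accounts[username] = now
        if acct.failures >= SOFT_LOCK_AFTER:
            acct.locked_until = now + SOFT_LOCK_SECONDS
            acct.next_allowed = acct.locked_until
        else:
            acct.next_allowed = now + BACKOFF_SECONDS[acct.failures - 1]


# Constructed credential store; the iteration count is kept low for the demo.
_SALT = b"constructed-demo-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


USERS = {"alice": _hash("correct horse")}


def verify_password(username: str, password: str) -> bool:
    stored = USERS.get(username)
    computed = _hash(password)          # computed for unknown users too, so timing is uniform
    return stored is not None and hmac.compare_digest(stored, computed)


def attempt_login(gov: ResourceGovernor, username: str, password: str, source: str):
    """Full gate: governor check, then verification, then outcome recording."""
    allowed, reason = gov.check(username, source)
    if not allowed:
        return False, reason
    ok = verify_password(username, password)
    gov.record(username, source, ok)
    return (True, "ok") if ok else (False, "bad credentials")


class FakeClock:
    """Deterministic time source so the backoff schedule can be exercised offline."""

    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    gov = ResourceGovernor(clock=clock)
    print(attempt_login(gov, "alice", "correct horse", "203.0.113.5"))  # (True, 'ok'), no delay
    for guess in ("a", "b", "c", "d", "e"):
        print(attempt_login(gov, "alice", guess, "203.0.113.5"))
        clock.advance(200)
    print(attempt_login(gov, "alice", "correct horse", "203.0.113.5"))  # soft-locked
```

The vertical governor is keyed on the account, so a tool cycling passwords against one user hits the backoff and then the soft lock regardless of which IP it comes from; the horizontal governor is keyed on the source and counts distinct accounts, so spraying "Password1" across many users trips it even though no single account ever reaches its own threshold. Because `record` clears the account counters on success and `check` only consults timestamps, a correct entry with no prior failures proceeds immediately.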

