[OWASP ASVS] Fwd: Brute Force Attack
Andrew van der Stock
vanderaj at owasp.org
Wed Oct 29 04:51:15 UTC 2014
FYI, sorry pressed reply!
---------- Forwarded message ----------
From: Andrew van der Stock <vanderaj at owasp.org>
Date: Wed, Oct 29, 2014 at 3:47 PM
Subject: Re: [OWASP ASVS] Brute Force Attack
To: Christian Heinrich <christian.heinrich at cmlh.id.au>
Good call. When I worked on resource governors (2006-2007-ish), it
pre-dated these common terms.
On Sun, Oct 26, 2014 at 10:08 AM, Christian Heinrich
<christian.heinrich at cmlh.id.au> wrote:
> "Resource governor" is not the term used by ISO 27000, SCAP, etc
> This should be split/reworded into "password brute force" and "API
> Rate Limiting" since they are much more common.
> On Wed, Oct 22, 2014 at 1:29 PM, Andrew van der Stock
> <vanderaj at owasp.org> wrote:
>> Essentially, what I meant was that in your front controller there are
>> functional time based access control checks, such that you have some
>> sort of global and/or session and/or IP based governor that checks
>> that normally permissible actions, such as login, forgot password, or
>> key business logic flows, are not being abused in bulk.
>> Say for example, someone uses Hydra or other password brute forcer. If
>> you have a resource governor, it will block attempts at different
>> usernames and passwords, either via linear backoff (2,5,25,125
>> seconds) or outright soft locks (say 15 minutes blockage after the
>> fifth attempt). WordFence plugin for WordPress does this.
>> Twitter, for example, uses this for other things:
>> - You can only follow or unfollow 100 people a day
>> - You can only tweet so many messages a second
>> - You can only DM so many different folks a second and another limit
>> on per day DMs
>> - You can't register many accounts from the same IP
>> - AFAIK, there are global counters on worm like activity to avoid Samy
>> style attacks, so if there is a tweet storm, it is mitigated
>> AppSensor has a sensor for this, but YMMV.
>> On Wed, Oct 22, 2014 at 7:18 AM, Beto C <beto.cuevas.v at gmail.com> wrote:
>>> What is the meaning or adequate interpretation of "resource governor" in
>>> verification requirement V2.20
>>> "Verify that a resource governor is in place to protect against vertical (a
>>> single account tested against all possible passwords) and horizontal brute
>>> forcing (all accounts tested with the same password e.g. “Password1”). A
>>> correct credential entry should incur no delay. Both these governor
>>> mechanisms should be active simultaneously to protect against diagonal and
>>> distributed attacks."
>>> Owasp-application-security-verification-standard mailing list
>>> Owasp-application-security-verification-standard at lists.owasp.org
> Christian Heinrich
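The two-counter governor Andrew describes (backoff of 2, 5, 25, 125 seconds, then a 15-minute soft lock after the fifth failure) with the per-account and per-source counters that V2.20 asks to run simultaneously, written out as an added example; this is not code from the thread, from OWASP or from any plugin named above, and the class name, the ManualClock test aid and the sample usernames and addresses are my own assumptions.

```python
import time
from collections import defaultdict

# Policy values as stated in the thread (assumed as the configured policy).
BACKOFF = (2, 5, 25, 125)   # seconds to wait after failure 1..4
LOCK_AFTER = 5              # fifth failure triggers the soft lock
LOCK_SECONDS = 15 * 60      # 15-minute soft lock


class ResourceGovernor:
    """Per-account counter (vertical brute force) and per-source-IP counter
    (horizontal brute force) checked together on every attempt. 'clock' is
    injectable so the schedule can be exercised without sleeping."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(lambda: [0, 0.0])  # key -> [count, last_fail]

    def _wait(self, key):
        """Seconds this key must still wait, or 0.0 if it may try now."""
        count, last = self.failures[key]
        elapsed = self.clock() - last
        if count >= LOCK_AFTER:
            return max(0.0, LOCK_SECONDS - elapsed)
        if count > 0:
            return max(0.0, BACKOFF[count - 1] - elapsed)
        return 0.0

    def attempt(self, username, source_ip, credential_ok):
        """Gate one login attempt. Returns (accepted, retry_after_seconds)."""
        keys = (("user", username), ("ip", source_ip))
        wait = max(self._wait(k) for k in keys)
        if wait > 0:
            # Throttled by either counter: refuse without evaluating anything,
            # and do not extend the window for attempts made while throttled.
            return False, wait
        if credential_ok:
            # Correct credential on an open governor incurs no delay and resets
            # the account counter; the IP counter is deliberately kept.
            self.failures[keys[0]] = [0, 0.0]
            return True, 0.0
        now = self.clock()
        for k in keys:
            self.failures[k][0] += 1
            self.failures[k][1] = now
        return False, max(self._wait(k) for k in keys)


class ManualClock:
    """Constructed test aid standing in for time.monotonic."""
    def __init__(self, start=1000.0):
        self.t = start
    def __call__(self):
        return self.t
```

A second account tried from the same address while that address is in backoff is refused even with a correct password, which is what keeps the horizontal ("Password1" against every user) case in check.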