<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc="urn:schemas-microsoft-com:office:odc" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:rtc="http://microsoft.com/officenet/conferencing" xmlns:D="DAV:" xmlns:Repl="http://schemas.microsoft.com/repl/" xmlns:mt="http://schemas.microsoft.com/sharepoint/soap/meetings/" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ppda="http://www.passport.com/NameSpace.xsd" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:udcp2p="http://schemas.microsoft.com/data/udc/parttopart" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" xmlns:dsss="http://schemas.microsoft.com/office/2006/digsig-setup" xmlns:dssi="http://schemas.microsoft.com/office/2006/digsig" xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:spwp="http://microsoft.com/sharepoint/webpartpages" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:pptsl="http://schemas.microsoft.com/sharepoint/soap/SlideLibrary/" xmlns:spsl="http://microsoft.com/webservices/SharePointPortalServer/PublishedLinksService" xmlns:Z="urn:schemas-microsoft-com:" xmlns:st="&#1;" xmlns="http://www.w3.org/TR/REC-html40">

<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
 /* Font Definitions */
 @font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext="edit">
  <o:idmap v:ext="edit" data="1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body lang=EN-US link=blue vlink=purple>

<div class=Section1>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I&#8217;d suggest you create this definition at OWASP. I have had to
do that when I find things missing from the OWASP lexicon. For example, we had
no definition or discussion of DOM based XSS for a long time so I contacted the
researcher who originally coined the term and asked him if he would write a
short article for OWASP about it, and he did. We similarly needed a writeup on
Clickjacking when it came out and some Aspect guys wrote a short description of
it.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>-Dave<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
owasp-leaders-bounces@lists.owasp.org
[mailto:owasp-leaders-bounces@lists.owasp.org] <b>On Behalf Of </b>Eoin<br>
<b>Sent:</b> Wednesday, March 31, 2010 12:16 PM<br>
<b>To:</b> Kevin W. Wall; Ryan Barnett; mike.boberski@gmail.com<br>
<b>Cc:</b> owasp-guide@lists.owasp.org; owasp-leaders@lists.owasp.org;
owasp-testing<br>
<b>Subject:</b> Re: [Owasp-leaders] [Owasp-guide] cheat sheets and the
development guide<o:p></o:p></span></p>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<div>

<p class=MsoNormal>Thanks Ryan, Kevin, Mike<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>&nbsp;<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>I thought we might of had an &quot;OWASP definition&quot; of
Reverse BF seen as we should be testing for it, providing detective &amp;
preventative measures etc.<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>&nbsp;<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>Standardised definitions are useful in terms of people
learning what an issue is regardless of if it relates to code dev, test, review
or deployment. It would be good to develop an OWASP dictionary/ thesaurus, such
like the oxford dictionary for English.<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>&nbsp;<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>Would this assist in people mixing up CSRF and XSS :0) and
stuff like that?<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>&nbsp;<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>Robust defs for issues may also help define a consistent
methodology in testing for such issues or coding against them?<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>&nbsp;<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>who knows?<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>&nbsp;<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>-ek<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>&nbsp;<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>&nbsp;<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>&nbsp;<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>&nbsp;<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>&nbsp;<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>&nbsp;<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>&nbsp;<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><br>
<br>
&nbsp;<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>On 31 March 2010 17:01, Kevin W. Wall &lt;<a
href="mailto:kevin.w.wall@gmail.com">kevin.w.wall@gmail.com</a>&gt; wrote:<o:p></o:p></p>

<div>

<p class=MsoNormal style='margin-bottom:12.0pt'>Eoin wrote:<br>
&gt; So....do we have an OWASP def for &quot;reverse brute force&quot;? Yes/No<o:p></o:p></p>

</div>

<p class=MsoNormal>Not that I know of. Can you provide the specific context
where it<br>
was used?<br>
<br>
The normal use of the term is when an attacker knows random password,<br>
but does not know the user name that it is associated with. (For instance,<br>
perhaps the attacker saw a yellow PostIt note that said &quot;Password:
%ntH07,s&quot;.)<br>
<br>
In that case, they try to guess user ids, perhaps random, perhaps based on a<br>
corporate directory, etc. But it is a &quot;reverse&quot; brute force in the
sense that<br>
it is the public information (namely the user name) that is trying to be<br>
brute forced rather than the private part (the credential).<br>
<br>
I'm not sure who came up with the term, but I'm not particularly fond<br>
of it. If this is what they were referring to, I've also seen it referred<br>
to as &quot;reverse authentication&quot;, which I think is a little better than<br>
&quot;reverse brute force&quot;. That's because traditionally, the term
&quot;brute force&quot;<br>
comes from the cryptographic community and is an attack that enumerates through<br>
an encryption algorithm's key space trying to find a match.<br>
<br>
-kevin<br>
<span style='color:#888888'>--<br>
Kevin W. Wall<br>
&quot;The most likely way for the world to be destroyed, most experts agree,<br>
is by accident. That's where we come in; we're computer professionals.<br>
We cause accidents.&quot; &nbsp; &nbsp; &nbsp; &nbsp;-- Nathaniel Borenstein,
co-creator of MIME</span><o:p></o:p></p>

</div>

<p class=MsoNormal><br>
<br clear=all>
<br>
-- <br>
Eoin Keary<br>
OWASP Global Board Member<br>
OWASP Code Review Guide Lead Author<br>
<br>
<a href="http://asg.ie/">http://asg.ie/</a><br>
<a href="https://twitter.com/EoinKeary">https://twitter.com/EoinKeary</a><o:p></o:p></p>

</div>

</body>

</html>