[Owasp-testing] [Owasp-leaders] [Owasp-guide] cheat sheets and the development guide

Dave Wichers dave.wichers at owasp.org
Thu Apr 1 08:27:35 EDT 2010

I'd suggest you create this definition at OWASP. I have had to do that when
I find things missing from the OWASP lexicon. For example, we had no
definition or discussion of DOM based XSS for a long time so I contacted the
researcher who originally coined the term and asked him if he would write a
short article for OWASP about it, and he did. We similarly needed a writeup
on Clickjacking when it came out and some Aspect guys wrote a short
description of it.




From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Eoin
Sent: Wednesday, March 31, 2010 12:16 PM
To: Kevin W. Wall; Ryan Barnett; mike.boberski at gmail.com
Cc: owasp-guide at lists.owasp.org; owasp-leaders at lists.owasp.org;
Subject: Re: [Owasp-leaders] [Owasp-guide] cheat sheets and the development


Thanks Ryan, Kevin, Mike


I thought we might of had an "OWASP definition" of Reverse BF seen as we
should be testing for it, providing detective & preventative measures etc.


Standardised definitions are useful in terms of people learning what an
issue is regardless of if it relates to code dev, test, review or
deployment. It would be good to develop an OWASP dictionary/ thesaurus, such
like the oxford dictionary for English.


Would this assist in people mixing up CSRF and XSS :0) and stuff like that?


Robust defs for issues may also help define a consistent methodology in
testing for such issues or coding against them?


who knows?











On 31 March 2010 17:01, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:

Eoin wrote:
> So....do we have an OWASP def for "reverse brute force"? Yes/No

Not that I know of. Can you provide the specific context where it
was used?

The normal use of the term is when an attacker knows random password,
but does not know the user name that it is associated with. (For instance,
perhaps the attacker saw a yellow PostIt note that said "Password:

In that case, they try to guess user ids, perhaps random, perhaps based on a
corporate directory, etc. But it is a "reverse" brute force in the sense
it is the public information (namely the user name) that is trying to be
brute forced rather than the private part (the credential).

I'm not sure who came up with the term, but I'm not particularly fond
of it. If this is what they were referring to, I've also seen it referred
to as "reverse authentication", which I think is a little better than
"reverse brute force". That's because traditionally, the term "brute force"
comes from the cryptographic community and is an attack that enumerates
an encryption algorithm's key space trying to find a match.

Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME

Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author


-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-testing/attachments/20100401/806abe8c/attachment.html 

More information about the Owasp-testing mailing list