[OWASP_PHPSEC] isBruteForce ?

rahul chaudhary rahul300chaudhary400 at gmail.com
Tue Sep 3 18:56:17 UTC 2013

Intresting point...nice dude.. :)

but let us see....4 attempts in 5 sec...and that would be the bot
limit....remember, we are not trying to prevent the bot to NOT guess the
passwords...we want to minimize the attempts they can make so that password
guessing is not possible in real time...

The max attempt is actually limiting the bot to guess only that much
password in the "two consecutive password time limit".

But your point actually brings my attention towards one thing...suppose the
time between two attempts is very large...say 5 sec..and the max attempts
are also large...say 1000...then the bot can make 999 requests in 4.99
sec...in which case it is a problem...

But if we go by your solution, then for the legit cases, we will get a lot
of false positives...here is how....two consecutive attempts are made in 5
sec...so that would flag a brute force, when actually its not...its just
two attempts...no need to worry the developers for this small case.....

I think the best we can do it to write a side not in big letters that
please keep the max attempts to 1/3 of the two consecutive login attempt
time.... :)

On Tue, Sep 3, 2013 at 12:14 PM, Shivam Dixit <shivamd001 at gmail.com> wrote:

> Hello Rahul,
> Sorry if I interpreted the brute force condition wrongly. I will explain
> you my code, and the value of constants used in it is *not exactly defined
> * as I don't have any documentation to decide what is correct and what is
> wrong, abbas will guide us on this. However consider this first :
> Consider a scenario in which attacker uses a bot which is set such that it
> will try to brute force at *0th second then 1st second, 2nd second, 3rd
> second *and then *wait for 5 seconds* and again start from 0th second
> ,1st , 2nd ... and so on. Essentially bot will try to make *4 attempts
> and then halt for 5 seconds* and so on so forth. Will your brute force
> filter will be able to detect such kind of attacks ?
> On Tue, Sep 3, 2013 at 9:21 PM, rahul chaudhary <
> rahul300chaudhary400 at gmail.com> wrote:
>> Hello,
>> The function definition and the comments, both are correct.
>> It is written that the failed login attempt will be CONSIDERED for an
>> attack, not declared that it IS AN ATTACK. Once marked, another value is
>> checked, i.e the total login attempts. After checking both the values, we
>> can make correct decision.
>> Note: My method reduces false positives.
> *Cheers,*
> *Shivam*

Rahul Chaudhary
Ph - 412-519-9634
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp_php_security_project/attachments/20130903/5a18dc0e/attachment.html>

More information about the OWASP_PHP_Security_Project mailing list