- It is a continuous trial-and-error method: repeated login attempts against a web application using dictionary words and other permuted character combinations
Preventive Measures
- Mandate that the web application accepts only credentials of increased minimum length, especially the password
- Require that the web application accepts only credentials drawn from the full range of valid characters, including special characters such as !, @, #, $, etc.
- Impose a time delay between failed attempts
- Lock out the targeted account after a restricted number of failed attempts
- Impose a password aging policy
Authentication Weaknesses and Prevention: Web-based Enumeration Attack
- The attacker experiments with various user ID credentials and analyses the responses, identifying valid ones through differences in the error messages
Web-based Enumeration Attack Prevention
- Web applications need to respond with the same error message to all authentication failures
  – Credentials submitted are not valid
- Analyze URLs and their responses to authentication failures during security testing and prevent unnecessary information leakage
  – http://www.foo.com/err.jsp?User=baduser&Error=Q
  – http://www.foo.com/err.jsp?User=gooduser&Error=2
  (the URL echoes the submitted user ID and returns a different error code for an unknown user than for a known one)
- Analyze web page titles and their responses during authentication failures and prevent unnecessary information leakage
  – Invalid user: indicates a non-existent user ID
  – Invalid authentication: indicates the user ID is correct but the password is not
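The following login service is an added example, not code from the slides, and it pulls the two sets of preventive measures above into one implementation: the password length and character-set policy, a growing delay between failed attempts, lockout after a fixed number of failures, a password aging check, and one uniform failure response (same title, same message, same redirect URL with no user ID or distinguishing error code) whether the user ID is unknown or the password is wrong. The policy values (12-character minimum, 5 failures, 15-minute lockout, 90-day password age, 30-second delay cap), the PBKDF2 parameters and the `/err.jsp?Error=1` location are assumptions chosen for the example; the injectable `sleeper` and `clock` exist only so the behaviour can be exercised without real waiting.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict

# Policy values are assumptions chosen for this example, not figures from the slides.
MIN_PASSWORD_LENGTH = 12
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:,.<>?/")
MAX_FAILURES = 5                          # lock the account at this many failures
LOCKOUT = timedelta(minutes=15)
MAX_DELAY_SECONDS = 30                    # cap on the growing delay between failures
PASSWORD_MAX_AGE = timedelta(days=90)     # password aging policy
PBKDF2_ROUNDS = 100_000


def password_meets_policy(pw: str) -> bool:
    """Minimum length plus at least one letter, one digit and one special character."""
    return (len(pw) >= MIN_PASSWORD_LENGTH
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SPECIAL_CHARS for c in pw))


def hash_password(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)


def generic_failure() -> Dict[str, object]:
    """The one response every failed login gets: same page title, same message and
    same redirect location, with no user ID or distinguishing error code in it."""
    return {"ok": False, "title": "Login", "location": "/err.jsp?Error=1",
            "error": "Credentials submitted are not valid", "must_change_password": False}


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    password_set_at: datetime


class AuthService:
    def __init__(self, sleeper: Callable[[float], None] = time.sleep,
                 clock: Callable[[], datetime] = datetime.now):
        self._accounts: Dict[str, Account] = {}
        self._failures: Dict[str, int] = {}          # keyed by the *submitted* user ID
        self._locked_until: Dict[str, datetime] = {}
        self._sleep = sleeper
        self._now = clock
        # Dummy credential hashed for unknown user IDs so they cost the same work.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_password("not-a-real-password!0", self._dummy_salt)

    def register(self, user_id: str, pw: str) -> None:
        if not password_meets_policy(pw):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        self._accounts[user_id] = Account(salt, hash_password(pw, salt), self._now())

    def _fail(self, user_id: str, now: datetime) -> Dict[str, object]:
        # Failure counting, delay and lockout apply to whatever ID was submitted,
        # so an unknown ID behaves exactly like a real one with a wrong password.
        n = self._failures.get(user_id, 0) + 1
        self._failures[user_id] = n
        if n >= MAX_FAILURES:
            self._locked_until[user_id] = now + LOCKOUT
            self._failures[user_id] = 0
        self._sleep(min(2 ** n, MAX_DELAY_SECONDS))   # time delay between failed attempts
        return generic_failure()

    def login(self, user_id: str, pw: str) -> Dict[str, object]:
        now = self._now()
        locked = self._locked_until.get(user_id)
        if locked is not None and now < locked:
            return generic_failure()           # locked: still only the generic response
        acct = self._accounts.get(user_id)
        if acct is None:
            # Unknown user ID: do the same hashing work, then the same failure path.
            hmac.compare_digest(hash_password(pw, self._dummy_salt), self._dummy_hash)
            return self._fail(user_id, now)
        if not hmac.compare_digest(hash_password(pw, acct.salt), acct.pw_hash):
            return self._fail(user_id, now)
        self._failures.pop(user_id, None)
        self._locked_until.pop(user_id, None)
        return {"ok": True, "title": "Welcome", "location": "/home", "error": None,
                "must_change_password": now - acct.password_set_at > PASSWORD_MAX_AGE}
```

Two design choices are worth noting. Failure counters and lockouts are keyed by the submitted user ID rather than by the account record, so a probe against a non-existent ID produces the same delay and the same response as a wrong password for a real one; otherwise the delay itself would leak which IDs exist. A locked account is also answered with the generic failure rather than a "locked" message, which keeps enumeration closed at the cost of the legitimate user not being told why; a deployment that prefers to inform the user should deliver that out of band (for example by e-mail) rather than in the login response.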
