Brute Force Attacks use exhaustive trial-and-error to guess authentication credentials — usernames, passwords, credit-card numbers, or cryptographic keys — by systematically testing all possible combinations.
Normal vs Reverse Brute Force
| Type | Mechanism |
|---|---|
| Normal | Single username tested against many passwords |
| Reverse | Many usernames tested against one common password (e.g., “123456”) |
Session ID and URL Parameter Attacks
Beyond login credentials, brute force tools can target session IDs in URLs, iterating thousands of values to find valid sessions or access unauthorised resources.
`http://exampledoc.com/note.jsp?msgID=12345` ← the attacker iterates `msgID` values to read other users' messages
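The two server-side controls that defeat this kind of parameter iteration are unguessable identifiers and an ownership check on every lookup. The following is an added illustration, not code from the original page: it replaces the sequential `msgID` with a 128-bit random token and refuses to return a message that does not belong to the requesting user. The in-memory `MESSAGES` store, the `Forbidden` exception and the function names are assumptions made for the example.

```python
import secrets

# Constructed in-memory message store for the example: msg_id -> (owner, body).
MESSAGES: dict[str, tuple[str, str]] = {}


class Forbidden(Exception):
    """Raised when a message is missing or belongs to another user."""


def new_message_id() -> str:
    # 16 random bytes = 128 bits, so roughly 3.4e38 possible ids; a 5-digit
    # sequential msgID has only 100,000, which a tool can walk in minutes.
    return secrets.token_urlsafe(16)


def store_message(owner: str, body: str) -> str:
    msg_id = new_message_id()
    MESSAGES[msg_id] = (owner, body)
    return msg_id


def get_message(requesting_user: str, msg_id: str) -> str:
    # Authorization check on every read: even a leaked or guessed id is useless
    # unless the caller is the owner.
    entry = MESSAGES.get(msg_id)
    if entry is None or entry[0] != requesting_user:
        # Same error for "does not exist" and "not yours", so an iterating
        # client cannot learn which ids are valid.
        raise Forbidden("message not found")
    return entry[1]


def guess_space_ratio(random_bytes: int = 16, sequential_digits: int = 5) -> float:
    # How many times larger the random id space is than a sequential counter.
    return (2 ** (8 * random_bytes)) / (10 ** sequential_digits)


if __name__ == "__main__":
    mid = store_message("alice", "hello")
    print(get_message("alice", mid))
    try:
        get_message("mallory", mid)
    except Forbidden as exc:
        print("blocked:", exc)
```

The ownership check is what actually closes the hole; the random identifier only removes the cheap enumeration path, so both are needed.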
Prevention Techniques
- Use long, truly random passwords not based on dictionary words.
- Change passwords frequently to limit exposure after a compromise.
- Block IPs attempting access to more than three accounts simultaneously.
- Limit the number of failed login attempts allowed before triggering an account lockout or a time delay.
- Destroy the session after too many consecutive retries.
- Monitor HTTP POST requests from login forms for anomalous volumes.
- Review server log files regularly for suspicious login patterns.
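Several of the controls above (lockout after repeated failures, a growing delay between attempts, blocking an IP that touches more than three accounts, and reviewing login logs) can be checked together against a log. The code below is an added example written for this page, not code from the original; the log lines are constructed, and the field layout, thresholds and class names are assumptions. It replays the lines through a small guard and reports which accounts would be locked and which IPs blocked.

```python
import re
from collections import defaultdict

# Constructed sample login log for the example (addresses from documentation ranges).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:04Z ip=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:05Z ip=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:06Z ip=203.0.113.7 user=alice result=FAIL
2024-05-01T10:01:00Z ip=198.51.100.9 user=bob result=FAIL
2024-05-01T10:01:01Z ip=198.51.100.9 user=carol result=FAIL
2024-05-01T10:01:02Z ip=198.51.100.9 user=dave result=FAIL
2024-05-01T10:01:03Z ip=198.51.100.9 user=erin result=FAIL
2024-05-01T10:02:00Z ip=192.0.2.44 user=frank result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

MAX_FAILURES = 5          # consecutive failures per account before lockout (assumed)
MAX_ACCOUNTS_PER_IP = 3   # distinct accounts one IP may try before being blocked
BASE_DELAY_SECONDS = 1.0  # first back-off step; doubles with each further failure


class LoginGuard:
    """Tracks per-account failures and per-IP account spread."""

    def __init__(self) -> None:
        self.failures: dict[str, int] = defaultdict(int)
        self.accounts_by_ip: dict[str, set[str]] = defaultdict(set)
        self.locked_users: set[str] = set()
        self.blocked_ips: set[str] = set()

    def delay_for(self, user: str) -> float:
        # Time delay the server should impose before the next attempt:
        # 0 s with no failures, then 1, 2, 4, ... seconds (exponential back-off).
        n = self.failures[user]
        return 0.0 if n == 0 else BASE_DELAY_SECONDS * 2 ** (n - 1)

    def record(self, ip: str, user: str, ok: bool) -> str:
        if ip in self.blocked_ips or user in self.locked_users:
            return "REJECTED"            # already locked/blocked: do not evaluate the password
        self.accounts_by_ip[ip].add(user)
        if len(self.accounts_by_ip[ip]) > MAX_ACCOUNTS_PER_IP:
            self.blocked_ips.add(ip)     # reverse brute force / password spraying pattern
            return "IP_BLOCKED"
        if ok:
            self.failures[user] = 0      # success resets the consecutive-failure count
            return "OK"
        self.failures[user] += 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked_users.add(user)
            return "LOCKED"
        return "FAIL"


def replay_log(text: str) -> tuple[LoginGuard, list[str]]:
    """Feed each parsed log line to a fresh guard; return the guard and per-line outcomes."""
    guard = LoginGuard()
    outcomes = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # skip lines that do not match the expected layout
        outcomes.append(guard.record(m["ip"], m["user"], m["result"] == "OK"))
    return guard, outcomes


if __name__ == "__main__":
    g, out = replay_log(SAMPLE_LOG)
    print("outcomes:", out)
    print("locked accounts:", sorted(g.locked_users))
    print("blocked IPs:", sorted(g.blocked_ips))
    print("next delay for alice:", g.delay_for("alice"), "s")
```

Replaying the sample shows the two patterns from the table: the single account hammered from one address gets locked, and the address that spreads one attempt across four accounts gets blocked on the fourth, while the legitimate login is unaffected.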