The Nemesida AI module allows you to identify the signs of «brute-force» attacks.

A «brute-force» attack is based on the mathematical method of the same name, in which the correct solution (a finite number or a symbolic combination) is found by trying the possible options one after another. In effect, each value from a given set of potential answers (solutions) is checked for correctness.

A «brute-force» attack on a web application is an attack in which the values of account names, passwords, session data, etc. are enumerated in an attempt to gain access to the web application or its data.

Without affecting the response time of the web application, the Nemesida AI module detects such attacks based on the following principle:

  • Analysis of a copy of the requests arriving at the web application;
  • Extraction of the data necessary for decision-making (IP, URL, ARGS, BODY);
  • Filtering of the obtained data, excluding inappropriate URIs, to reduce the number of false positives;
  • Calculation of mutual distances between requests (Levenshtein distance and fuzzy logic are used);
  • Selection of requests from one address to a specific URI by their proximity, or of requests from all addresses to a specific URI (to identify distributed BF attacks), within a certain time window;
  • Blocking of the source(s) of the attack when threshold values are exceeded.

By iterating over the value of the password parameter, an attacker can determine from the response code whether authorization succeeded:

GET /vulnerabilities/brute/?username=admin&password=123456&Login=Login

By enumerating page values, an attacker can access information that is not intended for a wide range of users (for example, if the web application contains an «Insecure Direct Object References» vulnerability). From the response code, an attacker can determine whether a document, page or user exists:

GET /page/?file=1
GET /page/?file=...
GET /page/?file=999

Such attacks can also be applied to web applications that use predictable session IDs, or password reset or change links (for example, a link in which the user name and the year of account registration are encoded in Base64):

https://site/login/activate.htm?code=dXNlcjIwMTg

Protection against such attacks is based on detecting similar requests within a certain period of time that show signs of value enumeration (for example, the value of an input field changes with each new request).
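The detection principle listed above (group requests per source and URI in a time window, measure how close consecutive requests are, block when a threshold is exceeded) as a small added example. This is illustrative code written for this page, not Nemesida WAF's own implementation; the window, distance and threshold values and the sample request log are constructed, and only the Levenshtein part of the distance calculation is shown (no fuzzy logic).

```python
from collections import defaultdict, deque
from urllib.parse import urlsplit

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic row-by-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def detect_enumeration(events, window=60, max_distance=3, threshold=5):
    """events: iterable of (timestamp, client_ip, request_target), time-ordered.
    Requests are grouped per (ip, path) and kept within a sliding time window.
    A request whose query string is a small edit of the previous one on the same
    path counts as one enumeration step (distance 0 is a plain reload, not a step).
    Returns the (ip, path) pairs whose step count in the window reached threshold;
    the parameter defaults are constructed, not Nemesida WAF's real ones."""
    recent = defaultdict(deque)  # (ip, path) -> deque of (ts, query)
    flagged = set()
    for ts, ip, target in events:
        parts = urlsplit(target)
        key = (ip, parts.path)
        q = recent[key]
        while q and ts - q[0][0] > window:  # expire requests outside the window
            q.popleft()
        q.append((ts, parts.query))
        steps = sum(
            1 for (_, prev_q), (_, cur_q) in zip(q, list(q)[1:])
            if 0 < levenshtein(prev_q, cur_q) <= max_distance
        )
        if steps >= threshold:
            flagged.add(key)
    return flagged

SAMPLE_EVENTS = [  # constructed sample traffic: (unix ts, client ip, request target)
    (10, "198.51.100.7", "/vulnerabilities/brute/?username=admin&password=123456&Login=Login"),
    (11, "203.0.113.5", "/page/?file=1"),
    (12, "198.51.100.7", "/vulnerabilities/brute/?username=admin&password=12345&Login=Login"),
    (13, "198.51.100.7", "/vulnerabilities/brute/?username=admin&password=123457&Login=Login"),
    (14, "203.0.113.5", "/page/?file=1"),
    (15, "198.51.100.7", "/vulnerabilities/brute/?username=admin&password=1234567&Login=Login"),
    (16, "198.51.100.7", "/vulnerabilities/brute/?username=admin&password=123458&Login=Login"),
    (17, "203.0.113.5", "/page/?file=2"),
    (18, "198.51.100.7", "/vulnerabilities/brute/?username=admin&password=123459&Login=Login"),
    (19, "198.51.100.7", "/vulnerabilities/brute/?username=admin&password=123460&Login=Login"),
]
```

Running `detect_enumeration(SAMPLE_EVENTS)` flags only the source cycling through password values on the login URI; the second client, which reloads one page and then opens another, stays below the threshold.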