Organisations are increasingly engaging and enabling their customers through mobile or web applications. But in so doing they are increasing business risk.

Driving customer interaction through digital channels is the desired goal. The undesired consequence is a jump in cyber danger.

Over the coming weeks we will look at modern cyber attacks threatening businesses moving into the digital space. In today’s post we examine brute force attacks. These seek to obtain customer credentials and disrupt online services.


“A brute force attack is a trial-and-error method used to obtain information such as a user password”


Hammering web services

Brute force attacks have been around for a long time and exist today in many forms. These attacks are not a sophisticated method of exploiting a digital application, yet they are incredibly effective. Traditional defences such as web application firewalls (WAFs) rarely pick them up.

Brute force attacks exploit the legitimate use cases of an application, as opposed to illegitimate uses like XSS or SQL Injection. Subsequently, it is extremely difficult to proactively detect with any accuracy the difference between the good and the bad.

Who’s vulnerable?

A brute force attack typically targets user login or user account reset forms. The attacker attempts to guess usernames and passwords to gain access to an account.

Normally the attacker first attempts to determine valid usernames from a password reset field because services often return errors when incorrect usernames are entered. Once a list of valid usernames is accumulated, the attacker will use software to rapidly attempt to login. Typically they try each username combination with randomly guessed passwords, or passwords bought from a compromised data source.

For an attacker this process can be very simple because the software they use is growing ever more sophisticated and cheap to run. As computer hardware grows in power and reduces in cost, setting up an automated attack targeting specific forms and fields on web services is almost trivial. Any would-be attacker can bombard a chosen target.

After the attack

When this type of attack is successful it can lead to significant damages for the user, the organisation and the system itself.

  • For the user, private data, including their username and password, will often be sold on the dark web or published publicly.
  • For the organisation, the publishing of private data can cause significant damage to its reputation and the public perception of “trust”.
  • For the system, when one user’s credentials have been compromised, attackers may be able to use similar attacks on other users. Once a system is compromised, successful attacks can encourage subsequent attacks, which lead to further damage.

Stopping the spam

In small, custom-built applications, there are several developer-level measures and fixes that can be employed to reduce the threat of brute force attacks. We recommend:

  • displaying generic errors on login and password reset fields to prevent revealing valid usernames
  • limiting the account rate to ensure a compromised username can’t submit many password guesses
  • blacklisting IPs to slow down an attacker.

However, at scale these mechanisms alone are not enough. Enterprise-level solutions, such as request rate limiting through a WAF, are often employed at larger scale. But these technologies were not initially designed to stop this kind of attack.

In this environment the more sophisticated and tailored technologies such as Kasada’s Polyform thrive. They mitigate the risk of many automated attacks, including brute force attacks. Find out more about Polyform’s system protection against brute force attacks here.

Wrapping up

Brute force attacks will remain a significant and constant threat as more and more services move online. Organisations transitioning into new digital experiences need to be aware of this threat and ensure that their services are properly protected.

In our next post, we will discuss scripted digital application denial-of-service (DOS) attacks. These threats have received widespread coverage for bringing down small and large-scale web services.