VID: 21810
Severity: 40
Port: 80, ...
Protocol: TCP
Class: CGI
Detailed Description:
A login page using form-based authentication appears to have an account with a weak login combination. A remote attacker can perform a brute-force dictionary attack against the login form of the target web application. Brute forcing is the process of automatically trying passwords from a dictionary file, for a given username, until one of them matches that username's password. This check simulates such an attack, using the dictionary file specified in the scan policy (a list of the most common passwords), and reports whether the site is vulnerable to it, together with any passwords found. A remote attacker can exploit this vulnerability to gain the privileges of an authorized user of the affected application. This may aid an attacker in further attacks against the underlying system; other attacks are also possible.
* Note: This check requires a definition file for the form you want to crack into. If you need to crack into a custom HTML form, add lines describing that form to the definition file. Writing definition files is explained in "Common Settings" -> "Web Application Setting" of the Policy Editor.
* Platforms Affected: Any HTTP server (any version), any operating system (any version)
Recommendation:
Set the password for the login username to a value that is difficult to guess.
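As an added example (not part of this scanner record or its vendor's code), the following detection logic runs over authentication log lines and flags the pattern this check simulates: a burst of failed logins for one username from one source, and the more serious case of a success arriving while such a burst is still in the window. The log line format, the sample lines and the threshold/window values are assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of application auth-log lines (not from any real system).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z result=failure user=admin src=203.0.113.7
2024-03-01T10:00:02Z result=failure user=admin src=203.0.113.7
2024-03-01T10:00:03Z result=failure user=admin src=203.0.113.7
2024-03-01T10:00:04Z result=failure user=admin src=203.0.113.7
2024-03-01T10:00:05Z result=failure user=admin src=203.0.113.7
2024-03-01T10:00:06Z result=success user=admin src=203.0.113.7
2024-03-01T10:00:30Z result=failure user=alice src=198.51.100.9
2024-03-01T10:05:00Z result=success user=alice src=198.51.100.9
"""

# Assumed log format: "<ISO-8601 UTC timestamp> result=<success|failure> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) result=(?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse_log(text):
    """Yield (timestamp, result, user, src) for well-formed lines; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["result"], m["user"], m["src"]

def detect_bruteforce(text, threshold=5, window=timedelta(minutes=1)):
    """Return alerts for (src, user) pairs that reach `threshold` failures inside `window`.

    A success while failures are still in the window is what a successful dictionary
    attack looks like, so it is reported as a separate, higher-priority alert.
    """
    recent = defaultdict(deque)  # (src, user) -> timestamps of failures inside the window
    alerts = []
    for ts, result, user, src in parse_log(text):
        q = recent[(src, user)]
        while q and ts - q[0] > window:  # drop failures that have aged out of the window
            q.popleft()
        if result == "failure":
            q.append(ts)
            if len(q) == threshold:      # fire once when the burst threshold is reached
                alerts.append(("burst", src, user, ts))
        elif q:                          # success with recent failures still in the window
            alerts.append(("success_after_failures", src, user, ts))
            q.clear()
    return alerts
```

On the sample above, the admin account triggers both a burst alert and a success-after-failures alert, while alice's single stale failure produces nothing.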
Related URL (CVE):
Related URL (SecurityFocus):
Related URL (ISS):