Home > Learning Center > Application Security > Brute Force 

Brute Force

Brute force attacks use exhaustive trial and error methods in order to find legitimate authentication credentials.

Detailed Description

The brute force attack is a method of obtaining a user’s authentication credentials. Authentication is the process of determining if a user is who he/she claims to be. It is commonly performed through the usage of usernames and passwords. Knowledge of the password is assumed to guarantee that the user is authentic. Each user initially registers (or is registered by someone else) using an assigned or self-declared password. On each subsequent use, the user must know and use the previously declared password.

Using brute force, attackers attempt combinations of the accepted character set in order to find a specific combination that gains access to the authorized area. Consider the following form.

Attackers can use brute force applications, such as password guessing tools and scripts, in order to try all the combinations of well-known usernames and passwords. Such applications may use default password databases or dictionaries that contain commonly used passwords or they may try all combinations of the accepted character set in the password field.

User identification is not always achieved with a username and password pair. Using a brute force tool makes it easy to find a legitimate session ID that appears in a URL (see Parameter Tampering). A session ID is an identification string used to associate specific Web pages with a specific user. The following is an example of such a session ID.


This is an example of a greeting card site that has a unique session ID for each greeting card. Using Brute Force applications, attackers may try thousands of session IDs embedded in a legitimate URL in an attempt to view greeting cards that they are not authorized to view.

It is relatively easy to find a legitimate key for an object id. For example, consider the URL:


In this example, the dynamic page requested by the browser is called Displaymsg.asp and the browser sends the Web server the parameter msgID with a value of 12345. An attacker may try brute force values for msgID to try and read other users’ messages.