Honeypot Processors: Basic Authentication Processor: Incidents - Basic Authentication Brute Force

Complexity: Medium (3.0)

Default Response: 1x = CAPTCHA; 2x = Permanent Block.

Cause: Apache is a very common webserver. As a result, hackers will often look for vulnerabilities specific to Apache, because there is a good chance that any given website is running it. One such weakness involves the use of an .htaccess file to provide directory-level configuration (password-protected resources, directory indexing options, and so on) without sufficiently protecting the .htaccess file itself. By convention, configuration files should not be exposed to the public, so a request for .htaccess or a related resource should receive either a "404 Not Found" or a "403 Forbidden" response. Unfortunately, an improperly configured installation of Apache does not block requests for these resources, and a hacker who retrieves them can gain valuable knowledge of the way the server is configured. WebApp Secure automatically blocks any request for the .htaccess resource and instead returns a fake version of the file, which contains the directives necessary to password-protect a fake resource. Should the user request that password-protected resource, WebApp Secure simulates the authentication method defined in the fake .htaccess and simulates the existence of the fake resource. The "Basic Authentication Brute Force" incident triggers when the user requests the fake password-protected file and repeatedly supplies an invalid username and password (as would be the case if the user were guessing various username and password combinations).

Behavior: Hackers will often attempt to get the .htaccess file from various directories on a website in an effort to find valuable information about how the server is configured. This is usually done to find a "Server Misconfiguration" weakness that might expose a "Credential/Session Prediction", "OS Commanding", "Path Traversal", or "URL Redirector Abuse" vulnerability among others.

Note: For information on the attack types mentioned here, go to The Web Application Security Consortium Web Site and search for the attack name to learn more about it.

In this specific case, the attacker is requesting the fake password-protected resource, which is referenced only from the fake .htaccess file, and has attempted to authenticate to it with a large number of bad credentials. This is most likely an effort to guess a valid username and password combination, such as "admin:admin" or "guest:guest". It is a poor method for locating valid usernames and passwords, because the user database file .htpasswd is itself exposed (albeit fake), so a brute-force attack generally indicates a less sophisticated attacker. Because the password-protected file is not referenced from anywhere outside of .htaccess, this incident should not occur unless an "Apache Configuration Requested" incident has occurred first. If that is not the case, the hacker has likely established two independent profiles in WebApp Secure. This type of behavior is generally performed when attempting to establish a successful attack vector.
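To make the honeypot mechanics described in the Cause and Behavior sections concrete, the following Python sketch (an added illustration, not WebApp Secure's code or configuration) serves a decoy Basic-Auth resource, decodes each `Authorization: Basic` header, counts bad credentials per client, and escalates the response in the same way as the default response above: the first incident answers with a CAPTCHA, the second with a permanent block. The decoy path `/admin-backup/`, the decoy credential in `FAKE_HTPASSWD`, the `failures_per_incident` threshold and the `basic_header` helper are all assumptions made for the example; the product's real paths and thresholds are not given on this page.

```python
import base64
import binascii
from collections import defaultdict

# Constructed values for this example only; not WebApp Secure's real paths,
# thresholds or fake file contents.
FAKE_PROTECTED_PATH = "/admin-backup/"        # decoy resource referenced only from the fake .htaccess
FAKE_HTPASSWD = {"webmaster": "s3cret-decoy"}  # decoy credentials the fake .htpasswd "leaks"
REALM = "Restricted Area"

# Escalating responses by incident count: 1x -> CAPTCHA, 2x (and beyond) -> permanent block.
RESPONSES = {1: "CAPTCHA"}
BLOCK_RESPONSE = "PERMANENT_BLOCK"


def parse_basic_auth(header_value):
    """Decode 'Basic <base64(user:password)>' into (user, password); None if malformed."""
    if header_value is None:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def basic_header(user, password):
    """Build the Authorization header value a client would send (used by the demo)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


class BasicAuthBruteForceDetector:
    """Simulates the decoy resource and raises an incident after repeated bad credentials."""

    def __init__(self, failures_per_incident=5):
        self.failures_per_incident = failures_per_incident  # assumed threshold, not the product's
        self.failures = defaultdict(int)   # client_id -> bad attempts since the last incident
        self.incidents = defaultdict(int)  # client_id -> incidents raised so far
        self.blocked = set()

    def handle_request(self, client_id, path, headers):
        """Return (HTTP status, action); action is None, 'CAPTCHA' or 'PERMANENT_BLOCK'."""
        if client_id in self.blocked:
            return 403, BLOCK_RESPONSE
        if path != FAKE_PROTECTED_PATH:
            return 404, None  # outside the honeypot; normal handling happens elsewhere

        if "Authorization" not in headers:
            # First visit: challenge the client as Apache would for the fake directives
            # (a real server would add 'WWW-Authenticate: Basic realm="%s"' % REALM).
            return 401, None

        creds = parse_basic_auth(headers.get("Authorization"))
        if creds is not None and FAKE_HTPASSWD.get(creds[0]) == creds[1]:
            self.failures[client_id] = 0
            return 200, None  # decoy credentials "work", keeping the simulation consistent

        # Malformed header or wrong credentials: count it as a failed guess.
        self.failures[client_id] += 1
        if self.failures[client_id] < self.failures_per_incident:
            return 401, None

        # Threshold reached: raise an incident and escalate the response.
        self.failures[client_id] = 0
        self.incidents[client_id] += 1
        action = RESPONSES.get(self.incidents[client_id], BLOCK_RESPONSE)
        if action == BLOCK_RESPONSE:
            self.blocked.add(client_id)
        return 401, action


if __name__ == "__main__":
    # Constructed sequence of guesses from one client against the decoy resource.
    detector = BasicAuthBruteForceDetector(failures_per_incident=3)
    guesses = [("admin", "admin"), ("guest", "guest"), ("root", "toor"),
               ("admin", "password"), ("test", "test"), ("user", "user")]
    print(detector.handle_request("10.0.0.5", FAKE_PROTECTED_PATH, {}))
    for user, pw in guesses:
        hdrs = {"Authorization": basic_header(user, pw)}
        print(user, pw, detector.handle_request("10.0.0.5", FAKE_PROTECTED_PATH, hdrs))
```

Malformed `Authorization` headers (bad base64, a missing colon, a different scheme) are deliberately counted as failed guesses rather than ignored, since a guessing tool that mangles the header is still guessing; the first unauthenticated visit is not counted, because that is exactly how a legitimate browser first encounters a Basic-Auth realm.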