HIGH brute force

Brute Force Attack

Test your API against brute force

How Brute Force Works

Brute force attacks work by systematically trying every possible combination of credentials until the correct one is found. Think of it like trying every key on a keyring until you find the one that opens the door. The attacker typically uses automated tools to rapidly test username and password combinations against a login endpoint.

The attack usually follows this pattern:

  • Credential collection: Attackers gather common usernames (admin, test, guest) and password lists from breaches or common patterns
  • Rate-limited attempts: Tools send authentication requests at high speed, often thousands per minute
  • Response analysis: Different error messages ("invalid username" vs "invalid password") help attackers eliminate possibilities
  • Success detection: When the correct credentials are found, the attacker gains access

Modern brute force attacks often use "credential stuffing" — testing username/password pairs stolen from other breaches. Since people reuse passwords across services, this approach can be surprisingly effective without even guessing passwords.

Brute Force Against APIs

APIs are particularly vulnerable to brute force because they're designed for machine-to-machine communication. Unlike web forms with rate limiting and CAPTCHAs, APIs often lack these protections, making them ideal targets.

Common API targets include:

  • Authentication endpoints: /login, /authenticate, /token
  • Password reset: /reset-password, /forgot-password (often allow unlimited attempts)
  • Token endpoints: /refresh, /renew (can be chained for extended access)

Attackers exploit several API-specific weaknesses:

// Example: Predictable error responses help attackers
POST /api/v1/auth/login
{ "username": "admin", "password": "wrong" }

// Response might say "username not found" or "incorrect password"
// This tells attackers which usernames are valid

API rate limiting is often implemented incorrectly. Many APIs only rate limit by IP address, but cloud providers give attackers access to thousands of IP addresses. Others rate limit by user ID, but attackers can create unlimited accounts.

Time-based attacks are another concern. Without proper lockout mechanisms, attackers can try credentials slowly over weeks or months, eventually finding valid combinations without triggering alerts.

Detection & Prevention

Effective brute force protection requires multiple layers of defense. Here's how to implement comprehensive protection:

Rate Limiting Strategies

Simple rate limiting by IP is insufficient. Implement sophisticated controls:

// Rate limit by multiple factors
rateLimit({
  windowMs: 900000, // 15 minutes
  max: 5, // 5 requests
  keyGenerator: (req) => {
    return req.ip + ':' + req.body.username;
  }
});

Consider exponential backoff: increase the delay between allowed attempts after each failure. After 3 failed attempts, wait 1 second; after 6, wait 2 seconds; after 9, wait 4 seconds, and so on.

Authentication Hardening

Implement these authentication controls:

  • Account lockout: Lock accounts after 5-10 failed attempts for 15-30 minutes
  • Progressive delays: Add increasing delays between authentication attempts
  • Multi-factor authentication: Require additional verification for sensitive operations
  • Uniform error messages: Always respond with "invalid credentials" regardless of which field was wrong

Monitoring & Detection

Set up monitoring to detect brute force patterns:

// Monitor for suspicious patterns
const failedLogins = new Map();

app.post('/api/v1/auth/login', (req, res) => {
  const key = req.ip + ':' + req.body.username;
  
  if (!failedLogins.has(key)) {
    failedLogins.set(key, { count: 0, first: Date.now() });
  }
  
  const record = failedLogins.get(key);
  record.count++;
  
  // Alert if 10+ failures in 5 minutes from same source
  if (record.count > 10 && (Date.now() - record.first) < 300000) {
    alertSecurityTeam(key, record.count);
  }
});

middleBrick can help identify brute force vulnerabilities in your APIs. The scanner tests authentication endpoints for weak rate limiting, predictable error messages, and missing lockout mechanisms. It provides specific findings with severity levels and remediation steps, helping you understand exactly where your API is vulnerable before attackers do.

For continuous protection, middleBrick's Pro plan includes scheduled scanning that can alert you if new brute force vulnerabilities appear in your APIs after deployments or configuration changes.

Protect against brute force View all attack techniques

Frequently Asked Questions

How can I tell if my API is being brute forced?

Look for unusual patterns in your authentication logs: sudden spikes in failed login attempts, repeated attempts from the same IP or user agent, or attempts using common username patterns. Monitor for requests hitting authentication endpoints at rates exceeding normal user behavior. Security information and event management (SIEM) tools can help correlate these patterns across your infrastructure.

Are CAPTCHAs effective against API brute force?

CAPTCHAs can help but aren't a complete solution for APIs. While they stop simple automated tools, sophisticated attackers use CAPTCHA-solving services or machine learning to bypass them. CAPTCHAs also create poor user experiences and can be bypassed through account creation with disposable emails. Better approaches include rate limiting, exponential backoff, and multi-factor authentication. CAPTCHAs should be one layer in a defense-in-depth strategy, not the primary protection.