An introduction to web app security and brute force attacks

Who can attack an app, the most common ways security breaches happen and how to protect your business against malicious actors attempting brute force attacks

Updated on March 29, 2023

John Adam, K&C head of marketing


As modern businesses and other organisations have become increasingly dependent on the use of web applications, the incentives for malicious actors to attack their security have increased. Web app security should be a priority for all app owners if user or company data, reputation or money might be at risk should an app be breached.

Attacks on web applications provide intruders with opportunities including:

  • Access to a company’s internal resources and sensitive information;
  • The opportunity to disrupt the functioning of an application or bypass business logic;
  • Financial gains for the attacker, and losses, both financial and reputational, for the owner of web applications.

Users of web applications are at risk because if an attack is successful, the intruder can steal personal and financial data, perform actions on websites on behalf of users, and infect a system with malware.

In this article, we’ll talk about the types of attacks, the ways threat actors can damage your system, and how you can protect your website, other web-based apps and your company’s essential data.


Common types of attacks on web applications

There are different types of attacks used to breach the security of web applications. They differ depending on the sophistication of the way malefactors have chosen to steal sensitive data or otherwise cause trouble. The most popular attacks are:

1. SQL injection

2. OS command injection

3. Path traversal

4. Cross-site scripting

5. Denial of service

6. Local file inclusion

7. XML external entity injection

8. Arbitrary file download

9. Cross-site request forgery

One of the simplest but most effective ways to access targeted data from a web app is to use brute force attacks. This approach involves the attacker using code-breaking software to calculate and run through every possible combination that could make up a password and testing it to see if it is the correct password. As the password’s length increases, the amount of time, on average, to find the correct password increases exponentially. This means users can hugely reduce the risk of falling victim to a brute force attack by simply making sure they have a long password that includes symbols and digits as well as letters.

As the goal of the attack is to find a valid username and password, it’s not as difficult, or unusual, as we might assume for intruders to spend a couple of hours scrolling Instagram comments or other social media profiles of a particular user or organization in search of a careless clue to login details.

3 things not to do in the case of a security breach on your web app


After finding that there has been an attack, it is common for app owners to reactively block the intruder’s IP address. However, we would advise you to refrain from that impulse because:

  • an intruder can easily get around this by dynamically changing their IP address
  • blocking a public IP may cut off other users of the same address


Another bad idea is to block those users that have failed to log in multiple times. This is a dangerous approach. A potential intruder may try many valid usernames, and you’ll end up blocking each and every one of these people. Most likely this will annoy users and deter them from using your app. A lighter version of this approach is to lock an account temporarily, with a response such as “You entered your password incorrectly a few times in a row. Try again in 30 seconds.”


CAPTCHA can be a great way to confirm that a login attempt comes from a person and not a robot. But it’s also inconvenient for users. In applications that prioritize user experience, CAPTCHA should be considered a last resort. Many web app security teams use a lighter form of CAPTCHA protection which introduces the measure only when potentially suspicious user account behaviour triggers a warning. You may have noticed Google’s major apps take this approach to CAPTCHA as a security measure.

How to protect your web app from brute force attacks

Now we’ve covered common approaches to web app security and responses to breaches that tend not to be especially effective, what can you do that will genuinely strengthen your application’s defences?

Step #1. Define what you are protecting

Analyze what kind of resources and value should be defended as a priority. Money? Sensitive data? Reputation? A hacked app can result in losses across all three of these and should obviously be avoided at all costs.

Step #2. Detect Attacks

To effectively defend against a brute force attack, you first need to detect it. To do so, you need tools for monitoring the network traffic of your web app. Pay attention to metrics and logs through automated monitoring tools. The HTTP metrics should be detailed enough to determine the URL and method of each incoming request, the response status, and the number of responses produced. Logs will provide more detailed information about each request that cannot always be collected and presented as metrics.
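As an added illustration (not code from the original article), the following sketch applies that idea to access-log lines: it extracts the method, URL and status of each request, flags source addresses with a burst of failed logins inside a sliding window, and reports the overall failure ratio, which stays high even when an attacker rotates IP addresses. The `/login` path, the 401/403 failure statuses, the thresholds and the sample lines are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
FAILED = {"401", "403"}  # assumption: the app answers a failed login with 401 or 403

# Constructed sample lines in common log format (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    f'203.0.113.7 - - [29/Mar/2023:10:00:{s:02d} +0000] "POST /login HTTP/1.1" 401 512'
    for s in range(0, 40, 5)  # eight failures in under a minute from one address
] + [
    '198.51.100.20 - - [29/Mar/2023:10:00:03 +0000] "POST /login HTTP/1.1" 401 512',
    '198.51.100.20 - - [29/Mar/2023:10:00:20 +0000] "POST /login HTTP/1.1" 200 1834',
    '198.51.100.31 - - [29/Mar/2023:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 9120',
]

def login_attempts(lines, path="/login"):
    """Yield (ip, timestamp, failed) for every POST to the login URL."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, method, url, status = m.groups()
        if method == "POST" and url.split("?")[0] == path:
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), status in FAILED

def noisy_sources(lines, window=timedelta(seconds=60), threshold=5):
    """Return {ip: peak failures within any window} for sources at or above threshold."""
    recent, peak = defaultdict(deque), defaultdict(int)
    for ip, when, failed in login_attempts(lines):
        if not failed:
            continue
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

def failure_ratio(lines):
    """Share of login attempts that failed, across all sources (catches rotating IPs)."""
    results = [failed for _, _, failed in login_attempts(lines)]
    return sum(results) / len(results) if results else 0.0

if __name__ == "__main__":
    print(noisy_sources(SAMPLE_LOG), round(failure_ratio(SAMPLE_LOG), 2))
```

The per-source function assumes each address's lines arrive in chronological order, as they do in a normal access log.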

Step #3. Ask for additional security questions

Secret questions can be an effective way to detect would-be attackers without overly negatively impacting the user experience of regular users of your web app. Secret questions and corresponding answers are configured in a user’s profile. If a user has failed to log in a few times, give them the option of answering their secret question. Make sure to also ask these questions for invalid logins, so the attacker won’t know if an account really exists or not.

Step #4. Introduce latency

During a brute force attack an intruder will make attempts with many passwords. Implementing a small delay between failed login attempts can dramatically decelerate the whole process, making it too time-consuming for an attacker. The additional latency won’t be a major inconvenience to real users who probably only need two or three attempts to get their login details correct.
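One way to implement this delay, shown as an added example rather than code from the original article: instead of sleeping inside the request handler, the server records consecutive failures per username and rejects retries that arrive too early, doubling the wait up to a 30-second cap. The class name, the `verify` callback, the 429 status for early retries and the delay values are assumptions of this sketch; unknown usernames are throttled exactly like real ones so the response does not reveal whether an account exists.

```python
import time

class LoginThrottle:
    """Track consecutive failed logins per username and compute the wait before a retry."""

    def __init__(self, base_delay=1.0, max_delay=30.0, clock=time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock          # injectable so the behaviour can be tested
        self._state = {}            # username -> (consecutive failures, time of last failure)

    def retry_after(self, username):
        """Seconds that must still pass before this username may be tried again."""
        failures, last = self._state.get(username, (0, 0.0))
        if failures == 0:
            return 0.0
        delay = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        return max(0.0, last + delay - self.clock())

    def record(self, username, success):
        """Call after each checked attempt; a success clears the failure counter."""
        if success:
            self._state.pop(username, None)
        else:
            failures, _ = self._state.get(username, (0, 0.0))
            self._state[username] = (failures + 1, self.clock())

def attempt_login(throttle, verify, username, password):
    """Return (http_status, retry_after_seconds) for one login request."""
    wait = throttle.retry_after(username)
    if wait > 0:
        return 429, wait            # too early: rejected without checking the password
    ok = verify(username, password)
    throttle.record(username, ok)
    return (200, 0.0) if ok else (401, throttle.retry_after(username))

if __name__ == "__main__":
    throttle = LoginThrottle()
    reject_all = lambda username, password: False  # stand-in verifier for the demo
    for _ in range(3):
        print(attempt_login(throttle, reject_all, "alice", "guess"))
```

In a deployed application the counters would live in a shared store with expiry, so that they survive restarts and do not grow without bound.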

Step #5. Trick tools used in brute force attacks

In a brute force attack, penetration testing tools like THC Hydra may be used. If these tools send requests with a User-Agent header set to a default value, this is a tell-tale sign of an attack tool.

By randomly returning 200 status responses for requests with such a header, an application can fool the attacker, who will no longer be able to distinguish between correct and failed attempts. It’ll work on amateur hackers who don’t know how to modify Hydra’s request headers. Note this isn’t a fully secure solution as request headers can’t always be relied on.


A majority of attacks on web apps are not particularly sophisticated and can be relatively easily avoided or detected by following the advice provided above. However, bigger apps or those seen by hackers as attractive targets for different reasons may come under attack from more sophisticated hackers. The technical expertise that the best modern cybercriminals possess makes it possible to carry out attacks with a high level of complexity, including through a series of actions that occur at different times and at first glance do not seem related.

If you’re not sure you can cope with a complicated series of attacks and fear your web app may be a potential target, we’d love to help. Just get in touch by clicking below!
