WebApp Sec mailing list archives
Likelihood of brute force attacks against web apps
From: Stephen de Vries <stephen () corsaire com>
Date: Tue, 12 Oct 2004 12:58:20 +0100
Hi list,We frequently warn clients of the risks of brute force or automated attacks against their sites and recommend the use of CAPTCHA (www.captcha.net) systems, or "secret questions" to mitigate this risk. For example:
- The registration process does not use captcha like systems and could allow attackers to use an automated script to generate thousands of fictitious users. These users can then be used to perform transactions that could lead to financial loss (e.g. costs due to rejected credit card), or waste resources through database access (and wasted storage).
- The password reminder mechanism requires only the user's email address which is used to send them an email for resetting their password. But since it requires no further auth from the user (such as an answer to a secret question), an attacker could enumerate all the valid email addresses registered to the site by writing a brute force script and using a database of email addresses (this may be particularly useful to a competitor). Of course, if the email address is used as the username, this problem becomes more serious.
Although these risks are real - and I don't doubt they will be used in the future - I'm not aware of any attacks of this sort being conducted in the past. Is anyone aware of these types of attacks in real-world scenarios? Do you think these pose a serious threat?
regards, Stephen ---------------------------------------------------------------------- CONFIDENTIALITY: This e-mail and any files transmitted with it are confidential and intended solely for the use of the recipient(s) only. Any review, retransmission, dissemination or other use of, or taking any action in reliance upon this information by persons or entities other than the intended recipient(s) is prohibited. If you have received this e-mail in error please notify the sender immediately and destroy the material whether stored on a computer or otherwise. ---------------------------------------------------------------------- DISCLAIMER: Any views or opinions presented within this e-mail are solely those of the author and do not necessarily represent those of Corsaire Limited, unless otherwise specifically stated. ----------------------------------------------------------------------
Current thread:
- Likelihood of brute force attacks against web apps Stephen de Vries (Oct 12)
- Re: Likelihood of brute force attacks against web apps Jeremiah Grossman (Oct 12)
- Re: Likelihood of brute force attacks against web apps Haroon Meer (Oct 14)
- Re: Likelihood of brute force attacks against web apps Saqib . N . Ali (Oct 15)
- Re: Likelihood of brute force attacks against web apps Dave Ferguson (Oct 22)
- RE: Likelihood of brute force attacks against web apps Glyn Geoghegan (Oct 24)
- Re: Likelihood of brute force attacks against web apps Dave Ferguson (Oct 22)
- RE: Likelihood of brute force attacks against web apps Bryan Murphy (Oct 28)