Re: Script Based Attacks & Form Hacks

[Saqib Ali <docbook.xml () gmail com>]

Hello Chad,

I would like divide the script based attacks in two categories:

1) Directly making a GET request to a form processor from a script.
2) Using a automated tool (e.g. AutoIt) to replay the same actions
indefinitely (e.g. Launch browser -> Open URL -> File in text -> Click
on submit button etc)

Here are my thoughts on each of the above 2 categories:

1) This type of attack can easily be foiled using:
a) POST method instead of GET. 
b) adding Tokens to your forms.  For a detailed description of Tokens
visit: http://shiflett.org/articles/foiling-cross-site-attacks

2) This type are a little harder to foil. However not impossible. For
external facing applications, I always send an email for
validation/verification. Till the user authenticates his/her address,
I keep the form data in a temporary table. The enteries in the temp
table have a life time of 1 hour, after that they get deleted. Also
make the email address / IP address the primary key in your temp
table. This will prevent one single machine from filling up the temp
table. It would have to be DDOS attack to fill up the TEMP table. But
then again, I set a max limit on the number of entries in the temp
table.


> One thing I have not heard any one discuss is the use of automated
> scripts and form hacking. I could easily write a Java program to
> attack any ASP,JSP,PHP etc.. simply by viewing the page source to find
> the parameters the form processor will be looking for. You could use
> this to fill up some ones database with garbage bring the server to a
> standstill or worse yet bypass all the fancy javascript you had on the
> calling page. Some web applications actually use javascript to
> calcualte currency transactions.

-- 
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/