WebApp Sec mailing list archives
Re: Script Based Attacks & Form Hacks
From: Saqib Ali <docbook.xml () gmail com>
Date: Thu, 21 Jul 2005 17:44:44 -0700
Hello Chad, I would like divide the script based attacks in two categories: 1) Directly making a GET request to a form processor from a script. 2) Using a automated tool (e.g. AutoIt) to replay the same actions indefinitely (e.g. Launch browser -> Open URL -> File in text -> Click on submit button etc) Here are my thoughts on each of the above 2 categories: 1) This type of attack can easily be foiled using: a) POST method instead of GET. b) adding Tokens to your forms. For a detailed description of Tokens visit: http://shiflett.org/articles/foiling-cross-site-attacks 2) This type are a little harder to foil. However not impossible. For external facing applications, I always send an email for validation/verification. Till the user authenticates his/her address, I keep the form data in a temporary table. The enteries in the temp table have a life time of 1 hour, after that they get deleted. Also make the email address / IP address the primary key in your temp table. This will prevent one single machine from filling up the temp table. It would have to be DDOS attack to fill up the TEMP table. But then again, I set a max limit on the number of entries in the temp table.
One thing I have not heard any one discuss is the use of automated scripts and form hacking. I could easily write a Java program to attack any ASP,JSP,PHP etc.. simply by viewing the page source to find the parameters the form processor will be looking for. You could use this to fill up some ones database with garbage bring the server to a standstill or worse yet bypass all the fancy javascript you had on the calling page. Some web applications actually use javascript to calcualte currency transactions.
-- In Peace, Saqib Ali http://www.xml-dev.com/blog/
Current thread:
- Script Based Attacks & Form Hacks Chad Maniccia (Jul 21)
- Re: Script Based Attacks & Form Hacks Saqib Ali (Jul 21)
- Re: Script Based Attacks & Form Hacks Stephen de Vries (Jul 22)
- Re: Script Based Attacks & Form Hacks Saqib Ali (Jul 22)
- RE: Script Based Attacks & Form Hacks Serghei S. (Jul 22)
- RE: Script Based Attacks & Form Hacks Paul Laudanski (Jul 24)
- Re: Script Based Attacks & Form Hacks Stephen de Vries (Jul 22)
- Re: Script Based Attacks & Form Hacks leighm (Jul 21)
- Re: Script Based Attacks & Form Hacks Christopher J Varenhorst (Jul 21)
- Re: Script Based Attacks & Form Hacks Stephen de Vries (Jul 22)
- Re: Script Based Attacks & Form Hacks Paul Kurczaba (Jul 21)
- Re: Script Based Attacks & Form Hacks Sean Utt (Jul 22)
- Re: Script Based Attacks & Form Hacks Vicente Aguilera (Jul 22)
(Thread continues...)
- Re: Script Based Attacks & Form Hacks Saqib Ali (Jul 21)