WebApp Sec mailing list archives
Re: Script Based Attacks & Form Hacks
From: Vicente Aguilera <vaguilera () isecauditors com>
Date: Fri, 22 Jul 2005 16:16:37 +0200
Hi Stephen, Stephen de Vries escribió:
Hi Vicente, On 22 Jul 2005, at 07:46, Vicente Aguilera wrote:To prevent automatic form submissions in login forms you can also use: 1. One-time-logins/One-time-passwordsFor example, if the user password is: "a34.;(vad78!$" the application can ask for the password: "Put the character 1,5,2,6,8,9,10,4 of your password", and these positions could change randomly.Perhaps I don't understand this solution, but it looks as though this could be automated by a script. It would be fairly trivial to write a script that parses the sentence "Put the character 1,5,2,6,8,9,10,4 of your password" and submits the correct characters from the password to the login form...(?)
Yes, but this is not the aim.Automatic form submissions in login forms basically try to break passwords or enumerate valid users (logins). If someone tries to guess a password with password cracking attacks has not any more information in every attempt, because every time the password is different. Password cracking attacks are not effective with this method.
Yes! An automatic reactivation of the account is necessary after a prudential time.2. Account lock For example after 5 unsuccessful attempts.There is always the danger that an attacker could use this to lockout all accounts on the system - which is also an effective DoS.
Regards, Vicente Aguilera DÃaz OPST, OPSA, ITIL vaguilera () isecauditors com
Current thread:
- RE: Script Based Attacks & Form Hacks, (continued)
- RE: Script Based Attacks & Form Hacks Serghei S. (Jul 22)
- RE: Script Based Attacks & Form Hacks Paul Laudanski (Jul 24)
- RE: Script Based Attacks & Form Hacks Serghei S. (Jul 22)
- Re: Script Based Attacks & Form Hacks leighm (Jul 21)
- Re: Script Based Attacks & Form Hacks Christopher J Varenhorst (Jul 21)
- Re: Script Based Attacks & Form Hacks Stephen de Vries (Jul 22)
- Re: Script Based Attacks & Form Hacks Paul Kurczaba (Jul 21)
- Re: Script Based Attacks & Form Hacks Sean Utt (Jul 22)
- Re: Script Based Attacks & Form Hacks Vicente Aguilera (Jul 22)
- Re: Script Based Attacks & Form Hacks Andrew van der Stock (Jul 22)
- Re: Script Based Attacks & Form Hacks Stephen de Vries (Jul 22)
- Re: Script Based Attacks & Form Hacks Vicente Aguilera (Jul 22)
- Re: Script Based Attacks & Form Hacks Stephen de Vries (Jul 23)
- Re: Script Based Attacks & Form Hacks Christian Martorella (Jul 23)
- RE: Script Based Attacks & Form Hacks Jose Varghese (Jul 22)