WebApp Sec mailing list archives
Re: Script Based Attacks & Form Hacks
From: Saqib Ali <docbook.xml () gmail com>
Date: Fri, 22 Jul 2005 07:36:50 -0700
> it does not present an insurmountable hurdle since there is nothing in the system that can't be automated. It would be relatively simple for an attacker to control an email server(s) and therefore to be able to automate the process of parsing and responding to predictable emails.
Indeed. I agree with you. I have written a procmail script that can respond to a verification/validation email automatically. The techniques I mentioned are just to deter casual script kiddies. I agree with Paul's suggestion to use CAPTCHA to prevent more serious attacks. But then again, even a CAPTCHA image can be deciphered.
> Basing a defense on the IP address of the submitter is also not really reliable because of the relative ease with which an attacker can use proxies to submit requests (http://proxy.org/lists.shtml).
However the list of proxy servers is also limited :)

--
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/