WebApp Sec mailing list archives
Re: Script Based Attacks & Form Hacks
From: Christian Martorella <laramies2k () yahoo com ar>
Date: Sat, 23 Jul 2005 13:52:09 +0200
Stephen de Vries wrote:
Hi Stephen, to solve that problem i think that the character position requested could be in an image, so the bruteforce script won't read it. The attacker will have to use some kind of OCR in the bruteforce attack to interpret the requested characters in the image.On 22 Jul 2005, at 14:16, Vicente Aguilera wrote:Automatic form submissions in login forms basically try to break passwords or enumerate valid users (logins). If someone tries to guess a password with password cracking attacks has not any more information in every attempt, because every time the password is different. Password cracking attacks are not effective with this method.To prevent automatic form submissions in login forms you can also use:1. One-time-logins/One-time-passwordsFor example, if the user password is: "a34.;(vad78!$" the application can ask for the password: "Put the character 1,5,2,6,8,9,10,4 of your password", and these positions could change randomly.That's only true if the attacker can't duplicate the system for generating the one time password. What I'm saying is that with the example given above, it will be trivial for an attacker to do this.For example, on the server side, the app would:1. Pick 5 random numbers between 1 and 8 (assuming that all passwords have at least 8 chars), e.g. 1,5,2,6,8 2. Present the login form and request that the user enter their username and the characters at positions 1,5,2,6,8 from their passwords.3. Process the details supplied, if incorrect goto 1. To launch a brute force attack on this system, an attacker would: 1. Get a dictionary of passwords.2. Write an automated script that grabs the login page from the target site and parses the HTML to extract the character positions requested. 3. Run the script against the app and extract the character positions requested. In this case 1,5,2,6,8.4. Read the current word from the dictionary. 5. Extract characters 1,5,2,6,86. Submit the login request with the username and the extracted characters. 7. If the login fails, move to the next word in the dictionary and goto step 3regards, Stephen
Cheers!
Christian Martorella
___________________________________________________________
1GB gratis, Antivirus y Antispam
Correo Yahoo!, el mejor correo web del mundo
http://correo.yahoo.com.ar
Current thread:
- Re: Script Based Attacks & Form Hacks, (continued)
- Re: Script Based Attacks & Form Hacks leighm (Jul 21)
- Re: Script Based Attacks & Form Hacks Christopher J Varenhorst (Jul 21)
- Re: Script Based Attacks & Form Hacks Stephen de Vries (Jul 22)
- Re: Script Based Attacks & Form Hacks Paul Kurczaba (Jul 21)
- Re: Script Based Attacks & Form Hacks Sean Utt (Jul 22)
- Re: Script Based Attacks & Form Hacks Vicente Aguilera (Jul 22)
- Re: Script Based Attacks & Form Hacks Andrew van der Stock (Jul 22)
- Re: Script Based Attacks & Form Hacks Stephen de Vries (Jul 22)
- Re: Script Based Attacks & Form Hacks Vicente Aguilera (Jul 22)
- Re: Script Based Attacks & Form Hacks Stephen de Vries (Jul 23)
- Re: Script Based Attacks & Form Hacks Christian Martorella (Jul 23)
- RE: Script Based Attacks & Form Hacks Jose Varghese (Jul 22)