WebApp Sec mailing list archives
RE: Likelihood of brute force attacks against web apps
From: "Glyn Geoghegan" <glyng () corsaire com>
Date: Sat, 23 Oct 2004 15:02:57 +1000
Hi Dave,

That solution includes two dangerous assumptions:

1/ That the password is stored by the application in recoverable form (rather than a hash for example); both bad practice and a possible breach of data protection laws.

2/ That sending a user's password in clear text over email systems is a secure method; inappropriate for most sites. For example, an attacker could provoke the password recovery procedure for his colleague and sniff the email containing the password with relative ease.

What Stephen is after are 'real' anecdotes to build a more compelling argument for the use of technologies like Captcha. It's easy to identify these risks and propose solutions, but it is important to demonstrate that these attacks really are likely and the risks real. Otherwise the recommendations may be perceived as potentially costly solutions pitched from a security best-practice perspective for the sake of it.

Cheers,
Glyn.

--
Glyn Geoghegan
Principal Security Consultant
http://www.corsaire.com
-----Original Message-----
From: Dave Ferguson [mailto:dferguson () touchnet com]
Sent: 23 October 2004 07:09
To: webappsec () securityfocus com
Subject: Re: Likelihood of brute force attacks against web apps

In scenario #2, rather than resetting the password, wouldn't it be better to have the user enter his e-mail address and then (assuming it is a valid address in the system) have the system send an e-mail to that address with his current password?

Thanks,
Dave F.

Saqib.N.Ali () seagate com wrote:

Hello,

Why don't you use captcha for both of these scenarios? It should prevent any brute force attacks.

For scenario #2, you can restrict to 3 attempts from a given IP, within a 24 hour period.

Thanks.
Saqib Ali
http://validate.sf.net

Stephen de Vries <stephen () corsaire com> wrote on 10/12/2004 04:58:20 AM:

Hi list,

We frequently warn clients of the risks of brute force or automated attacks against their sites and recommend the use of CAPTCHA (www.captcha.net) systems, or "secret questions" to mitigate this risk. For example:

- The registration process does not use captcha-like systems and could allow attackers to use an automated script to generate thousands of fictitious users. These users can then be used to perform transactions that could lead to financial loss (e.g. costs due to rejected credit card), or waste resources through database access (and wasted storage).

- The password reminder mechanism requires only the user's email address which is used to send them an email for resetting their password. But since it requires no further auth from the user (such as an answer to a secret question), an attacker could enumerate all the valid email addresses registered to the site by writing a brute force script and using a database of email addresses (this may be particularly useful to a competitor). Of course, if the email address is used as the username, this problem becomes more serious.

Although these risks are real - and I don't doubt they will be used in the future - I'm not aware of any attacks of this sort being conducted in the past. Is anyone aware of these types of attacks in real-world scenarios? Do you think these pose a serious threat?

regards,
Stephen
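The thread raises three design points for a password-reminder feature: store only a salted hash so the password cannot be mailed back (Glyn's first point), send a one-time reset token rather than the password itself (Glyn's second point, and the reset-versus-reminder question between Stephen and Dave), and answer identically whether or not the address is registered so the mechanism does not become an email-enumeration oracle, with Saqib's "3 attempts per IP in 24 hours" limit on top. The following is an added example written for this archive page, not code from any poster or from Corsaire; it assumes an in-memory user store, a caller-supplied clock for testing, and PBKDF2-HMAC-SHA256 as the password hash (a hypothetical choice, the thread names none).

```python
"""Password-reset flow illustrating the points made in the thread above.
Added example, not from the original posts. Assumes an in-memory store;
a real deployment would back this with a database and an email sender."""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 100_000          # hypothetical work factor for the example
RESET_LIMIT = 3                  # Saqib's suggestion: 3 requests per IP ...
RESET_WINDOW = 24 * 3600         # ... within a 24 hour period
TOKEN_TTL = 15 * 60              # reset tokens are short-lived (assumed value)
DUMMY_SALT = b"\x00" * 16        # used so unknown accounts cost the same time


class UserStore:
    def __init__(self):
        self.users = {}          # email -> {"salt": bytes, "hash": bytes}
        self.reset_tokens = {}   # sha256(token) -> (email, expires_at)
        self.ip_requests = {}    # ip -> list of request timestamps

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, email, password):
        # Only a salted hash is kept: nothing recoverable exists to email back.
        salt = os.urandom(16)
        self.users[email] = {"salt": salt, "hash": self._derive(password, salt)}

    def verify_login(self, email, password):
        rec = self.users.get(email)
        if rec is None:
            self._derive(password, DUMMY_SALT)   # equalise timing for unknown users
            return False
        return hmac.compare_digest(rec["hash"], self._derive(password, rec["salt"]))

    def request_reset(self, email, ip, now=None):
        """Returns (status, token). Status is 'ok' for known AND unknown
        addresses; only the token (to be emailed) differs, never the response."""
        now = time.time() if now is None else now
        stamps = [t for t in self.ip_requests.get(ip, []) if now - t < RESET_WINDOW]
        if len(stamps) >= RESET_LIMIT:
            self.ip_requests[ip] = stamps
            return "rate_limited", None
        stamps.append(now)                 # count the attempt whether or not email exists
        self.ip_requests[ip] = stamps
        token = None
        if email in self.users:
            token = secrets.token_urlsafe(32)
            key = hashlib.sha256(token.encode()).digest()   # store only a hash of it
            self.reset_tokens[key] = (email, now + TOKEN_TTL)
        return "ok", token

    def complete_reset(self, token, new_password, now=None):
        """Consumes a one-time token; a replayed or expired token is rejected."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).digest()
        entry = self.reset_tokens.pop(key, None)
        if entry is None or entry[1] < now:
            return False
        email, _ = entry
        self.register(email, new_password)   # new salt, new hash
        return True
```

The reset request deliberately does the same bookkeeping for unknown addresses as for known ones, so neither the response body nor the per-IP counter reveals which emails exist; what is mailed is a short-lived, single-use token, never the password, which the store could not produce anyway.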
Current thread:
- Likelihood of brute force attacks against web apps Stephen de Vries (Oct 12)
- Re: Likelihood of brute force attacks against web apps Jeremiah Grossman (Oct 12)
- Re: Likelihood of brute force attacks against web apps Haroon Meer (Oct 14)
- Re: Likelihood of brute force attacks against web apps Saqib . N . Ali (Oct 15)
- Re: Likelihood of brute force attacks against web apps Dave Ferguson (Oct 22)
- RE: Likelihood of brute force attacks against web apps Glyn Geoghegan (Oct 24)
- Re: Likelihood of brute force attacks against web apps Dave Ferguson (Oct 22)
- RE: Likelihood of brute force attacks against web apps Bryan Murphy (Oct 28)