WebApp Sec mailing list archives
RE: Likelihood of brute force attacks against web apps
From: "Bryan Murphy" <bryan () guardianlogic com>
Date: Wed, 27 Oct 2004 03:58:14 -0400
I commonly see issues in the datacenter I work in with people spamming the comment functions on blog software. It generally will continue until either the resource usage raises attention or the server crashes. I believe this would be a perfect candidate for the technology you mention.

> -----Original Message-----
> From: Stephen de Vries [mailto:stephen () corsaire com]
> Sent: Tuesday, October 12, 2004 7:58 AM
> To: webappsec () securityfocus com
> Subject: Likelihood of brute force attacks against web apps
>
> Hi list,
>
> We frequently warn clients of the risks of brute force or automated attacks against their sites and recommend the use of CAPTCHA (www.captcha.net) systems, or "secret questions" to mitigate this risk. For example:
>
> - The registration process does not use CAPTCHA-like systems and could allow attackers to use an automated script to generate thousands of fictitious users. These users can then be used to perform transactions that could lead to financial loss (e.g. costs due to rejected credit card), or waste resources through database access (and wasted storage).
>
> - The password reminder mechanism requires only the user's email address, which is used to send them an email for resetting their password. But since it requires no further auth from the user (such as an answer to a secret question), an attacker could enumerate all the valid email addresses registered to the site by writing a brute force script and using a database of email addresses (this may be particularly useful to a competitor). Of course, if the email address is used as the username, this problem becomes more serious.
>
> Although these risks are real - and I don't doubt they will be used in the future - I'm not aware of any attacks of this sort being conducted in the past. Is anyone aware of these types of attacks in real-world scenarios? Do you think these pose a serious threat?
>
> regards,
> Stephen
>
> ----------------------------------------------------------------------
> CONFIDENTIALITY: This e-mail and any files transmitted with it are confidential and intended solely for the use of the recipient(s) only. Any review, retransmission, dissemination or other use of, or taking any action in reliance upon this information by persons or entities other than the intended recipient(s) is prohibited. If you have received this e-mail in error please notify the sender immediately and destroy the material whether stored on a computer or otherwise.
>
> ----------------------------------------------------------------------
> DISCLAIMER: Any views or opinions presented within this e-mail are solely those of the author and do not necessarily represent those of Corsaire Limited, unless otherwise specifically stated.
>
> ----------------------------------------------------------------------
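Stephen's second bullet, a password reminder whose reply confirms whether an address is registered, as an added example (not code from either poster): the leaky handler beside one that answers identically either way and caps attempts per client. The user store, the outbox standing in for mail delivery, and the attempt limit are constructed assumptions.

```python
"""Password-reminder handler: enumeration-prone form beside a hardened form.

Constructed example; the user store, the mail outbox and the limit
value are assumptions, not part of the original thread.
"""
from collections import defaultdict

# Constructed sample user store: registered email -> display name.
USERS = {"alice@example.com": "Alice", "bob@example.com": "Bob"}

# Outbox stands in for the mail transport so the example runs offline.
OUTBOX: list[tuple[str, str]] = []


def leaky_reminder(email: str) -> str:
    """The pattern the post describes: the reply itself states whether
    the address is registered, so a scripted run over an address list
    recovers the site's user base."""
    if email not in USERS:
        return "Error: no account with that email address"
    OUTBOX.append((email, "reset link"))
    return "A reset link has been sent"


# Hardened form: one fixed reply regardless of outcome, plus a per-client
# attempt budget so bulk probing hits a ceiling instead of a result set.
RESET_LIMIT = 5  # assumed value: reminder requests allowed per client
_attempts: dict[str, int] = defaultdict(int)
_FIXED_REPLY = "If that address is registered, a reset link has been sent"


def uniform_reminder(email: str, client_id: str) -> str:
    _attempts[client_id] += 1
    if _attempts[client_id] > RESET_LIMIT:
        # Throttled: same wording as the normal case so the limit is not
        # itself a signal; surface the event in server-side logs instead.
        return _FIXED_REPLY
    if email in USERS:
        OUTBOX.append((email, "reset link"))  # mail only a real account
    return _FIXED_REPLY


def distinguishable(handler, known: str, unknown: str, **kw) -> bool:
    """Defender's check: does the reply differ between a registered
    address and an unregistered one? True means enumeration is possible."""
    return handler(known, **kw) != handler(unknown, **kw)
```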
Current thread:
- Likelihood of brute force attacks against web apps Stephen de Vries (Oct 12)
- Re: Likelihood of brute force attacks against web apps Jeremiah Grossman (Oct 12)
- Re: Likelihood of brute force attacks against web apps Haroon Meer (Oct 14)
- Re: Likelihood of brute force attacks against web apps Saqib . N . Ali (Oct 15)
- Re: Likelihood of brute force attacks against web apps Dave Ferguson (Oct 22)
- RE: Likelihood of brute force attacks against web apps Glyn Geoghegan (Oct 24)
- Re: Likelihood of brute force attacks against web apps Dave Ferguson (Oct 22)
- RE: Likelihood of brute force attacks against web apps Bryan Murphy (Oct 28)