Re: Script Based Attacks & Form Hacks

[Stephen de Vries <stephen () corsaire com>]

Hi Saqib,

On 22 Jul 2005, at 00:44, Saqib Ali wrote:

> <snip>

> 2) This type are a little harder to foil. However not impossible. For
> external facing applications, I always send an email for
> validation/verification. Till the user authenticates his/her address,
> I keep the form data in a temporary table. The enteries in the temp
> table have a life time of 1 hour, after that they get deleted. Also
> make the email address / IP address the primary key in your temp
> table. This will prevent one single machine from filling up the temp
> table. It would have to be DDOS attack to fill up the TEMP table. But
> then again, I set a max limit on the number of entries in the temp
> table.

This type of defense is likely to deter the casual attacker from  
attempting an automated attack, but
it does not present an insurmountable hurdle since there is nothing  
in the system that can't be automated.
It would be relatively simple for an attacker to control an email  
server(s) and therefore to be able to automate the process of parsing  
and responding to predictable emails.
Basing a defense on the IP address of the submitter is also not  
really reliable because of the relative ease with which an attacker  
can use proxies to submit requests (http://proxy.org/lists.shtml).
I don't see how the limit on the temp table provides any degree of  
protection, since once this table is filled with bogus data,  
legitimate users will not be allowed to submit forms - which is an  
effective denial of service condition in itself.

regards,
Stephen