WebApp Sec mailing list archives
Re: Script Based Attacks & Form Hacks
From: Stephen de Vries <stephen () corsaire com>
Date: Fri, 22 Jul 2005 09:54:51 +0000
Hi Saqib, On 22 Jul 2005, at 00:44, Saqib Ali wrote:
<snip>
2) This type are a little harder to foil. However not impossible. For external facing applications, I always send an email for validation/verification. Till the user authenticates his/her address, I keep the form data in a temporary table. The enteries in the temp table have a life time of 1 hour, after that they get deleted. Also make the email address / IP address the primary key in your temp table. This will prevent one single machine from filling up the temp table. It would have to be DDOS attack to fill up the TEMP table. But then again, I set a max limit on the number of entries in the temp table.
This type of defense is likely to deter the casual attacker from attempting an automated attack, but it does not present an insurmountable hurdle since there is nothing in the system that can't be automated. It would be relatively simple for an attacker to control an email server(s) and therefore to be able to automate the process of parsing and responding to predictable emails. Basing a defense on the IP address of the submitter is also not really reliable because of the relative ease with which an attacker can use proxies to submit requests (http://proxy.org/lists.shtml). I don't see how the limit on the temp table provides any degree of protection, since once this table is filled with bogus data, legitimate users will not be allowed to submit forms - which is an effective denial of service condition in itself.
regards, Stephen
Current thread:
- Script Based Attacks & Form Hacks Chad Maniccia (Jul 21)
- Re: Script Based Attacks & Form Hacks Saqib Ali (Jul 21)
- Re: Script Based Attacks & Form Hacks Stephen de Vries (Jul 22)
- Re: Script Based Attacks & Form Hacks Saqib Ali (Jul 22)
- RE: Script Based Attacks & Form Hacks Serghei S. (Jul 22)
- RE: Script Based Attacks & Form Hacks Paul Laudanski (Jul 24)
- Re: Script Based Attacks & Form Hacks Stephen de Vries (Jul 22)
- Re: Script Based Attacks & Form Hacks leighm (Jul 21)
- Re: Script Based Attacks & Form Hacks Christopher J Varenhorst (Jul 21)
- Re: Script Based Attacks & Form Hacks Stephen de Vries (Jul 22)
- Re: Script Based Attacks & Form Hacks Paul Kurczaba (Jul 21)
- Re: Script Based Attacks & Form Hacks Sean Utt (Jul 22)
- Re: Script Based Attacks & Form Hacks Vicente Aguilera (Jul 22)
- Re: Script Based Attacks & Form Hacks Andrew van der Stock (Jul 22)
(Thread continues...)
- Re: Script Based Attacks & Form Hacks Saqib Ali (Jul 21)