WebApp Sec mailing list archives

Re: Script Based Attacks & Form Hacks


From: Saqib Ali <docbook.xml () gmail com>
Date: Fri, 22 Jul 2005 07:36:50 -0700

> it does not present an insurmountable hurdle since there is nothing
> in the system that can't be automated.
> It would be relatively simple for an attacker to control an email
> server(s) and therefore to be able to automate the process of parsing
> and responding to predictable emails.

Indeed. I agree with you. I have written a procmail script that can
respond to a verification/validation email automatically. The
techniques I mentioned are just to deter casual script kiddies. I
agree with Paul's suggestion to use CAPTCHA to prevent against
more serious attacks. But then again, even a CAPTCHA image can be
deciphered.

> Basing a defense on the IP address of the submitter is also not
> really reliable because of the relative ease with which an attacker
> can use proxies to submit requests (http://proxy.org/lists.shtml).

However the list of proxy servers is also limited :)

-- 
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
