WebApp Sec mailing list archives

Re: preventing sign up forms from being used for user enumeration

From: bugtraq () cgisecurity net
Date: Mon, 2 Jul 2007 17:47:32 -0400 (EDT)

Hello,

Typically the way people deal with this is respond with 1 generic error message
for bad user/pass's and then stick up a captcha after X failures. Gmail does
a good job at demonstrating this.

Regards,
- Robert 
http://www.webappsec.org/ The Web Application Security Consortium
http://www.cgisecurity.com/ Web application security news and more

Hi
I'm developing a application which requires users to sign up with both
a username and an email address. I only want an email address to sign
up once and don't want duplication of usernames.

If I just put up a warning stating that an email address is already
registered if it is, the form is open to being used for user
enumeration. Apart from using things like captchas to try to defeat
automated attacks, is there any way to stop this?

I know on things like forgotten password forms you can ask for extra
info so someone guessing would have to get both bits right but I can't
think of a way to do this here.

Robin

-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online 
despite security executives' efforts to prevent malicious attacks. This 
whitepaper identifies the most common methods of attacks that we have seen, 
and outlines a guideline for developing secure web applications. 
Download today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008rSe
--------------------------------------------------------------------------



-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online 
despite security executives' efforts to prevent malicious attacks. This 
whitepaper identifies the most common methods of attacks that we have seen, 
and outlines a guideline for developing secure web applications. 
Download today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008rSe
--------------------------------------------------------------------------

Current thread:

preventing sign up forms from being used for user enumeration Robin Wood (Jul 02)
- Re: preventing sign up forms from being used for user enumeration bugtraq (Jul 02)
- Re: preventing sign up forms from being used for user enumeration Nathan Bijnens (Jul 02)
- Re: preventing sign up forms from being used for user enumeration Javier Fernández-Sanguino (Aug 15)