WebApp Sec mailing list archives
Re: preventing sign up forms from being used for user enumeration
From: bugtraq () cgisecurity net
Date: Mon, 2 Jul 2007 17:47:32 -0400 (EDT)
Hello, Typically the way people deal with this is respond with 1 generic error message for bad user/pass's and then stick up a captcha after X failures. Gmail does a good job at demonstrating this. Regards, - Robert http://www.webappsec.org/ The Web Application Security Consortium http://www.cgisecurity.com/ Web application security news and more
Hi I'm developing a application which requires users to sign up with both a username and an email address. I only want an email address to sign up once and don't want duplication of usernames. If I just put up a warning stating that an email address is already registered if it is, the form is open to being used for user enumeration. Apart from using things like captchas to try to defeat automated attacks, is there any way to stop this? I know on things like forgotten password forms you can ask for extra info so someone guessing would have to get both bits right but I can't think of a way to do this here. Robin ------------------------------------------------------------------------- Sponsored by: Watchfire The Twelve Most Common Application-level Hack Attacks Hackers continue to add billions to the cost of doing business online despite security executives' efforts to prevent malicious attacks. This whitepaper identifies the most common methods of attacks that we have seen, and outlines a guideline for developing secure web applications. Download today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008rSe --------------------------------------------------------------------------
------------------------------------------------------------------------- Sponsored by: Watchfire The Twelve Most Common Application-level Hack Attacks Hackers continue to add billions to the cost of doing business online despite security executives' efforts to prevent malicious attacks. This whitepaper identifies the most common methods of attacks that we have seen, and outlines a guideline for developing secure web applications. Download today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008rSe --------------------------------------------------------------------------
Current thread:
- preventing sign up forms from being used for user enumeration Robin Wood (Jul 02)
- Re: preventing sign up forms from being used for user enumeration bugtraq (Jul 02)
- Re: preventing sign up forms from being used for user enumeration Nathan Bijnens (Jul 02)
- Re: preventing sign up forms from being used for user enumeration Javier Fernández-Sanguino (Aug 15)