Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Likelihood of brute force attacks against web apps

from [Stephen de Vries] Network Security [Permanent Link]
Subject: Likelihood of brute force attacks against web apps
Date: Tue, 12 Oct 2004 12:58:20 +0100 

Hi list,

We frequently warn clients of the risks of brute force or automated attacks against their sites and recommend the use of CAPTCHA (www.captcha.net) systems, or "secret questions" to mitigate this risk. For example:

- The registration process does not use captcha like systems and could allow attackers to use an automated script to generate thousands of fictitious users. These users can then be used to perform transactions that could lead to financial loss (e.g. costs due to rejected credit card), or waste resources through database access (and wasted storage).

- The password reminder mechanism requires only the user's email address which is used to send them an email for resetting their password. But since it requires no further auth from the user (such as an answer to a secret question), an attacker could enumerate all the valid email addresses registered to the site by writing a brute force script and using a database of email addresses (this may be particularly useful to a competitor). Of course, if the email address is used as the username, this problem becomes more serious.

Although these risks are real - and I don't doubt they will be used in the future - I'm not aware of any attacks of this sort being conducted in the past. Is anyone aware of these types of attacks in real-world scenarios? Do you think these pose a serious threat?

regards,
Stephen


 ----------------------------------------------------------------------
 CONFIDENTIALITY: This e-mail and any files transmitted with it are
 confidential and intended solely for the use of the recipient(s) only.
 Any review, retransmission, dissemination or other use of, or taking
 any action in reliance upon this information by persons or entities
 other than the intended recipient(s) is prohibited. If you have
 received this e-mail in error please notify the sender immediately
 and destroy the material whether stored on a computer or otherwise.
 ----------------------------------------------------------------------
 DISCLAIMER: Any views or opinions presented within this e-mail are
 solely those of the author and do not necessarily represent those
 of Corsaire Limited, unless otherwise specifically stated.
 ----------------------------------------------------------------------

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  aspx applictions SQL Injection, Mohamed Ali
Next by Date:  Re: ASP vs. ASP.NET, Harrison Gladden
Previous by Thread:  aspx applictions SQL Injection, Mohamed Ali
Next by Thread:  Re: Likelihood of brute force attacks against web apps, Jeremiah Grossman
Indexes:  [Date] [Thread] [Top] [All Lists]