Re: Script Based Attacks & Form Hacks

Hi Stephen,


Stephen de Vries escribió:

> Hi Vicente,
>
> On 22 Jul 2005, at 07:46, Vicente Aguilera wrote:
>
> > To prevent automatic form submissions in login forms you can also use:
> >
> > 1. One-time-logins/One-time-passwords
> > For example, if the user password is: "a34.;(vad78!$" the  
> > application can ask for the password: "Put the character  
> > 1,5,2,6,8,9,10,4 of your password", and these positions could  change 
> > randomly.
>
>
> Perhaps I don't understand this solution, but it looks as though this  
> could be automated by a script.  It would be fairly trivial to write  
> a script that parses the sentence "Put the character 1,5,2,6,8,9,10,4  
> of your password" and submits the correct characters from the  
> password to the login form...(?)
Yes, but this is not the aim.
Automatic form submissions in login forms basically try to break 
passwords or enumerate valid users (logins).
If someone tries to guess a password with password cracking attacks has 
not any more information in every attempt, because every time the 
password is different. Password cracking attacks are not effective with 
this method.


> > 2. Account lock
> > For example after 5 unsuccessful attempts.
>
>
> There is always the danger that an attacker could use this to lockout  
> all accounts on the system - which is also an effective DoS.
Yes! An automatic reactivation of the account is necessary after a 
prudential time.


Regards,
Vicente Aguilera Díaz
OPST, OPSA, ITIL
vaguilera@isecauditors.com