Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Script Based Attacks & Form Hacks

from [Christian Martorella] Network Security [Permanent Link]
Subject: Re: Script Based Attacks & Form Hacks
Date: Sat, 23 Jul 2005 13:52:09 +0200 
Stephen de Vries wrote:



On 22 Jul 2005, at 14:16, Vicente Aguilera wrote:


To prevent automatic form submissions in login forms you can also use:

1. One-time-logins/One-time-passwords
For example, if the user password is: "a34.;(vad78!$" the application can ask for the password: "Put the character 1,5,2,6,8,9,10,4 of your password", and these positions could change randomly.



Automatic form submissions in login forms basically try to break passwords or enumerate valid users (logins).
If someone tries to guess a password with password cracking attacks has not any more information in every attempt, because every time the password is different. Password cracking attacks are not effective with this method.


That's only true if the attacker can't duplicate the system for generating the one time password. What I'm saying is that with the example given above, it will be trivial for an attacker to do this.

For example, on the server side, the app would:
1. Pick 5 random numbers between 1 and 8 (assuming that all passwords have at least 8 chars), e.g. 1,5,2,6,8
2. Present the login form and request that the user enter their username and the characters at positions 1,5,2,6,8 from their passwords.
3. Process the details supplied, if incorrect goto 1.

To launch a brute force attack on this system, an attacker would:
1. Get a dictionary of passwords.
2. Write an automated script that grabs the login page from the target site and parses the HTML to extract the character positions requested.
3. Run the script against the app and extract the character positions requested. In this case 1,5,2,6,8.
4. Read the current word from the dictionary.
5. Extract characters 1,5,2,6,8
6. Submit the login request with the username and the extracted characters.
7. If the login fails, move to the next word in the dictionary and goto step 3


regards,
Stephen


Hi Stephen, to solve that problem i think that the character position requested could be in an image, so the bruteforce script won't read it.
The attacker will have to use some kind of OCR in the bruteforce attack to interpret the requested characters in the image.


Cheers!

Christian Martorella



___________________________________________________________ 1GB gratis, Antivirus y Antispam Correo Yahoo!, el mejor correo web del mundo http://correo.yahoo.com.ar

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Re: Securing PDF file on a Website, andres . desa
Next by Date:  RE: [1/2OT] Training for web-apps and db security, Richard Lindberg
Previous by Thread:  Re: Script Based Attacks & Form Hacks, Stephen de Vries
Next by Thread:  Re: Script Based Attacks & Form Hacks, amit kukreti
Indexes:  [Date] [Thread] [Top] [All Lists]