Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

preventing sign up forms from being used for user enumeration

from [Robin Wood] Network Security [Permanent Link]
Subject: preventing sign up forms from being used for user enumeration
Date: Fri, 29 Jun 2007 23:12:27 +0100 
Hi
I'm developing a application which requires users to sign up with both
a username and an email address. I only want an email address to sign
up once and don't want duplication of usernames.

If I just put up a warning stating that an email address is already
registered if it is, the form is open to being used for user
enumeration. Apart from using things like captchas to try to defeat
automated attacks, is there any way to stop this?

I know on things like forgotten password forms you can ask for extra
info so someone guessing would have to get both bits right but I can't
think of a way to do this here.

Robin

-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online despite security executives' efforts to prevent malicious attacks. This whitepaper identifies the most common methods of attacks that we have seen, and outlines a guideline for developing secure web applications. Download today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008rSe
--------------------------------------------------------------------------

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Next by Date:  Re: preventing sign up forms from being used for user enumeration, Nathan Bijnens
Next by Thread:  Re: preventing sign up forms from being used for user enumeration, Nathan Bijnens
Indexes:  [Date] [Thread] [Top] [All Lists]