Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: preventing sign up forms from being used for user enumeration

from [bugtraq] Network Security [Permanent Link]
Subject: Re: preventing sign up forms from being used for user enumeration
Date: Mon, 2 Jul 2007 17:47:32 -0400 (EDT) 
Hello,

Typically the way people deal with this is respond with 1 generic error message
for bad user/pass's and then stick up a captcha after X failures. Gmail does
a good job at demonstrating this.

Regards,
- Robert 
http://www.webappsec.org/ The Web Application Security Consortium
http://www.cgisecurity.com/ Web application security news and more


Hi
I'm developing a application which requires users to sign up with both
a username and an email address. I only want an email address to sign
up once and don't want duplication of usernames.

If I just put up a warning stating that an email address is already
registered if it is, the form is open to being used for user
enumeration. Apart from using things like captchas to try to defeat
automated attacks, is there any way to stop this?

I know on things like forgotten password forms you can ask for extra
info so someone guessing would have to get both bits right but I can't
think of a way to do this here.

Robin

-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online 
despite security executives' efforts to prevent malicious attacks. This 
whitepaper identifies the most common methods of attacks that we have seen, 
and outlines a guideline for developing secure web applications. 
Download today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008rSe
--------------------------------------------------------------------------




-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online 
despite security executives' efforts to prevent malicious attacks. This 
whitepaper identifies the most common methods of attacks that we have seen, 
and outlines a guideline for developing secure web applications. 
Download today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008rSe
--------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: preventing sign up forms from being used for user enumeration, Nathan Bijnens
Next by Date:  [Sec-1 Ltd] Buffer Truncation Abuse in Microsoft SQL Server Based Applications, Gary Oleary-Steele
Previous by Thread:  Re: preventing sign up forms from being used for user enumeration, Nathan Bijnens
Next by Thread:  [Sec-1 Ltd] Buffer Truncation Abuse in Microsoft SQL Server Based Applications, Gary Oleary-Steele
Indexes:  [Date] [Thread] [Top] [All Lists]