Penetration Testing: RE: Concurrent Sessions and User Feedback

RE: Concurrent Sessions and User Feedback

From: Rob Shein <shoten_at_starpower.net>
Date: Sun, 6 Apr 2003 17:55:03 -0400

I would say that it would be best only to offer either message if the
login/password combination were correct. While it does to some extent
assist someone who is brute-forcing an account, it would only work if they
already got the correct account...and from what I'm gathering, the system
locks out accounts that suffer too many failed attempts.

-----Original Message-----
From: Susan Olson [mailto:olson.susan_at_excite.com]
Sent: Saturday, April 05, 2003 2:33 PM
To: pen-test_at_securityfocus.com
Subject: Concurrent Sessions and User Feedback

I'm looking for words of wisdom/advice/ideas on how to handle this from a
security/"best practices" perspective.

Basically, I am evaluating a web application that disallows concurrent
sessions; it only allows for one unique logon session to occur at the same
time using just one username/password combination.

My question: what is the best way to handle "feedback" for users attempting
to access an account that is already logged-on? Currently, users get a
message stating that the account that they are attempting to use is already
logged-on. I am not comfortable with this because it lends to the possible
harvesting of valid UserIDs & Passwords by an "evil doer." Also, I have a
similar issue with the "feedback" given to users when an account is locked
out: "Your account is currently locked out, please contact an administrator"
in that I only get this message when I have entered a valid User ID &
Password for an account that is locked out - seems to facilitate harvesting
as well.

If anyone could provide me with some ideas/strategies, etc. on how to
implement this securely I would greatly appreciate it!

- Sue

_______________________________________________
Join Excite! - http://www.excite.com
The most personalized portal on the Web!
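Added example, not code from this thread: one way to apply the advice above, where every failed login (unknown user, wrong password, locked account, or an already-active session) returns the same message to the client, and the specific reason is written only to a server-side audit log where defenders can watch for harvesting attempts. The `login`/`Account` names, the lockout threshold and the hashing parameters are assumptions.

```python
import hashlib
import hmac
import logging
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# One message for every failure mode, so the response cannot be used to
# confirm a username, a locked account, or an active session.
GENERIC_FAILURE = "Login failed. Check your credentials or contact support."
MAX_FAILURES = 5                 # hypothetical lockout threshold
log = logging.getLogger("auth")  # the real reason goes here, not to the user

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked: bool = False
    session_id: Optional[str] = None  # non-None while a session is active

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(salt=salt, pw_hash=_hash(password, salt))

def login(users: Dict[str, Account], username: str, password: str) -> Tuple[bool, str]:
    acct = users.get(username)
    # Hash even for unknown users so response time does not differ either.
    salt = acct.salt if acct else bytes(16)
    expected = acct.pw_hash if acct else bytes(32)
    pw_ok = hmac.compare_digest(_hash(password, salt), expected)
    if acct is None:
        log.info("login_fail user=%s reason=unknown_user", username)
        return False, GENERIC_FAILURE
    if acct.locked:
        log.warning("login_fail user=%s reason=locked", username)
        return False, GENERIC_FAILURE
    if not pw_ok:
        acct.failures += 1
        acct.locked = acct.failures >= MAX_FAILURES
        log.info("login_fail user=%s reason=bad_password n=%d", username, acct.failures)
        return False, GENERIC_FAILURE
    if acct.session_id is not None:
        # Correct password but a session is open: same generic message; notify the owner out of band.
        log.warning("login_fail user=%s reason=concurrent_session", username)
        return False, GENERIC_FAILURE
    acct.failures = 0
    acct.session_id = secrets.token_hex(16)
    return True, "Login successful."
```

The audit log, not the login response, is where a burst of `reason=locked` or `reason=concurrent_session` events for many distinct users becomes visible.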

Stop spam and e-mail risk at the gateway.
SurfControl E-mail Filter puts the brakes on spam & viruses
and gives you the reports to prove it. See exactly how much junk never even
makes it in the door. Free 30-day trial:
http://www.securityfocus.com/SurfControl-pen-test

Received on Apr 07 2003
