Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: RE: User ID generation

RE: User ID generation

From: Andrew van der Stock <vanderaj_at_greebo.net>
Date: Thu, 14 Apr 2005 09:10:30 +1000

Let the users select their usernames.

Don't force them to use your scheme. That will introduce a great deal of
randomness and make it next to impossible to brute force via an algorithm
other than starting from "AAAAA" and working through.

Don't let help desk staff trust the usernames, for surely the users will
select "admin" or "root" given half a chance.

This is documented in the latest version of the OWASP Guide 2.0a7, which you
can get from here:

http://www.greebo.net/owasp/

Look in the authentication section.

As authentication often goes to SQL, LDAP or might be transmitted via XML
web services, do not allow HTML, SQL, LDAP or XML special characters in the
usernames:

* & | < > @ % ( ) = .

With the possible exception of ' which should be escaped correctly. The best
bet is not to restrict by blacklisting, but validate by whitelisting. Ie,
accept only:

[A-z,0-9,_, ]

The regex should be tested, not replacing with "safe" blanks - if they get
it wrong, they try, try again until they get it right before their input
touches your interpreters.

Canocalize the input to ensure that there is no UTF or URL double (or
n-deep) encodes.

I also like to restrict usernames to 20 characters, enforced server side.
It's possible to do SQL or LDAP injection in 20 characters, but what is
possible is dramatically limited compared to longer strings.

thanks,
Andrew

> -----Original Message-----
> From: Jason binger [mailto:cisspstudy_at_yahoo.com]
> Sent: Tuesday, 12 April 2005 6:26 PM
> To: webappsec_at_securityfocus.com
> Subject: User ID generation
>
> I have a customer that generates UserIDs as numbers
> sequentially for a critical application. They
> implement account lockout and I am concerned that
> someone could launch a DOS and lockout all the user
> accounts.
>
> What would people recommend for a user ID generation
> method.
>
> I was thinking UserIDs should be randomly generated
> from a large alpha-numeric keyspace, but how big
> should the keyspace be?
> What would the size of the keyspace need to be if it
> was only numeric?
>
> Any other thoughts appreciated.
>
> Cheers,
>
>
>
> __________________________________
> Do you Yahoo!?
> Yahoo! Small Business - Try our new resources site!
> http://smallbusiness.yahoo.com/resources/
Received on Apr 13 2005

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]