|
WebApp Sec
mailing list archives
Re: enumerating users and an AJAX example
From: Pilon Mntry <pilonmntry () yahoo com>
Date: Thu, 6 Apr 2006 23:43:53 -0700 (PDT)
My actual point wasn't trying to enumerate the users
(it was grabbing their credentials), however, these
are all good points.
A very interesting thing is that after I've read
Ryan's e-mail about the ways to enumerate users, I
came accross a link in java.sun.com with the title
"Realtime Form Validation Using AJAX". I am not sure
whether I am exaggerating or not, however, it seems
the example given is a vulnerable application which
provides another way to enumerate valid user ids in
real time. :))
The link is:
http://java.sun.com/developer/technicalArticles/J2EE/AJAX/RealtimeValidation/
-pilon
--- Hemil <hemil () net-square com> wrote:
I think implementing CAPTCHA can be very handy in
stopping all of these
bots and automated tools to do BF. No matter
whatever error message web
application gives, whatever response code it
returns, CAPTCHA will stop
automated scripts and tools.
---Hemil
[Net-square]
Rogan Dawes wrote:
Ryan Barnett wrote:
Correct. The returned HTTP status codes is but
one of many methods of
enumerating valid account credentials. The most
common mistake is
differences in the error message details provided
to the user upon
successful/failed login attempts. Web apps
should not inform the user
whether or not the problem was with the username
or password, but
rather that they failed to authenticate. The 2nd
most obvious sign is
passing parameters in URL or cookie variables
(such as
STATUS=Authenticated).
This being said, there are still problems with
using 302 redirects and
that it is still possible to enumerate
successful/unsuccessful
authentication attempts based on the Location
header data returned
with the 302 status code. If the authentication
fails, it will send a
302 and the location most likely will be back to
the login page. A
successful attempt, however will send a 302 but
the new Location will
be something other than the login page. This is
enough data for a
scanner/script to automate and trigger on.
You mean, other than the fact that there is no
longer a login form on
the resulting page?
Mmmm.
Rogan
-------------------------------------------------------------------------
Sponsored by: Watchfire
Watchfire's AppScan is the industry's first and
leading web
application security testing suite, and the only
solution to provide
comprehensive remediation tasks at every level of
the application.
Change the way you think about application
security testing - See for
yourself. Download a Free Trial of AppScan 6.0
today!
https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF
--------------------------------------------------------------------------
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
-------------------------------------------------------------------------
Sponsored by: Watchfire
Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. Change the way you
think about application security testing - See for yourself.
Download a Free Trial of AppScan 6.0 today!
https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF
--------------------------------------------------------------------------
 By Date 
By Thread
Current thread:
| 
Intro
