WebApp Sec mailing list archives
Re: Script Based Attacks & Form Hacks
From: Christopher J Varenhorst <varenc () MIT EDU>
Date: Thu, 21 Jul 2005 22:15:03 -0500
To protect myself, First, don't use javascript or anything client side for anything other than an aid to the user. If fields have a maximum length, have the application "recheck". If certain fields are required, don't rely on the client side scripting to ensure that they've been filled out, recheck again. Don't ever pass sensitive information through hidden form elements, use session keys and store the information server side, just imagine the hidden form elements as a visible textbox. In short, don't expect the user will ever be limited by anything client side. That is one of the most common mistakes web app coders can make. Luckily, these types of flaws rarely result in much damage (although there are dangerous exceptions) As far as automated attacks go, HTTP is too slow for bruteforce password attacks to be effective. Automated form posting will fill server databases with garbage, but I think its unlikely to bring the server to a standstill. (maybe I'm wrong?) A straight out DOS attack would be more effective at that. Some http servers will even automatically block automated attacks like this. Hope this helps, Chris Quoting Chad Maniccia <wopazar () gmail com>:
Hi List, One thing I have not heard any one discuss is the use of automated scripts and form hacking. I could easily write a Java program to attack any ASP,JSP,PHP etc.. simply by viewing the page source to find the parameters the form processor will be looking for. You could use this to fill up some ones database with garbage bring the server to a standstill or worse yet bypass all the fancy javascript you had on the calling page. Some web applications actually use javascript to calcualte currency transactions. What ideas do you guys have to protect yourself from these? Thanks, Chad
Current thread:
- Script Based Attacks & Form Hacks Chad Maniccia (Jul 21)
- Re: Script Based Attacks & Form Hacks Saqib Ali (Jul 21)
- Re: Script Based Attacks & Form Hacks Stephen de Vries (Jul 22)
- Re: Script Based Attacks & Form Hacks Saqib Ali (Jul 22)
- RE: Script Based Attacks & Form Hacks Serghei S. (Jul 22)
- RE: Script Based Attacks & Form Hacks Paul Laudanski (Jul 24)
- Re: Script Based Attacks & Form Hacks Stephen de Vries (Jul 22)
- Re: Script Based Attacks & Form Hacks leighm (Jul 21)
- Re: Script Based Attacks & Form Hacks Christopher J Varenhorst (Jul 21)
- Re: Script Based Attacks & Form Hacks Stephen de Vries (Jul 22)
- Re: Script Based Attacks & Form Hacks Paul Kurczaba (Jul 21)
- Re: Script Based Attacks & Form Hacks Sean Utt (Jul 22)
- Re: Script Based Attacks & Form Hacks Vicente Aguilera (Jul 22)
- Re: Script Based Attacks & Form Hacks Andrew van der Stock (Jul 22)
- Re: Script Based Attacks & Form Hacks Stephen de Vries (Jul 22)
- Re: Script Based Attacks & Form Hacks Vicente Aguilera (Jul 22)
- Re: Script Based Attacks & Form Hacks Stephen de Vries (Jul 23)
- Re: Script Based Attacks & Form Hacks Christian Martorella (Jul 23)
- Re: Script Based Attacks & Form Hacks Saqib Ali (Jul 21)