WebApp Sec mailing list archives

RE: Script Based Attacks & Form Hacks

From: "Serghei S." <serghei () digitalhaiku com>
Date: Fri, 22 Jul 2005 17:53:53 +0300

2) This type are a little harder to foil. However not impossible. For
external facing applications, I always send an email for
validation/verification. Till the user authenticates his/her address,
I keep the form data in a temporary table. The enteries in the temp
table have a life time of 1 hour, after that they get deleted. Also
make the email address / IP address the primary key in your temp
table. This will prevent one single machine from filling up the temp
table. It would have to be DDOS attack to fill up the TEMP table. But
then again, I set a max limit on the number of entries in the temp
table.


You cannot limit by IP ... there are a lot of cases when hundreds of users
are under one single IP ... like AOL members ...

- Serghei

Current thread:

Script Based Attacks & Form Hacks Chad Maniccia (Jul 21)
- Re: Script Based Attacks & Form Hacks Saqib Ali (Jul 21)
  - Re: Script Based Attacks & Form Hacks Stephen de Vries (Jul 22)
    - Re: Script Based Attacks & Form Hacks Saqib Ali (Jul 22)
  - RE: Script Based Attacks & Form Hacks Serghei S. (Jul 22)
    - RE: Script Based Attacks & Form Hacks Paul Laudanski (Jul 24)
- Re: Script Based Attacks & Form Hacks leighm (Jul 21)
- Re: Script Based Attacks & Form Hacks Christopher J Varenhorst (Jul 21)
  - Re: Script Based Attacks & Form Hacks Stephen de Vries (Jul 22)
- Re: Script Based Attacks & Form Hacks Paul Kurczaba (Jul 21)
  - Re: Script Based Attacks & Form Hacks Sean Utt (Jul 22)
  - Re: Script Based Attacks & Form Hacks Vicente Aguilera (Jul 22)
    - Re: Script Based Attacks & Form Hacks Andrew van der Stock (Jul 22)
    - Re: Script Based Attacks & Form Hacks Stephen de Vries (Jul 22)
    - Re: Script Based Attacks & Form Hacks Vicente Aguilera (Jul 22)

(Thread continues...)