WebApp Sec mailing list archives
RE: Script Based Attacks & Form Hacks
From: "Serghei S." <serghei () digitalhaiku com>
Date: Fri, 22 Jul 2005 17:53:53 +0300
2) This type are a little harder to foil. However not impossible. For external facing applications, I always send an email for validation/verification. Till the user authenticates his/her address, I keep the form data in a temporary table. The enteries in the temp table have a life time of 1 hour, after that they get deleted. Also make the email address / IP address the primary key in your temp table. This will prevent one single machine from filling up the temp table. It would have to be DDOS attack to fill up the TEMP table. But then again, I set a max limit on the number of entries in the temp table.
You cannot limit by IP ... there are a lot of cases when hundreds of users are under one single IP ... like AOL members ... - Serghei
Current thread:
- Script Based Attacks & Form Hacks Chad Maniccia (Jul 21)
- Re: Script Based Attacks & Form Hacks Saqib Ali (Jul 21)
- Re: Script Based Attacks & Form Hacks Stephen de Vries (Jul 22)
- Re: Script Based Attacks & Form Hacks Saqib Ali (Jul 22)
- RE: Script Based Attacks & Form Hacks Serghei S. (Jul 22)
- RE: Script Based Attacks & Form Hacks Paul Laudanski (Jul 24)
- Re: Script Based Attacks & Form Hacks Stephen de Vries (Jul 22)
- Re: Script Based Attacks & Form Hacks leighm (Jul 21)
- Re: Script Based Attacks & Form Hacks Christopher J Varenhorst (Jul 21)
- Re: Script Based Attacks & Form Hacks Stephen de Vries (Jul 22)
- Re: Script Based Attacks & Form Hacks Paul Kurczaba (Jul 21)
- Re: Script Based Attacks & Form Hacks Sean Utt (Jul 22)
- Re: Script Based Attacks & Form Hacks Vicente Aguilera (Jul 22)
- Re: Script Based Attacks & Form Hacks Andrew van der Stock (Jul 22)
- Re: Script Based Attacks & Form Hacks Stephen de Vries (Jul 22)
- Re: Script Based Attacks & Form Hacks Vicente Aguilera (Jul 22)
- Re: Script Based Attacks & Form Hacks Saqib Ali (Jul 21)