WebApp Sec mailing list archives
RE: Script Based Attacks & Form Hacks
From: Paul Laudanski <zx () castlecops com>
Date: Sun, 24 Jul 2005 17:40:59 -0400 (EDT)
On Fri, 22 Jul 2005, Serghei S. wrote:
2) This type are a little harder to foil. However not impossible. For external facing applications, I always send an email for validation/verification. Till the user authenticates his/her address, I keep the form data in a temporary table. The enteries in the temp table have a life time of 1 hour, after that they get deleted. Also make the email address / IP address the primary key in your temp table. This will prevent one single machine from filling up the temp table. It would have to be DDOS attack to fill up the TEMP table. But then again, I set a max limit on the number of entries in the temp table.You cannot limit by IP ... there are a lot of cases when hundreds of users are under one single IP ... like AOL members ...
Insofar as a unique ID is concerned, that statement is spot on. However, it doesn't have to be used in and of itself necessarily, the IP address can be used as part of a multi-factorial "combination" key. -- Paul Laudanski, Microsoft MVP Windows-Security CastleCops(SM), http://castlecops.com ________ Information from Computer Cops, L.L.C. ________ This message was checked by NOD32 Antivirus System for Linux Mail Server. part000.txt - is OK http://castlecops.com
Current thread:
- Script Based Attacks & Form Hacks Chad Maniccia (Jul 21)
- Re: Script Based Attacks & Form Hacks Saqib Ali (Jul 21)
- Re: Script Based Attacks & Form Hacks Stephen de Vries (Jul 22)
- Re: Script Based Attacks & Form Hacks Saqib Ali (Jul 22)
- RE: Script Based Attacks & Form Hacks Serghei S. (Jul 22)
- RE: Script Based Attacks & Form Hacks Paul Laudanski (Jul 24)
- Re: Script Based Attacks & Form Hacks Stephen de Vries (Jul 22)
- Re: Script Based Attacks & Form Hacks leighm (Jul 21)
- Re: Script Based Attacks & Form Hacks Christopher J Varenhorst (Jul 21)
- Re: Script Based Attacks & Form Hacks Stephen de Vries (Jul 22)
- Re: Script Based Attacks & Form Hacks Paul Kurczaba (Jul 21)
- Re: Script Based Attacks & Form Hacks Sean Utt (Jul 22)
- Re: Script Based Attacks & Form Hacks Vicente Aguilera (Jul 22)
- Re: Script Based Attacks & Form Hacks Andrew van der Stock (Jul 22)
- Re: Script Based Attacks & Form Hacks Stephen de Vries (Jul 22)
- Re: Script Based Attacks & Form Hacks Vicente Aguilera (Jul 22)
- Re: Script Based Attacks & Form Hacks Stephen de Vries (Jul 23)
- Re: Script Based Attacks & Form Hacks Saqib Ali (Jul 21)