WebApp Sec mailing list archives

Re: enumerating users and an AJAX example


From: Pilon Mntry <pilonmntry () yahoo com>
Date: Thu, 6 Apr 2006 23:43:53 -0700 (PDT)


 My actual point wasn't trying to enumerate the users
(it was grabbing their credentials), however, these
are all good points. 
 A very interesting thing is that after I've read
Ryan's e-mail about the ways to enumerate users, I
came across a link on java.sun.com with the title
"Realtime Form Validation Using AJAX". I am not sure
whether I am exaggerating or not, however, it seems
the example given is a vulnerable application which
provides another way to enumerate valid user ids in
real time. :))

The link is:
http://java.sun.com/developer/technicalArticles/J2EE/AJAX/RealtimeValidation/

-pilon

--- Hemil <hemil () net-square com> wrote:

I think implementing CAPTCHA can be very handy in stopping all of these
bots and automated tools from doing BF. No matter what error message the web
application gives, whatever response code it returns, CAPTCHA will stop
automated scripts and tools.

---Hemil
[Net-square]
Rogan Dawes wrote:
Ryan Barnett wrote:
Correct.  The returned HTTP status code is but one of many methods of
enumerating valid account credentials.  The most common mistake is
differences in the error message details provided to the user upon
successful/failed login attempts.  Web apps should not inform the user
whether the problem was with the username or the password, but rather
that they failed to authenticate.  The 2nd most obvious sign is passing
parameters in URL or cookie variables (such as STATUS=Authenticated).

That being said, there are still problems with using 302 redirects, in
that it is still possible to enumerate successful/unsuccessful
authentication attempts based on the Location header data returned with
the 302 status code.  If the authentication fails, it will send a 302 and
the Location most likely will be back to the login page.  A successful
attempt, however, will send a 302 but the new Location will be something
other than the login page.  This is enough data for a scanner/script to
automate and trigger on.


You mean, other than the fact that there is no longer a login form on
the resulting page?

Mmmm.

Rogan




-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. Change the way you
think about application security testing - See for yourself.
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF
--------------------------------------------------------------------------

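The enumeration signals discussed in this thread (different error text for an unknown username versus a wrong password, the 302 Location target, a STATUS=Authenticated cookie, whether a login form is still present on the resulting page, and a realtime AJAX "is this username taken?" check), as an added Python example that is not from any of the posters or from the java.sun.com article. The user store, the two toy login handlers, the availability check and the candidate wordlist are all constructed for illustration. The probe works the way a scanner does: it fetches a baseline response for a username that certainly does not exist and reports every candidate whose response fingerprint differs from it.

```python
"""
Differential-response oracle for username/credential enumeration (added example).

Constructed for illustration: a fake user store, a leaky login handler, a uniform
login handler, a realtime availability check, and a probe that flags candidates
whose response differs from a known-invalid baseline.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed credential store standing in for the application's user database.
USERS: Dict[str, str] = {"alice": "correct horse battery staple"}


@dataclass(frozen=True)
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


LOGIN_FORM = "<form method='post' action='/login'>%s</form>"


def vulnerable_login(username: str, password: str) -> Response:
    """Leaks which half of the credential was wrong and flags success in a cookie."""
    if username not in USERS:
        return Response(200, {}, LOGIN_FORM % "Unknown username")
    if USERS[username] != password:
        return Response(200, {}, LOGIN_FORM % "Incorrect password")
    return Response(302, {"Location": "/account", "Set-Cookie": "STATUS=Authenticated"})


def hardened_login(username: str, password: str) -> Response:
    """Every failure gets the same status, Location and body; only success differs.

    This example compares response content only; timing is not considered here.
    """
    if USERS.get(username) == password:
        return Response(302, {"Location": "/account"})
    return Response(302, {"Location": "/login?error=1"})


def realtime_username_check(username: str) -> Response:
    """Mimics a realtime AJAX availability check: a direct validity oracle."""
    return Response(200, {}, "taken" if username in USERS else "available")


Fingerprint = Tuple[int, str, bool, str]


def fingerprint(resp: Response) -> Fingerprint:
    """Reduce a response to the signals a scanner keys on:
    status code, Location header, presence of a form, and visible text."""
    text = re.sub(r"<[^>]+>", " ", resp.body)
    text = re.sub(r"\s+", " ", text).strip()
    has_login_form = "<form" in resp.body.lower()
    return (resp.status, resp.headers.get("Location", ""), has_login_form, text)


def find_valid_usernames(probe: Callable[[str], Response],
                         candidates: List[str],
                         baseline_name: str = "no-such-user-0xdeadbeef") -> List[str]:
    """Return the candidates whose response differs from a certainly-invalid username's."""
    baseline = fingerprint(probe(baseline_name))
    return [name for name in candidates if fingerprint(probe(name)) != baseline]


if __name__ == "__main__":
    wordlist = ["admin", "alice", "bob"]          # constructed candidate list
    wrong_pw = "not-the-password"
    print("leaky login:  ", find_valid_usernames(lambda u: vulnerable_login(u, wrong_pw), wordlist))
    print("uniform login:", find_valid_usernames(lambda u: hardened_login(u, wrong_pw), wordlist))
    print("ajax check:   ", find_valid_usernames(realtime_username_check, wordlist))
    # A real login still has to look different from a failed one (the 302 Location point):
    print("success differs from failure even when hardened:",
          fingerprint(hardened_login("alice", USERS["alice"])) != fingerprint(hardened_login("alice", wrong_pw)))
```

Against the leaky handler and the AJAX check, a single wrong-password pass over the wordlist gives away alice; against the uniform handler it gives away nothing, because unknown-user and wrong-password failures share status, Location, body and form state. The last line shows what cannot be hidden: a successful authentication must still differ from a failure, so the uniform handler only closes the username oracle, not the success oracle that a brute-force script triggers on.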