WebApp Sec mailing list archives
Re: enumerating users and an AJAX example
From: Pilon Mntry <pilonmntry () yahoo com>
Date: Thu, 6 Apr 2006 23:43:53 -0700 (PDT)
My actual point wasn't trying to enumerate the users (it was grabbing their credentials); however, these are all good points. A very interesting thing is that after I'd read Ryan's e-mail about the ways to enumerate users, I came across a link on java.sun.com with the title "Realtime Form Validation Using AJAX". I am not sure whether I am exaggerating or not; however, it seems the example given is a vulnerable application which provides another way to enumerate valid user ids in real time. :))

The link is: http://java.sun.com/developer/technicalArticles/J2EE/AJAX/RealtimeValidation/

-pilon

--- Hemil <hemil () net-square com> wrote:
> I think implementing CAPTCHA can be very handy in stopping all of these bots and automated tools from doing BF. No matter what error message the web application gives, whatever response code it returns, CAPTCHA will stop automated scripts and tools.
>
> ---Hemil [Net-square]
>
> Rogan Dawes wrote:
> > Ryan Barnett wrote:
> > > Correct. The returned HTTP status code is but one of many methods of enumerating valid account credentials. The most common mistake is differences in the error message details provided to the user upon successful/failed login attempts. Web apps should not inform the user whether or not the problem was with the username or password, but rather that they failed to authenticate. The 2nd most obvious sign is passing parameters in URL or cookie variables (such as STATUS=Authenticated).
> > >
> > > This being said, there are still problems with using 302 redirects, in that it is still possible to enumerate successful/unsuccessful authentication attempts based on the Location header data returned with the 302 status code. If the authentication fails, it will send a 302 and the location most likely will be back to the login page. A successful attempt, however, will send a 302 but the new Location will be something other than the login page. This is enough data for a scanner/script to automate and trigger on.
> >
> > You mean, other than the fact that there is no longer a login form on the resulting page? Mmmm.
> >
> > Rogan
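The oracles discussed in this thread, as an added example that is not code from any of the posts or from the Sun article: a simulated login endpoint that leaks through a different Location target and a different error message depending on whether the username exists, a realtime-validation style endpoint of the kind Pilon describes that answers "is this id taken?" to anyone, a probe that groups candidate ids by response fingerprint (status, Location, body), and a hardened login handler whose failures are indistinguishable. The user table, the URLs, the function names and the candidate list are all constructed assumptions.

```python
"""Added example (not from the list posts): login/validation responses as a
user-enumeration oracle, a scanner that groups ids by response fingerprint,
and a hardened handler. All names, URLs and data below are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
import hmac

# Constructed credential store; plaintext only so the example runs stand-alone.
USERS = {"alice": "s3cret", "bob": "hunter2"}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

    def fingerprint(self):
        """What a scanner keys on: status code, Location target, body text."""
        return (self.status, self.headers.get("Location", ""), self.body)


def login_leaky(username, password):
    """The behaviour criticised in the thread: a different Location and a
    different message depending on whether the username exists."""
    if username not in USERS:
        return Response(302, {"Location": "/login?err=nouser"}, "Unknown user")
    if not hmac.compare_digest(USERS[username], password):
        return Response(302, {"Location": "/login?err=badpass"}, "Wrong password")
    return Response(302, {"Location": "/home"})


def ajax_validate_leaky(username):
    """Realtime form validation as an oracle: tells any unauthenticated caller
    whether an id is taken, which is user enumeration by design."""
    return Response(200, {}, "taken" if username in USERS else "available")


def login_hardened(username, password):
    """Every failure yields the identical response, so the response alone cannot
    tell a scanner whether the username was valid. A success still differs
    (the user gets a different page), which is unavoidable and is why rate
    limiting or a CAPTCHA is still needed against brute force."""
    stored = USERS.get(username)
    # Compare against a dummy secret when the user is unknown so both failure
    # cases run the same code path (and roughly the same amount of work).
    ok = hmac.compare_digest(stored if stored is not None else "\x00" * 8, password)
    ok = ok and stored is not None
    if ok:
        return Response(302, {"Location": "/home"})
    return Response(302, {"Location": "/login?err=1"}, "Login failed")


def probe(endpoint, candidates):
    """Group candidate ids by the fingerprint of the response they produce.
    More than one distinct fingerprint means the endpoint leaks which ids exist."""
    groups = defaultdict(list)
    for name in candidates:
        groups[endpoint(name).fingerprint()].append(name)
    return dict(groups)


def leaks(endpoint, candidates):
    return len(probe(endpoint, candidates)) > 1


if __name__ == "__main__":
    names = ["alice", "bob", "carol", "dave"]  # constructed candidate list
    throwaway = "wrong-password"
    print("leaky login   :", probe(lambda u: login_leaky(u, throwaway), names))
    print("ajax validate :", probe(ajax_validate_leaky, names))
    print("hardened login:", probe(lambda u: login_hardened(u, throwaway), names))
```

Run against `login_leaky` or `ajax_validate_leaky` the probe splits the candidate list into two groups, and the smaller group is the set of valid ids; against `login_hardened` every name lands in one group. The probe keys only on status, Location and body, so it does not model the residual oracle Rogan points at (whether the page after the redirect still contains a login form) or timing differences, both of which a real scanner would also check.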
-------------------------------------------------------------------------
Sponsored by: Watchfire
Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. Change the way you think about application security testing - See for yourself. Download a Free Trial of AppScan 6.0 today!
https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF
--------------------------------------------------------------------------
Current thread:
- 302 Redirection (Not just for successful login attempts) Pilon Mntry (Apr 05)
- Re: 302 Redirection (Not just for successful login attempts) Ryan Barnett (Apr 05)
- Re: 302 Redirection (Not just for successful login attempts) Rogan Dawes (Apr 05)
- Re: 302 Redirection (Not just for successful login attempts) Hemil (Apr 06)
- Re: enumerating users and an AJAX example Pilon Mntry (Apr 07)
- Re: 302 Redirection (Not just for successful login attempts) Dave Ferguson (Apr 07)
- Re: 302 Redirection (Not just for successful login attempts) Rogan Dawes (Apr 05)
- Re: 302 Redirection (Not just for successful login attempts) Ryan Barnett (Apr 05)