WebApp Sec mailing list archives
Re: preventing sign up forms from being used for user enumeration
From: Nathan Bijnens <nbijnens () servs eu>
Date: Mon, 02 Jul 2007 23:53:42 +0200
Let people enter an email address. If it isn't used mail them with a unique link to continue the registration process. If it is allready used don't send a mail? Robin Wood wrote:
Hi I'm developing a application which requires users to sign up with both a username and an email address. I only want an email address to sign up once and don't want duplication of usernames. If I just put up a warning stating that an email address is already registered if it is, the form is open to being used for user enumeration. Apart from using things like captchas to try to defeat automated attacks, is there any way to stop this? I know on things like forgotten password forms you can ask for extra info so someone guessing would have to get both bits right but I can't think of a way to do this here. Robin ------------------------------------------------------------------------- Sponsored by: Watchfire The Twelve Most Common Application-level Hack AttacksHackers continue to add billions to the cost of doing business online despite security executives' efforts to prevent malicious attacks. This whitepaper identifies the most common methods of attacks that we have seen, and outlines a guideline for developing secure web applications. Download today!https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008rSe --------------------------------------------------------------------------
-- Nathan Bijnens | Zaakvoerder | nbijnens () servs eu | +32 486 15 88 29 Servs BVBA | http://servs.eu | BTW BE 0888 048 856 | 001-5180517-17
Attachment:
nbijnens.vcf
Description:
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
Current thread:
- preventing sign up forms from being used for user enumeration Robin Wood (Jul 02)
- Re: preventing sign up forms from being used for user enumeration bugtraq (Jul 02)
- Re: preventing sign up forms from being used for user enumeration Nathan Bijnens (Jul 02)
- Re: preventing sign up forms from being used for user enumeration Javier Fernández-Sanguino (Aug 15)