From: Whitehat (whitehaat gmail.com)
Date: Fri Oct 24 2008 - 14:27:26 CDT
Dear List,
I'm doing a Web application PT against a website running on HTTPS - in
which I found that the password recovery mechanism is weak because if
you enter a correct Registration ID then it'll send a new password to
the corresponding email.
Now my idea is to perform a brute force attack against the input field
which could lead to a potential "Denial of Service" since I know the
length of Registration ID.
I'm trying "Crowbar" as usual, but... it is not able to get the
base response.
I was able to do this successfully for many other sites.
Is it because of:
1. HTTPS - Can't we brute force sites that implement HTTPS?
2. Implementing ViewState in aspx.
3. Or something else that is causing the error?
Please suggest different techniques or any other tool to do that.
Cheers,
Whitehat.