Re: enumerating users and an AJAX example

From: Pilon Mntry (pilonmntryyahoo.com)
Date: Fri Apr 07 2006 - 01:43:53 CDT


My actual point wasn't trying to enumerate the users
(it was grabbing their credentials), however, these
are all good points.
A very interesting thing is that after I've read
Ryan's e-mail about the ways to enumerate users, I
came across a link in java.sun.com with the title
"Realtime Form Validation Using AJAX". I am not sure
whether I am exaggerating or not, however, it seems
the example given is a vulnerable application which
provides another way to enumerate valid user ids in
real time. :))

The link is:
http://java.sun.com/developer/technicalArticles/J2EE/AJAX/RealtimeValidation/

-pilon

--- Hemil <hemilnet-square.com> wrote:

> I think implementing CAPTCHA can be very handy in stopping all of these
> bots and automated tools to do BF. No matter whatever error message web
> application gives, whatever response code it returns, CAPTCHA will stop
> automated scripts and tools.
>
> ---Hemil
> [Net-square]
> Rogan Dawes wrote:
> > Ryan Barnett wrote:
> >> Correct. The returned HTTP status code is but one of many methods of
> >> enumerating valid account credentials. The most common mistake is
> >> differences in the error message details provided to the user upon
> >> successful/failed login attempts. Web apps should not inform the user
> >> whether or not the problem was with the username or password, but
> >> rather that they failed to authenticate. The 2nd most obvious sign is
> >> passing parameters in URL or cookie variables (such as
> >> STATUS=Authenticated).
> >>
> >> This being said, there are still problems with using 302 redirects and
> >> that it is still possible to enumerate successful/unsuccessful
> >> authentication attempts based on the Location header data returned
> >> with the 302 status code. If the authentication fails, it will send a
> >> 302 and the location most likely will be back to the login page. A
> >> successful attempt, however, will send a 302 but the new Location will
> >> be something other than the login page. This is enough data for a
> >> scanner/script to automate and trigger on.
> >>
> >
> > You mean, other than the fact that there is no longer a login form on
> > the resulting page?
> >
> > Mmmm.
> >
> > Rogan
> >

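Added example, not code from this thread or from the Sun article it links: a Python model of the login handler Ryan and Rogan are discussing, written two ways. The user store, the names `alice` and `bob`, the passwords and the `/login` and `/account` paths are all constructed for the example. `leaky_login` reproduces the mistakes named in the thread (a body that says which field was wrong, a `STATUS=Authenticated` cookie); `uniform_login` makes every failure byte-identical and runs the password hash even for unknown usernames, so neither the body, the headers nor the response time tells a scanner whether the username exists. `failures_distinguishable` is the check a reviewer can run against either handler.

```python
import hashlib
import hmac

# Constructed user store (example data, not from the thread):
# username -> (salt, PBKDF2-HMAC-SHA256 digest of the password)
_ITERATIONS = 50_000


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


_SALT = b"constructed-salt-for-example"
USERS = {"alice": (_SALT, _digest("correct horse battery", _SALT))}

# Digest of a password nobody has, used when the username is unknown, so the
# failure path costs one full PBKDF2 run whether or not the account exists.
_DUMMY = (_SALT, _digest("no-such-password", _SALT))

LOGIN_PAGE = "/login"    # assumed path of the login form
HOME_PAGE = "/account"   # assumed post-login landing page


def leaky_login(username: str, password: str):
    """Responds as (status, headers, body) and leaks the failure reason:
    different bodies for unknown user vs. wrong password, plus a cookie
    that spells out the outcome."""
    if username not in USERS:
        return (200, {}, "Unknown user")
    salt, expected = USERS[username]
    if not hmac.compare_digest(_digest(password, salt), expected):
        return (200, {}, "Wrong password for " + username)
    return (302, {"Location": HOME_PAGE, "Set-Cookie": "STATUS=Authenticated"}, "")


def uniform_login(username: str, password: str):
    """Every failure, whatever its cause, produces the same response:
    a 302 back to the login page with no explanatory body or cookie."""
    salt, expected = USERS.get(username, _DUMMY)
    # Always hash, compare in constant time, and only then consult existence,
    # so the amount of work does not depend on whether the username is valid.
    digest_ok = hmac.compare_digest(_digest(password, salt), expected)
    if not (digest_ok and username in USERS):
        return (302, {"Location": LOGIN_PAGE}, "")
    return (302, {"Location": HOME_PAGE}, "")


def failures_distinguishable(handler) -> bool:
    """Ask the question a scanner asks: does an unknown username get a
    different response from a known username with the wrong password?
    True means the handler lets valid usernames be enumerated."""
    unknown_user = handler("bob", "whatever")    # "bob" is not in USERS
    wrong_password = handler("alice", "whatever")  # "alice" exists
    return unknown_user != wrong_password


if __name__ == "__main__":
    print("leaky handler enumerable:  ", failures_distinguishable(leaky_login))
    print("uniform handler enumerable:", failures_distinguishable(uniform_login))
```

Success and failure still differ (the Location changes, and as Rogan notes the login form disappears), which is unavoidable: the goal is that the two failure cases cannot be told apart, so a wrong guess against a real account looks exactly like a guess against an account that does not exist. Rate limiting or a CAPTCHA, as Hemil suggests, then addresses the remaining brute-force volume rather than the information leak.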