on every username. This approach has two benefits: first, you will dis-

Verbose Failure Messages

A typical login form requires the user to enter two pieces of information (user-

name and password), and some applications require several more (for exam-

ple, date of birth, a memorable place, or a PIN number). 

When a login attempt fails, you can of course infer that at least one piece of

information was incorrect. However, if the application informs you as to

which piece of information was invalid, you can exploit this behavior to con-

siderably diminish the effectiveness of the login mechanism.

In the simplest case, where a login requires a username and password, an

application might respond to a failed login attempt by indicating whether the

reason for the failure was an unrecognized username or the wrong password,

as illustrated in Figure 6-3.

Figure 6-3: Verbose login failure messages indicating when a valid username has been

guessed

In this instance, you can use an automated attack to iterate through a large

list of common usernames to enumerate which of these are valid. Of course,

usernames are not normally considered a secret (they are not masked during

login, for instance). However, providing an easy means for an attacker to iden-

tify valid usernames increases the likelihood that they will compromise the

application with a given level of time, skill, and effort. A list of enumerated

usernames can be used as the basis for various subsequent attacks, including

password guessing, attacks on user data or sessions, or social engineering.

N OT E

Download 5,76 Mb.

Do'stlaringiz bilan baham: