The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws



some lengths. When a login attempt is initiated with an invalid username, the application must record somewhere the random question that it presented for that invalid username and ensure that subsequent login attempts using the same username are met with the same question. Going even further, the application could switch to a different question periodically, to simulate the nonexistent user having logged in as normal, resulting in a change in their next question! At some point, however, the application designer must draw a line and concede that a total victory against an attacker as determined as this is probably not achievable.

Prevent Information Leakage

■ The various authentication mechanisms used by the application should not disclose any information about authentication parameters, either through overt messages or through inference from other aspects of the application’s behavior. An attacker should have no means of determining which piece of the various items submitted has caused a problem.

■ A single code component should be responsible for responding to all failed login attempts, with a generic message. This avoids a subtle vulnerability that can occur when a supposedly uninformative message returned from different code paths can actually be discriminated by an attacker, due to typographical differences in the message, different HTTP status codes, other information hidden in HTML, and the like.

■ If the application enforces some kind of account lockout to prevent brute-force attacks (as discussed in the next section), then care should
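The two points above (a consistent secret question for nonexistent usernames, and one code path returning one generic failure response) are shown in the following added example; it is not code from the book. It assumes a constructed in-memory user store and, instead of recording the decoy question per invalid username as the text describes, derives it with an HMAC over the username under a server-side key, which yields the same stable question on every attempt without storing anything.

```python
import hashlib
import hmac

QUESTIONS = ["Mother's maiden name?", "First pet's name?", "City of birth?"]

# Assumption: server-side secret from configuration, never disclosed to clients.
DECOY_KEY = b"constructed-server-secret"
SALT = b"constructed-salt"  # constructed; real deployments use a per-user salt


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store: username -> password hash and question index.
USERS = {
    "alice": {"pw": _hash_password("correct horse", SALT), "question": 1},
}
DUMMY_PW = _hash_password("dummy", SALT)  # hashed even for unknown users

# One generic failure response: same status code, same wording, for every cause.
GENERIC_FAILURE = (401, "Login failed. Please check your details and try again.")


def question_for(username: str) -> str:
    """Known users get their stored question; unknown usernames get a decoy
    chosen by HMAC over the username, so repeated attempts always see the
    same question and cannot distinguish a real account from a missing one."""
    user = USERS.get(username)
    if user is not None:
        return QUESTIONS[user["question"]]
    digest = hmac.new(DECOY_KEY, username.encode(), hashlib.sha256).digest()
    return QUESTIONS[int.from_bytes(digest[:4], "big") % len(QUESTIONS)]


def login(username: str, password: str) -> tuple:
    """Single failure path: unknown user and wrong password both fall through
    to the identical GENERIC_FAILURE tuple, and the password is hashed either
    way so that neither the response nor the work done reveals which failed."""
    user = USERS.get(username)
    stored = user["pw"] if user is not None else DUMMY_PW
    password_ok = hmac.compare_digest(stored, _hash_password(password, SALT))
    if user is None or not password_ok:
        return GENERIC_FAILURE
    return (200, "Welcome")
```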
