The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws
Chapter 6 



Attacking Authentication




be taken that this does not lead to any information leakage. For example, if an application discloses that a specific account has been suspended for X minutes due to Y failed logins, then this behavior can easily be used to enumerate valid usernames. In addition, disclosing the precise metrics of the lockout policy enables an attacker to optimize any attempt to continue guessing passwords in spite of the policy. To avoid enumeration of usernames, the application should respond to any series of failed login attempts from the same browser with a generic message advising that accounts are suspended if multiple failures occur and that the user should try again later. This can be achieved using a cookie or hidden field to track repeated failures originating from the same browser. (Of course, this mechanism should not be used to enforce any actual security control — only to provide a helpful message to ordinary users who are struggling to remember their credentials.)

■■ If the application supports self-registration, then it can prevent this function from being used to enumerate existing usernames in two ways:

  ■■ Instead of permitting self-selection of usernames, the application can create a unique (and unpredictable) username for each new user, thereby obviating the need to disclose that a username selected already exists.

  ■■ The application can use email addresses as usernames. Here, the first stage of the registration process requires the user to enter their email address, whereupon they are told simply to wait for an email and follow the instructions contained within it. If the email address is already registered, the user can be informed of this in the email. If the address is not already registered, the user can be provided with a unique, unguessable URL to visit to continue the registration process. This prevents the attacker from enumerating valid usernames (unless they happen to have already compromised a large number of email accounts).
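As an added illustration (not code from the book), the two defenses above in Python: a registration first stage whose HTTP response never reveals whether the address exists, and a login handler whose failure reply is identical for an unknown user, a wrong password and a silently locked account. The in-memory stores, the `app.example` URL and the lockout threshold are assumptions made for the example.

```python
import hmac
import secrets
from typing import Optional, Tuple

# Constructed in-memory stand-ins for the database and mail queue (assumptions).
REGISTERED = {"alice@example.com"}
USERS = {"alice@example.com": "correct horse"}  # demo only; store hashes in practice
SERVER_FAILS: dict = {}   # username -> failures, enforced server-side, never shown
PENDING: dict = {}        # unguessable token -> email awaiting registration
OUTBOX: list = []         # (recipient, body) pairs the application would email
LOCKOUT_THRESHOLD = 5
GENERIC_REG = "Thanks. Please check your email and follow the instructions."
GENERIC_FAIL = ("Login failed. Accounts are suspended after repeated failures; "
                "if this continues, please wait a while and try again.")

def register(email: str) -> str:
    """First stage of email-based self-registration: the HTTP response is the
    same whether or not the address exists; the difference is only emailed."""
    if email in REGISTERED:
        OUTBOX.append((email, "This address is already registered. Use the "
                              "password reset form if you have forgotten it."))
    else:
        token = secrets.token_urlsafe(32)  # 256 random bits: not guessable
        PENDING[token] = email
        OUTBOX.append((email, f"Continue at https://app.example/register/{token}"))
    return GENERIC_REG

def login(username: str, password: str,
          fail_cookie: Optional[str] = None) -> Tuple[bool, str, str]:
    """Return (success, message, new_fail_cookie). Unknown username, wrong
    password and a silently locked account all yield the identical failure
    reply. The cookie counter only drives the helpful message; lockout is
    decided from SERVER_FAILS, which the response never discloses."""
    expected = USERS.get(username, "")
    fails = SERVER_FAILS.get(username, 0)
    # Always run the comparison so an unknown username does not short-circuit.
    match = hmac.compare_digest(expected.encode(), password.encode())
    if username in USERS and match and fails < LOCKOUT_THRESHOLD:
        SERVER_FAILS.pop(username, None)
        return True, "Welcome back.", "0"
    if username in USERS:
        SERVER_FAILS[username] = fails + 1
    seen = int(fail_cookie) + 1 if (fail_cookie or "").isdigit() else 1
    return False, GENERIC_FAIL, str(seen)
```

The same comparison runs for every username so response timing does not depend on whether the account exists either.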
