Michael,
This has always been a problem with the web. Not only do you not have
physical security of the device, you cannot even be sure that it is the
device you think it is.

So the only way to protect this is to track the number of login attempts that
go against any invalid User Name and, if above a certain threshold, to notify
security. I also do the same if a particular user attempts to log in more
than 3 times in a row with a good User Name and a bad password. This also lets
me know when Users may be having difficulty, as well as potential hacking
attempts.
Andy
-----Original Message-----
From: Michael Dinowitz [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 4:52 PM
To: CF-Talk
Subject: security flaw in web services
It looks to me like there's a problem with web services, specifically the ones
that allow logins. Basically, a username/password is sent to the service and it
responds with data if the person is a valid user. What stops someone from using
the web service again and again to test a un/pw until they get the right one?
Maybe the answer is obvious and I don't see it.

checking the number of attempts per IP - IP can be forged
checking the number of attempts per UN - scheduled attempt or multiple UN tries
hidden communications key in stream - can be 'seen' (combined with SSL might
work)
--
Michael Dinowitz
Finding technical solutions to the problems you didn't know you had yet
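The attempt-tracking Andy describes (count logins against any invalid User Name within a window, and alert when a valid user fails more than 3 times in a row), written out as an added example. This is not code from the thread or from ColdFusion; the thresholds, the window length, the sample credential store and the replayed attempts are all constructed for the example, and the "alert" is a list that stands in for the notification to security.

```python
"""Login-attempt monitor: alerts on bursts of invalid usernames and on
runs of bad passwords for a valid user (constructed example)."""
import hmac
import time
from collections import deque

# Thresholds and window are assumptions for the example, not values from the thread.
INVALID_NAME_THRESHOLD = 10     # unknown-user attempts seen inside the window
INVALID_NAME_WINDOW = 600       # seconds
BAD_PASSWORD_THRESHOLD = 3      # "more than 3 times in a row" -> alert on the 4th


class LoginMonitor:
    def __init__(self, credentials, clock=time.time):
        # credentials: username -> password. A real store holds salted hashes;
        # plaintext is used here only to keep the example self-contained.
        self._credentials = credentials
        self._clock = clock
        self._invalid_name_times = deque()   # timestamps of attempts on unknown users
        self._failures_in_a_row = {}         # username -> consecutive bad passwords
        self.alerts = []                     # (kind, subject) tuples "sent to security"

    def _alert(self, kind, subject):
        self.alerts.append((kind, subject))

    def attempt(self, username, password):
        """Return True on a valid login; record and evaluate every failure."""
        now = self._clock()
        if username not in self._credentials:
            # Count attempts against *any* invalid username in a sliding window.
            # Keyed on nothing the client controls, so a forged source IP
            # does not hide a username-guessing run.
            self._invalid_name_times.append(now)
            while (self._invalid_name_times
                   and now - self._invalid_name_times[0] > INVALID_NAME_WINDOW):
                self._invalid_name_times.popleft()
            if len(self._invalid_name_times) == INVALID_NAME_THRESHOLD:
                self._alert("invalid_username_burst", INVALID_NAME_THRESHOLD)
            return False

        if not hmac.compare_digest(self._credentials[username], password):
            # Good username, bad password: count the run for this user only.
            run = self._failures_in_a_row.get(username, 0) + 1
            self._failures_in_a_row[username] = run
            if run > BAD_PASSWORD_THRESHOLD:
                self._alert("bad_password_run", username)
            return False

        # A good login ends the run, so a user who finally types it right
        # does not keep tripping the alert.
        self._failures_in_a_row[username] = 0
        return True


# Constructed sample data for the replay below.
SAMPLE_CREDENTIALS = {"alice": "correct horse", "bob": "battery staple"}


def make_clock(step):
    """Deterministic clock that advances `step` seconds per call."""
    t = [0.0]

    def clock():
        t[0] += step
        return t[0]
    return clock


def demo():
    """Replay two constructed scenarios and return (alice_login_ok, alerts)."""
    m = LoginMonitor(SAMPLE_CREDENTIALS, make_clock(1.0))
    # alice mistypes her password four times, then gets it right
    for _ in range(4):
        m.attempt("alice", "wrong")
    ok = m.attempt("alice", "correct horse")
    # someone walks a list of usernames that do not exist
    for i in range(INVALID_NAME_THRESHOLD):
        m.attempt("user%d" % i, "password")
    return ok, m.alerts


if __name__ == "__main__":
    print(demo())
```

Note that the monitor only notifies; it never locks the account. Locking on failed attempts hands an attacker a cheap way to deny service to real users, which is why the per-user counter here resets on success and otherwise just raises the alert Andy describes.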