Re: users browser caching the screen

2006-03-13 Thread gerald_clark

fbsd_user wrote:


Now I know what I am going to talk about is not directly related to
this mysql list, but I am in need of some concept ideas.

To set the background. It’s a very common practice in the
registration process of a new user to verify the user's email address
is valid by sending an email to the entered email address with a link
in it to a screen that updates the user's emailed verified flag in
his table record. I have such a process.

Once a week I review my apache activity log and I noticed a lot of
log records for the file that processes the link to update the user's
email verified flag (over 1500 from the same IP address).

To me this looked like an attack to break into my web application.
Research and testing indicates that the screen is cached by the
user's browser and he is changing the passed link info repeatedly in
an effort to break in. This screen is the only one that does not have
session security control because it’s launched from the verify email
I sent him.

Now my registration sign up screen has a Captcha Security Code
Random-Noisy-Image and part of that is a string of headers to the
browser to stop caching. They look like this.

// send several headers to make sure the image is not cached
// taken directly from the PHP Manual

// Date in the past
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");

// always modified
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");

// HTTP/1.1
header("Cache-Control: no-store, no-cache, must-revalidate");
// second argument false: add this header instead of replacing the one above
header("Cache-Control: post-check=0, pre-check=0", false);

// HTTP/1.0
header("Pragma: no-cache");

Now my desire is to somehow have the screen that is the target of
the email link to issue these headers before displaying its html
code so the user can not any longer run a script against this screen
trying to break in.

Is this possible, and if so, how? Is this kind of attack happening to
anyone else?

Thanks for any help you can offer.



 

You have no way of knowing if the user is running a browser at all. He
could have grabbed the page once, and run a script that pretends to be
a browser.

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
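
Added example, not code from the thread: because the request may come from a script rather than a browser, the defence has to sit on the server. The PHP below signs the emailed link with an HMAC so that altered values fail, and stops answering an address after repeated failures. The secret, limits, function names and sample addresses are assumptions.

```php
<?php
// Added example: the secret, limits and names are assumptions, not from the thread.
const VERIFY_SECRET = 'replace-with-random-server-side-secret'; // placeholder
const MAX_FAILURES  = 5;    // failed attempts allowed per IP per window
const WINDOW_SECS   = 900;  // length of the counting window in seconds

// Build the value placed in the emailed link: "userId.expiry.hmac".
function make_verify_token(int $userId, int $expires): string
{
    $payload = $userId . '.' . $expires;
    return $payload . '.' . hash_hmac('sha256', $payload, VERIFY_SECRET);
}

// Returns the user id for a valid, unexpired token, or null.
function check_verify_token(string $token, int $now): ?int
{
    $parts = explode('.', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return null;
    }
    $expected = hash_hmac('sha256', $parts[0] . '.' . $parts[1], VERIFY_SECRET);
    if (!hash_equals($expected, $parts[2])) {   // constant-time comparison
        return null;
    }
    return ((int)$parts[1] >= $now) ? (int)$parts[0] : null;
}

// $failures maps IP => [count, windowStart]; a real site would keep this in a table.
function handle_verify(string $ip, string $token, int $now, array &$failures): string
{
    [$count, $start] = $failures[$ip] ?? [0, $now];
    if ($now - $start >= WINDOW_SECS) { [$count, $start] = [0, $now]; }
    if ($count >= MAX_FAILURES) {
        return '429 too many attempts';
    }
    $userId = check_verify_token($token, $now);
    if ($userId === null) {
        $failures[$ip] = [$count + 1, $start];
        return '400 invalid or expired link';
    }
    return "200 verified user $userId"; // here: UPDATE the email-verified flag
}

// Constructed sample run: six altered links from one address, then a genuine link.
$failures = [];
$now = 1142270000;
for ($i = 0; $i < 6; $i++) {
    echo handle_verify('192.0.2.10', "42.$now.guess$i", $now, $failures), "\n";
}
echo handle_verify('198.51.100.7', make_verify_token(42, $now + 86400), $now, $failures), "\n";
```

The first five altered links get the 400 response, the sixth gets 429, and the genuine link from the other address is accepted.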



RE: users browser caching the screen

2006-03-13 Thread fbsd_user
I guess you are saying that trying to have my php script send
the user's browser html headers to stop caching is not
really going to solve my problem. I did put a block rule in
my firewall for the attacker's IP address and that stopped
the attack from recurring.

But to make sure it doesn't happen again I am adding a
Captcha Security Code Random-Noisy-Images to the screen.
This uses a randomly generated graphic image to stymie
auto-submission scripts.
