Hi Markus,

I think the session ID is pretty strong, so any attack will require a random session ID. I'd rate the chances of success as low. To be extra sure, capture the originating IP, user agent, etc. from the request that starts a session. If those ever change, kill the session as a preventative measure.

And as someone else suggested, you can use Apache to block this IP or user agent from getting near your app.

Chuck

On 2014-03-24, 3:08 AM, "Markus Stoll, junidas GmbH" wrote:

> Hi,
>
> for quite some time someone has been firing on one of my customers' WebObjects applications in a way that very much looks like a botnet. The firing always occurs on the same instance and the same WO action; for each request, it tries another session ID. So this looks like someone is doing a brute-force attack to guess a valid session ID.
>
> So I am wondering: is there a known weakness in the randomness of the generated session IDs that makes this (guessing a valid session ID) possible at all?
>
> Regards,
> Markus
>
> PS: the attacker is using this user agent: "Mozilla/5.0+(compatible;+AhrefsBot/5.0;++http://ahrefs.com/robot/)". They are obviously not respecting the robots.txt, and the observed behaviour does not match the expected behaviour for a crawler/bot.
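The pattern Markus describes (one client hitting one action with a different session ID on every request) and Chuck's suggestion to block the offender in Apache both start with picking that client out of the access log. The following is an added example, not code from this thread or from WebObjects: it scans Apache combined-log lines and flags any (client IP, action) pair that presents many distinct session IDs. The log lines are constructed, and the URL shape (a WebObjects direct action carrying the session in a wosid query parameter) is an assumption about how the application is deployed.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Apache "combined" log format; the ua group is what an Apache block rule would key on.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: 203.0.113.7 cycles session IDs against one direct action,
# while 198.51.100.4 is an ordinary user reusing its own session.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Mar/2014:03:01:10 +0100] "GET /cgi-bin/WebObjects/Shop.woa/wa/cart?wosid=aaaa1111 HTTP/1.1" 200 512 "-" "Mozilla/5.0+(compatible;+AhrefsBot/5.0;++http://ahrefs.com/robot/)"
203.0.113.7 - - [24/Mar/2014:03:01:11 +0100] "GET /cgi-bin/WebObjects/Shop.woa/wa/cart?wosid=bbbb2222 HTTP/1.1" 200 512 "-" "Mozilla/5.0+(compatible;+AhrefsBot/5.0;++http://ahrefs.com/robot/)"
203.0.113.7 - - [24/Mar/2014:03:01:12 +0100] "GET /cgi-bin/WebObjects/Shop.woa/wa/cart?wosid=cccc3333 HTTP/1.1" 200 512 "-" "Mozilla/5.0+(compatible;+AhrefsBot/5.0;++http://ahrefs.com/robot/)"
203.0.113.7 - - [24/Mar/2014:03:01:13 +0100] "GET /cgi-bin/WebObjects/Shop.woa/wa/cart?wosid=dddd4444 HTTP/1.1" 200 512 "-" "Mozilla/5.0+(compatible;+AhrefsBot/5.0;++http://ahrefs.com/robot/)"
198.51.100.4 - - [24/Mar/2014:03:02:00 +0100] "GET /cgi-bin/WebObjects/Shop.woa/wa/cart?wosid=zzzz9999 HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9) Safari/537.75"
198.51.100.4 - - [24/Mar/2014:03:02:05 +0100] "GET /cgi-bin/WebObjects/Shop.woa/wa/cart?wosid=zzzz9999 HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9) Safari/537.75"
"""

def parse_line(line):
    """Parse one combined-log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlparse(rec["path"])
    rec["action"] = url.path                                  # the WO action being hit
    rec["wosid"] = parse_qs(url.query).get("wosid", [None])[0]  # session ID presented
    return rec

def find_session_guessers(log_text, min_distinct_sids=3):
    """Map (ip, action) -> number of distinct session IDs seen, for clients that
    presented at least min_distinct_sids different IDs against the same action."""
    sids = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["wosid"]:
            sids[(rec["ip"], rec["action"])].add(rec["wosid"])
    return {key: len(ids) for key, ids in sids.items() if len(ids) >= min_distinct_sids}

if __name__ == "__main__":
    for (ip, action), n in find_session_guessers(SAMPLE_LOG).items():
        print(f"{ip} presented {n} distinct session IDs against {action}")
```

The threshold is per (IP, action) so a legitimate user who logs in a few times over a day is not flagged; the flagged IP and user agent are then the inputs for the Apache rule Chuck mentions.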
Webobjects-dev mailing list (Webobjects-dev@lists.apple.com)