christian.papathanasiou at owasp.org
Wed May 29 14:52:31 UTC 2013
Sent from my iPhone
On 29 May 2013, at 15:39, gaz Heyes <gazheyes at gmail.com> wrote:
> Account DoS would work too since you could send a valid username with an incorrect password from lots of IP addresses, which might cause an account lockout.
> On 29 May 2013 15:29, Christian Papathanasiou <christian.papathanasiou at owasp.org> wrote:
>> Another scenario is:
>> Distributed client side login/pass bruteforce :-)
>> Once victims connect to attacker controlled server they are dished out hundreds of CSRF vectors such as
>> <img src=http://server/login?username=user1&pass=pass1>
>> Username password pairs
>> With each subsequent CSRF vector sent testing for a post authentication function
>> Once word list subset exhausted page updates with next set to try
>> In essence achieving distributed non attributable brute force (and potentially knock on effects of application layer DoS)
>> All theoretically possible I think, but have never seen that really done in the wild; have any of you? Perhaps something BeEF does in the XSS world?
>> On 29 May 2013, at 14:46, Giorgio Fedon <giorgio.fedon at owasp.org> wrote:
>> > Another scenario is when you need to poison a DNS cache. In that case you
>> > may need many resolution requests from a lot of different IPs. And maybe
>> > the function that forces the DNS resolution is in the authenticated area
>> > On 05/29/2013 03:19 PM, gaz Heyes wrote:
>> >> On 29 May 2013 14:14, Giorgio Fedon <giorgio.fedon at owasp.org
>> >> <mailto:giorgio.fedon at owasp.org>> wrote:
>> >>> Incrimination is something that may happen by forcing a user to do
>> >>> something illegal.
>> >> That isn't what I meant. You can assign the IP address of the user to
>> >> a specific account that has already performed or about to perform
>> >> illegal activity.
>> > --
>> > | Giorgio Fedon, Owasp Italy
>> > |
>> > | In Input Validation
>> > | and Output Sanitization,
>> > | We Trust
>> > --
>> > | Web: https://www.owasp.org/index.php/Italy
>> > |_____________________________________________.
>> > _______________________________________________
>> > OWASP-Leaders mailing list
>> > OWASP-Leaders at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
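As an added defender-side example (not code from the thread or from OWASP), the following Python flags the two server-side signals of the scenarios discussed above: login attempts arriving as GET requests carrying a password-like query parameter (the shape of the `<img src=...>` vector), and one username receiving failures from many distinct client IPs in a short window, which a per-IP rate limit does not catch. The log format, parameter names, thresholds and all sample lines are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample of an application authentication log (an assumed
# format, not one any real product emits):
# <UTC timestamp> <client ip> <method> <request target> user=<name> result=<ok|fail>
SAMPLE_LOG = """\
2013-05-29T15:30:01Z 198.51.100.10 GET /login?username=user1&pass=pass1 user=user1 result=fail
2013-05-29T15:30:02Z 198.51.100.11 GET /login?username=user1&pass=pass2 user=user1 result=fail
2013-05-29T15:30:03Z 198.51.100.12 GET /login?username=user1&pass=pass3 user=user1 result=fail
2013-05-29T15:30:04Z 198.51.100.13 GET /login?username=user1&pass=pass4 user=user1 result=fail
2013-05-29T15:30:05Z 198.51.100.14 GET /login?username=user1&pass=pass5 user=user1 result=fail
2013-05-29T15:30:06Z 203.0.113.7 POST /login user=alice result=fail
2013-05-29T15:30:07Z 203.0.113.7 POST /login user=alice result=fail
2013-05-29T15:30:08Z 203.0.113.7 POST /login user=alice result=ok
2013-05-29T15:45:00Z 192.0.2.55 POST /login user=bob result=fail
2013-05-29T16:20:00Z 192.0.2.56 POST /login user=bob result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<target>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)
# Assumed names a login form might use for the password field.
PASSWORD_PARAMS = {"pass", "password", "passwd", "pwd"}


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def credentials_in_get(event):
    """True when a login was attempted as a GET with a password-like query
    parameter. A login endpoint that accepts only POST plus an anti-CSRF
    token cannot be driven this way, but logging such requests gives early
    warning that someone is trying."""
    if event["method"] != "GET":
        return False
    query = urlsplit(event["target"]).query
    return bool(PASSWORD_PARAMS & set(parse_qs(query).keys()))


def distributed_failures(events, window=timedelta(minutes=5), min_ips=3):
    """Map each username to the set of distinct client IPs that failed to log
    in to it within any `window`-long span, keeping only users that reach
    `min_ips`. Each IP may contribute only one attempt, so a per-IP limit
    alone never fires; counting distinct sources per target account does."""
    fails = defaultdict(list)
    for ev in events:
        if ev["result"] == "fail":
            fails[ev["user"]].append((ev["ts"], ev["ip"]))
    flagged = {}
    for user, attempts in fails.items():
        attempts.sort()
        start = 0  # sliding window over this user's failures
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            ips = {ip for _, ip in attempts[start:end + 1]}
            if len(ips) >= min_ips:
                flagged[user] = flagged.get(user, set()) | ips
    return flagged


def summarize(text):
    """Run both checks over a log and return the findings."""
    events = parse_log(text)
    return {
        "get_logins": sum(1 for ev in events if credentials_in_get(ev)),
        "distributed": distributed_failures(events),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("logins attempted via GET with a password parameter:", report["get_logins"])
    for user, ips in report["distributed"].items():
        print(f"user {user}: failures from {len(ips)} distinct IPs -> {sorted(ips)}")
```

On the constructed sample, `user1` is flagged with five source IPs, `alice` is not (two failures from one IP, then success), and `bob` is not (two IPs, 35 minutes apart). Note the lockout point made above: when this detector fires, locking the account hands the attacker the DoS, so the sensible response is step-up verification or alerting rather than a blanket lock.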