<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">
<div>* iPhone typo<br><br>
<blockquote type="cite">&lt;img src=<a href="http://server/login?username=user1&amp;pass=pass1">http://server/login?username=user1&amp;pass=pass1</a>&gt;</blockquote>
<br><br>Sent from my iPhone</div>
<div><br>On 29 May 2013, at 15:29, Christian Papathanasiou &lt;<a href="mailto:christian.papathanasiou@owasp.org">christian.papathanasiou@owasp.org</a>&gt; wrote:<br><br></div>
<blockquote type="cite"><div>Another scenario is:<br><br>
Distributed client-side login/pass brute force :-)<br><br>
Once victims connect to an attacker-controlled server they are dished out hundreds of CSRF vectors such as<br><br>
&lt;img src=<a href="http://server/login?username=&amp;user1pass=pass1">http://server/login?username=&amp;user1pass=pass1</a>&gt;<br><br>
Username/password pairs<br><br>
With each subsequent CSRF vector sent, testing for a post-authentication function.<br><br>
Once the word list subset is exhausted, the page updates with the next set to try.<br><br>
In essence, achieving distributed, non-attributable brute force (and potentially knock-on effects of application-layer DoS).<br><br>
All theoretically possible I think, but I have never seen that really done in the wild. Have any of you? Perhaps something BeEF does in the XSS world?<br><br>
Christian<br><br>
On 29 May 2013, at 14:46, Giorgio Fedon &lt;<a href="mailto:giorgio.fedon@owasp.org">giorgio.fedon@owasp.org</a>&gt; wrote:<br><br>
<blockquote type="cite">Another scenario is when you need to poison a DNS cache. In that case you may need many resolution requests from a lot of different IPs. And maybe the function that forces the DNS resolution is in the authenticated area.<br><br>
On 05/29/2013 03:19 PM, gaz Heyes wrote:<br>
<blockquote type="cite">On 29 May 2013 14:14, Giorgio Fedon &lt;<a href="mailto:giorgio.fedon@owasp.org">giorgio.fedon@owasp.org</a>&gt; wrote:<br><br>
<blockquote type="cite">Incrimination is something that may happen by forcing a user to do something illegal.</blockquote><br>
That isn't what I meant. You can assign the IP address of the user to a specific account that has already performed or is about to perform illegal activity.</blockquote>
<br>-- <br>
| Giorgio Fedon, Owasp Italy<br>
|<br>
| In Input Validation<br>
|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;and Output Sanitization,<br>
|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;We Trust<br>
--<br>
| Web: <a href="https://www.owasp.org/index.php/Italy">https://www.owasp.org/index.php/Italy</a><br>
|_____________________________________________.<br><br>
_______________________________________________<br>
OWASP-Leaders mailing list<br>
<a href="mailto:OWASP-Leaders@lists.owasp.org">OWASP-Leaders@lists.owasp.org</a><br>
<a href="https://lists.owasp.org/mailman/listinfo/owasp-leaders">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a>
</blockquote></div></blockquote></body></html>
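As an added defender-side example (not code from the thread or from any OWASP project), the script below scans constructed access-log lines for the fan-out Christian describes: GET /login requests carrying credentials in the query string, one guess per unrelated client IP, all with the attacker's page as Referer, so per-IP rate limits never fire. The log format, the /login path and the username/pass parameter names are assumptions taken from the URL in the thread.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Minimal "combined" access-log pattern: client ip, timestamp, request line, status, size, referer.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

# Constructed sample: four victims each fetch one attacker-supplied <img>, plus one genuine POST login.
SAMPLE_LOG = """\
10.0.0.1 - - [29/May/2013:15:29:01 +0000] "GET /login?username=user1&pass=pass1 HTTP/1.1" 401 0 "http://attacker.example/"
10.0.0.2 - - [29/May/2013:15:29:02 +0000] "GET /login?username=user1&pass=pass2 HTTP/1.1" 401 0 "http://attacker.example/"
10.0.0.3 - - [29/May/2013:15:29:02 +0000] "GET /login?username=user1&pass=pass3 HTTP/1.1" 401 0 "http://attacker.example/"
10.0.0.4 - - [29/May/2013:15:29:03 +0000] "GET /login?username=user1&pass=pass4 HTTP/1.1" 200 512 "http://attacker.example/"
10.0.0.9 - - [29/May/2013:15:30:10 +0000] "POST /login HTTP/1.1" 200 512 "https://server.example/login"
"""

def parse_get_logins(log_text):
    """Yield (ip, username, password, status, referer) for GET /login requests
    with credentials in the query string: the only shape an <img src> can
    produce, and the only one whose credentials show up in an access log."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        url = urlsplit(m["path"])
        q = parse_qs(url.query)
        if url.path != "/login" or "username" not in q or "pass" not in q:
            continue
        yield m["ip"], q["username"][0], q["pass"][0], int(m["status"]), m["referer"]

def find_distributed_bruteforce(log_text, min_ips=3):
    """Flag usernames whose guesses arrive from at least min_ips distinct
    clients, each contributing about one guess: the fan-out that defeats per-IP limits."""
    per_user = defaultdict(lambda: {"ips": set(), "guesses": set(), "referers": set(), "hit": False})
    for ip, user, pw, status, referer in parse_get_logins(log_text):
        r = per_user[user]
        r["ips"].add(ip)
        r["guesses"].add(pw)
        r["referers"].add(referer)
        r["hit"] |= status == 200  # a 200 means one of the fanned-out guesses worked
    return {u: {"distinct_ips": len(r["ips"]), "guesses": len(r["guesses"]),
                "hit": r["hit"], "referers": sorted(r["referers"])}
            for u, r in per_user.items() if len(r["ips"]) >= min_ips}

if __name__ == "__main__":
    print(find_distributed_bruteforce(SAMPLE_LOG))
```

A single shared Referer across many client IPs is the strongest indicator here; a login endpoint that only accepts POST with an anti-CSRF token removes the vector entirely, since an img tag can neither POST nor carry the token.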