[OWASP-TESTING] Re: [Pen Testing Checklist Feedback]

Daniel Daniel at deeper.co.za
Fri Jul 30 02:26:19 EDT 2004

Hi Simon,

I have never liked, or will, the idea of a IDS thinking about performing
any defence mechanism on the network without some human checking to see if
its ok.
A while ago when i was pentesting a load of networks, i managed to
discover that Realsecure was running with the infamous "if you see bad
traffic, add a firewall rule" option. The end result was me adding a load
of rules which cut this whole segment off from the web and ended up
closing down their online trading app for an hour.

I believe that accounts should be locked out after X amount of failed
logins. Without this feature enabled, the app is very open to abuse
I do agree though that both of them do contradict themselves, and i
realised this when i was putting the whole checklist together, but in some
weird way they need to be both there.


Tapped away... Booth, Simon
> Hi,
> I've finally found myself a couple of hours to go through the OWASP
> Checklist and have come across something which has confused me a little.
> OWASP-AD-002 states "Ensure that the application does not allow an
> attacker
> to reset or lockout users' accounts.", however, OWASP-AUTHN-008 then
> states
> "Ensure that the users account is locked out for a period of time when the
> incorrect password is entered more than a specific number of times
> (usually
> 5)."
> Whilst these two items contradict each other I can see the relavence
> behind
> both.  On one hand if user accounts are not locked out then the
> application
> is open to a brute force attack, on the other, if the accounts are locked
> out then this opens the application up to a DoS attack (on a per user
> basis).
> I am of the belief that accounts should not be locked out from logins, as,
> there are adequate measures that can be taken against brute force attacks
> (such as an IDS which can reject traffic under certain circumstances) and
> also the item OWASP-AUTHN-006 which states "Ensure that the password
> complexity makes guessing passwords difficult."
> I would be interested to hear your views on the above.
> Regards
> Simon Booth
> ***************************************************************************************
> The information in this email is confidential and may be legally
> privileged.
> It is intended solely for the addressee. Access to this email by anyone
> else
> is unauthorized.
> If you are not the intended recipient, any disclosure, copying,
> distribution
> or any action taken or omitted to be taken in reliance on it, is
> prohibited
> and may be unlawful. When addressed to our clients any opinions or advice
> contained in this email are subject to the terms and conditions expressed
> in
> the governing client engagement letter.
> *****************************************************************************************

More information about the Owasp-testing mailing list