system? Think about it. That's what makes the web be the web. No session
variable can get around it, as cookies can be disregarded or deleted by any
browser/hacker, and data can be intercepted between the browser and the
server they're sending login information to.
-nathan strutz
-----Original Message-----
From: Michael Dinowitz [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 2:52 PM
To: CF-Talk
Subject: security flaw in web services
It looks to me like there's a problem with web services, specifically the ones that allow logins. Basically, a username/password is sent to the service and it responds with data if the person is a valid user. What stops someone from using the web service again and again to test a un/pw until they get the right one?
Maybe the answer is obvious and I don't see it.
checking amount of attempts per IP - ip can be forged
checking amount of attempts per UN - scheduled attempt or multiple UN tries
hidden communications key in stream - can be 'seen' (combined with SSL might work)
--
Michael Dinowitz
Finding technical solutions to the problems you didn't know you had yet
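The two counters Michael lists (attempts per IP and attempts per username) can be combined so that each covers the other's weakness: the username counter still holds when the source IP is forged, and the IP counter still holds when one source cycles through many usernames. The following is an added illustration written for this archive page, not code from the thread, and it is Python rather than CFML; the class and constant names, the five-failure limit, the 300-second window and the sample user table are all assumptions chosen for the example.

```python
import hmac
import time
from collections import defaultdict

# Assumed policy for the example: five failures within 300 seconds, counted
# both per username and per source IP, block further attempts for the window.
MAX_FAILURES = 5
LOCKOUT_SECONDS = 300

# Constructed credential store; plaintext only to keep the example short.
USERS = {"alice": "correct horse", "bob": "hunter2"}


class LoginThrottle:
    def __init__(self, clock=time.monotonic):
        self.clock = clock                      # injectable for testing
        self.fail_by_user = defaultdict(list)   # username -> failure timestamps
        self.fail_by_ip = defaultdict(list)     # source ip -> failure timestamps

    def _recent(self, stamps):
        # Drop failures older than the window and return how many remain.
        cutoff = self.clock() - LOCKOUT_SECONDS
        stamps[:] = [t for t in stamps if t > cutoff]
        return len(stamps)

    def is_locked(self, username, ip):
        # Either counter alone is enough to block: the username counter
        # survives IP spoofing, the IP counter catches one source trying
        # many usernames. A locked account refuses even the right password
        # until the window expires, which is the usual lockout trade-off.
        return (self._recent(self.fail_by_user[username]) >= MAX_FAILURES
                or self._recent(self.fail_by_ip[ip]) >= MAX_FAILURES)

    def login(self, username, password, ip):
        if self.is_locked(username, ip):
            return "locked"
        # Constant-time comparison so response timing does not leak how much
        # of the password matched.
        if hmac.compare_digest(USERS.get(username, ""), password):
            self.fail_by_user[username].clear()
            return "ok"
        now = self.clock()
        self.fail_by_user[username].append(now)
        self.fail_by_ip[ip].append(now)
        return "denied"
```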