Bryan Stevenson B.Comm.
VP & Director of E-Commerce Development
Electric Edge Systems Group Inc.
t. 250.920.8830
e. [EMAIL PROTECTED]
---------------------------------------------------------
Macromedia Associate Partner
www.macromedia.com
---------------------------------------------------------
Vancouver Island ColdFusion Users Group
Founder & Director
www.cfug-vancouverisland.com
----- Original Message -----
From: Michael Dinowitz
To: CF-Talk
Sent: Thursday, October 02, 2003 2:51 PM
Subject: security flaw in web services
It looks to me like there's a problem with web services, specifically the ones
that allow logins. Basically, a username/password is sent to the service and it
responds with data if the person is a valid user. What stops someone from using
the web service again and again to test a un/pw until they get the right one?
Maybe the answer is obvious and I don't see it.
checking number of attempts per IP - IP can be forged
checking number of attempts per UN - scheduled attempt or multiple UN tries
hidden communications key in stream - can be 'seen' (combined with SSL might work)
--
Michael Dinowitz
Finding technical solutions to the problems you didn't know you had yet
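
The two counters weighed in the message above, combined in one throttle, as an added example that is not part of the original thread: failures are counted per source IP in a sliding window (which catches many usernames tried from one address) and per username with a doubling lockout that only a successful login resets (which slows scheduled, low-rate guessing). The class name, thresholds and in-memory storage are assumptions for illustration.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Failed-login throttle keyed on username and source IP (hypothetical helper)."""

    def __init__(self, max_per_ip=20, window=300, base_delay=2,
                 max_delay=3600, clock=time.monotonic):
        self.max_per_ip = max_per_ip    # failures allowed per IP inside the window
        self.window = window            # sliding window length, seconds
        self.base_delay = base_delay    # lockout after the first failure, seconds
        self.max_delay = max_delay      # cap on the per-username lockout, seconds
        self.clock = clock              # injectable so the logic can be tested
        self.ip_failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.user_streak = defaultdict(int)    # username -> consecutive failures
        self.user_locked_until = {}            # username -> time the lock expires

    def allowed(self, username, ip):
        """Call before checking the password; False means reject without checking."""
        now = self.clock()
        recent = self.ip_failures.get(ip, deque())
        while recent and now - recent[0] > self.window:
            recent.popleft()            # forget failures older than the window
        if len(recent) >= self.max_per_ip:
            return False                # one address guessing across many accounts
        return now >= self.user_locked_until.get(username.lower(), 0)

    def record(self, username, ip, success):
        """Call after the password check with its outcome."""
        user, now = username.lower(), self.clock()
        if success:
            # Only a valid login for this same account clears its streak.
            self.user_streak.pop(user, None)
            self.user_locked_until.pop(user, None)
            return
        self.ip_failures[ip].append(now)
        self.user_streak[user] += 1
        # The delay doubles per consecutive failure and is not tied to the
        # window, so slow "scheduled" guessing still runs into it.
        delay = min(self.base_delay * 2 ** (self.user_streak[user] - 1),
                    self.max_delay)
        self.user_locked_until[user] = now + delay
```

A per-username lockout lets anyone who knows a username delay that user's logins, which is why the delay is capped. The per-IP limit does not cover guesses spread across many addresses; the per-username streak is what slows those.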

