narmi2
asked on
Brute Force Attacks On AJAX
If someone knows how to spoof all the server variables e.g. http_referer, how do you stop them from writing a loop based on your ajax backend page?
if they look into the ajax frontend page, they will see something like
http://mysite/backend.aspx?=variable
How do I stop them from using a brute force attack to loop through the above address with all possible querystrings? For example, their loop might do something like this
http://mysite/backend.aspx?=a
http://mysite/backend.aspx?=b
http://mysite/backend.aspx?=c
....
http://mysite/backend.aspx?=x
http://mysite/backend.aspx?=y
http://mysite/backend.aspx?=z
http://mysite/backend.aspx?=aa
http://mysite/backend.aspx?=ab
...
http://mysite/backend.aspx?=nami
http://mysite/backend.aspx?=namj
http://mysite/backend.aspx?=namk
So on eventually returning lots of info they can steal.
Can an attack like this be done on gmail if you first login??
If no, how are they stopping brute force attacks like this???
ASKER
no idea.
do they also have the same problem?
if yes, any idea how to stop such a loop from stealing your data?
ASKER CERTIFIED SOLUTION
SOLUTION
ASKER
I will be having authentication, but cannot have it on all sections. The part where the authentication exists I am not worried about. Unfortunately, we need to give them nice ajax functionality without them having to login...
any idea how google-suggest does it? can a brute force attack be used on their page?
thanks for all the suggestions
Michel
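The question above, and the follow-up about offering suggest-style AJAX without a login, both come down to throttling a public endpoint rather than hiding its URL. The following is an added example, not code from this thread or from any of the sites mentioned: a per-client sliding-window limiter in front of a suggest handler, together with a replay of the kind of loop the question describes. The client key (a placeholder IP), the limits, `MIN_QUERY_LEN`, `MAX_RESULTS` and the `RECORDS` data are assumptions constructed for the demo.

```python
"""Per-client throttling for an unauthenticated AJAX endpoint (added example).

Allow at most `limit` requests per sliding time window for each client and
reject the rest with HTTP 429, so a script looping over every query string
is cut off after its budget. The limiter key, limits and sample data below
are assumptions chosen for the demo, not any real site's configuration.
"""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each client key."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        # client key -> timestamps of recently accepted requests (oldest first)
        self._hits = defaultdict(deque)

    def allow(self, client, now):
        q = self._hits[client]
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over budget: caller should answer 429
        q.append(now)
        return True


# Constructed sample data standing in for whatever the backend page would return.
RECORDS = ["nami", "namibia", "name", "names", "namj", "namk", "nancy"]
MIN_QUERY_LEN = 2   # assumed: refuse very short prefixes so one request cannot dump much
MAX_RESULTS = 3     # assumed: cap results per response


def handle_suggest(limiter, client, query, now):
    """Return (status, payload) for one suggest request; status mirrors the HTTP code."""
    if not limiter.allow(client, now):
        return 429, []
    if len(query) < MIN_QUERY_LEN:
        return 400, []
    matches = [r for r in RECORDS if r.startswith(query)]
    return 200, matches[:MAX_RESULTS]


def simulate_enumeration(limit=5, window=10.0, requests=20, interval=0.1):
    """Replay a tight loop of distinct queries from one client (placeholder IP).

    Returns (served, throttled) counts; with limit=5 only the first 5 are served.
    """
    limiter = SlidingWindowLimiter(limit, window)
    served = throttled = 0
    for i in range(requests):
        query = "na" + chr(ord("a") + i % 26)   # naa, nab, nac, ... like the loop in the question
        status, _ = handle_suggest(limiter, "203.0.113.5", query, now=i * interval)
        if status == 429:
            throttled += 1
        else:
            served += 1
    return served, throttled


if __name__ == "__main__":
    print(simulate_enumeration())  # (5, 15)
```

In a real deployment the limiter state lives in a shared store (a cache or database) rather than process memory, the key can combine client address with a session cookie issued before any AJAX call is accepted, and the limit is tuned so that a human typing in a suggest box never hits it while a scripted loop does within seconds. Capping results per response and refusing very short prefixes further reduce how much each accepted request can reveal.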