[Catalyst] Rate limiting password attacks

Christian Storm storm at iparadigms.com
Mon Aug 20 19:16:46 GMT 2007


He is referring to reposting of forms that are arrived at via the back button, e.g., breaking the cycle submit form -> click back button -> submit form -> etc.

The use case is for single-use forms, not for security. It wouldn't do anything to prevent a bot from scraping the HTML for that token and using it to submit the form.

On Aug 20, 2007, at 10:19 AM, Carl Johnstone wrote:

>
>> What's to stop the bot from grabbing the token from the home page and
>> using it in its attack?  The token has to be something the
>> bot can't readily read, e.g., captcha.
>
> Bill said:
>
> "I have the ability to turn on form tokens on my forms, so to be able
> to post to a form you have to first fetch the single-use token from
> the form.  That has been a big help with forms that send mail, but
> also aids in preventing reposting of forms -- in addition to redirect
> after post."
>
> So obviously they work for him. Anything that has an effect without causing accessibility problems for users has to be a good thing.
>
> In any case, I was just suggesting a way he could still make his existing token system work with a "static" page to save server resources.
>
> Carl
>
>
> _______________________________________________
> List: Catalyst at lists.rawmode.org
> Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
> Searchable archive: http://www.mail-archive.com/catalyst at lists.rawmode.org/
> Dev site: http://dev.catalyst.perl.org/
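Added example, not code from the thread or from Catalyst, modelling the two controls under discussion: a single-use form token store, which rejects the back-button repost Christian describes but accepts any client that re-fetches the form first, and the per-client rate limit the subject line asks about, which is what actually bounds repeated password guesses. The client key 203.0.113.7 (a documentation address), the limits and the one-attempt-per-second timing are constructed for the demonstration.

```python
import secrets
from collections import defaultdict, deque

class FormTokenStore:
    """Single-use form tokens: each rendered form carries a fresh token and the
    first POST presenting it consumes it, so a back-button repost is rejected."""
    def __init__(self):
        self._issued = set()

    def issue(self):
        token = secrets.token_urlsafe(16)
        self._issued.add(token)
        return token

    def consume(self, token):
        # True exactly once per issued token; a replayed or unknown token is refused.
        if token in self._issued:
            self._issued.remove(token)
            return True
        return False

class RateLimiter:
    """Sliding-window cap on attempts per client key (source address or account)."""
    def __init__(self, limit, window_seconds):
        self.limit, self.window = limit, window_seconds
        self._hits = defaultdict(deque)

    def allow(self, key, now):
        q = self._hits[key]
        while q and now - q[0] >= self.window:  # forget hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def back_button_repost(store):
    """User submits, presses back, and submits the same rendered page again."""
    token = store.issue()
    return store.consume(token), store.consume(token)  # (True, False)

def automated_client(store, limiter, attempts, key="203.0.113.7"):
    """Re-fetching the form before every POST always yields a valid token, so
    only the per-client rate limit refuses it (constructed 1-per-second timing)."""
    token_ok = rate_ok = 0
    for second in range(attempts):
        if store.consume(store.issue()):        # fresh token, always accepted
            token_ok += 1
        if limiter.allow(key, now=float(second)):
            rate_ok += 1
    return token_ok, rate_ok
```

The token check passes on every one of the twenty attempts while a 5-per-60-seconds limit admits only the first five, which is the distinction Christian draws between a repost guard and a control against automated submission.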
