Account Harvesting and Defense Example

Account Harvesting

  • A technique for determining valid user IDs and/or passwords of a vulnerable application.
  • Works wherever the target application returns a different error message (or any other distinguishable response) for a valid user ID than for an invalid one, regardless of whether the supplied password is correct.

  • Using a script or tool, the attacker runs a dictionary or brute-force attack against the login form and writes every user ID that produced the "valid user" response to a file.
  • The same file of valid user IDs can then be used to harvest passwords, since the attacker no longer wastes guesses on non-existent accounts.
  • If the target application locks out accounts after repeated failures, the attacker can just as easily turn the harvested user ID list into a denial-of-service attack by deliberately locking out every valid account.

Account Harvesting Defenses

  • Instead of telling the user "User id was incorrect" or "Your password is incorrect", return a single generic error message for any improper authentication information, for example "Invalid user id or password".

Note: Everything else sent back to the browser must be completely consistent between the two failure cases, including the HTTP status code, the raw HTML, the URL displayed in the browser, cookies, and any hidden form elements. Even a single space or period that differs between the two authentication error conditions can tip off an attacker's script. Response time is part of this surface too: if the password hash is only computed for accounts that exist, a missing account answers measurably faster, so the server should do the same amount of work on both paths. The same consistency rules apply to registration and password-reset forms, which often leak account existence even when the login form does not.
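The following is an added example, not code from the original post, that puts both halves of the discussion above into one runnable script: a leaky login handler of the kind described under Account Harvesting, the hardened handler described under Defenses (one message, one status code, same amount of hashing work whether or not the account exists), and the attacker-side harvesting loop that groups candidate IDs by the exact response they receive. The user store, the candidate wordlist and both handlers are constructed here for illustration and do not model any specific application.

```python
"""Account harvesting via distinguishable login errors, and the fix.

Added example, not from the original post. The user store, wordlist and
both login handlers are constructed for illustration only.
"""
import hashlib
import hmac
import os
import secrets
from typing import Callable, Dict, List, Tuple

# Kept low so the example runs quickly; a real deployment uses far more.
PBKDF2_ITERATIONS = 50_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_user_store(creds: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed user store: user id -> (salt, PBKDF2 hash of password)."""
    store = {}
    for uid, pw in creds.items():
        salt = os.urandom(16)
        store[uid] = (salt, _hash(pw, salt))
    return store


USERS = make_user_store({"alice": "correct horse", "bob": "hunter2"})

# Dummy credential so the hardened handler does equal work for unknown ids.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)


def login_leaky(uid: str, password: str) -> Tuple[int, str]:
    """Vulnerable: the message tells the caller whether the user id exists,
    and unknown ids are rejected before any hashing is done."""
    if uid not in USERS:
        return 401, "User id was incorrect"
    salt, expected = USERS[uid]
    if not hmac.compare_digest(_hash(password, salt), expected):
        return 401, "Your password is incorrect"
    return 200, "Welcome"


def login_hardened(uid: str, password: str) -> Tuple[int, str]:
    """Fixed: one status code and one message for every failure, and the
    password is always hashed (against a dummy record for unknown ids)."""
    salt, expected = USERS.get(uid, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), expected) and uid in USERS
    if not ok:
        return 401, "Invalid user id or password"
    return 200, "Welcome"


def harvest(login: Callable[[str, str], Tuple[int, str]],
            wordlist: List[str]) -> List[str]:
    """Attacker side: probe every candidate id with a junk password and group
    candidates by the exact (status, body) they got back. Most candidates in a
    wordlist are invalid, so the largest group is the 'no such user' baseline;
    anything that answered differently is a valid account."""
    junk_password = secrets.token_hex(8)
    by_response: Dict[Tuple[int, str], List[str]] = {}
    for uid in wordlist:
        by_response.setdefault(login(uid, junk_password), []).append(uid)
    if len(by_response) < 2:
        return []  # every id got the same answer: nothing to harvest
    baseline = max(by_response.values(), key=len)
    return sorted(uid for group in by_response.values()
                  if group is not baseline for uid in group)


# Constructed candidate list mixing real and non-existent ids.
WORDLIST = ["admin", "alice", "bob", "carol", "dave", "root", "test"]

if __name__ == "__main__":
    print("leaky handler leaks:   ", harvest(login_leaky, WORDLIST))
    print("hardened handler leaks:", harvest(login_hardened, WORDLIST))
```

Against the leaky handler the harvester separates the two real accounts from the rest purely by comparing response bodies; against the hardened handler every failed probe is byte-for-byte identical and the same loop comes back empty. The dummy-record trick in `login_hardened` is what keeps the timing side channel closed as well: the expensive hash runs on both paths, so a missing account does not answer faster than a wrong password.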
