List: webappsec
Subject: Re: preventing sign up forms from being used for user enumeration
From: Nathan Bijnens <nbijnens () servs ! eu>
Date: 2007-07-02 21:53:42
Message-ID: 468973E6.5060406 () servs ! eu
Let people enter an email address. If it isn't used, mail them with a
unique link to continue the registration process. If it is already used,
don't send a mail?
Robin Wood wrote:
> Hi
> I'm developing an application which requires users to sign up with both
> a username and an email address. I only want an email address to sign
> up once and don't want duplication of usernames.
>
> If I just put up a warning stating that an email address is already
> registered if it is, the form is open to being used for user
> enumeration. Apart from using things like captchas to try to defeat
> automated attacks, is there any way to stop this?
>
> I know on things like forgotten password forms you can ask for extra
> info so someone guessing would have to get both bits right but I can't
> think of a way to do this here.
>
> Robin
>
--
Nathan Bijnens | Zaakvoerder | nbijnens@servs.eu | +32 486 15 88 29
Servs BVBA | http://servs.eu | BTW BE 0888 048 856 | 001-5180517-17
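The scheme Nathan describes, as an added illustration that is not code from either poster: the sign-up endpoint accepts only an email address, returns the identical response whether or not that address is registered, and sends a continuation link only when it is new. The `Outbox`, `SignupService` and the in-memory `pending` table are hypothetical stand-ins chosen for the example; the registered addresses are constructed sample data. The username half of Robin's question is not covered here, since the reply only addresses the email step.

```python
"""Enumeration-resistant sign-up step (added example, not from the thread).

Assumptions not taken from the original messages: a hypothetical `Outbox`
that records mail instead of sending it, a hypothetical `SignupService`
holding the registered set and a pending-token table in memory, and
constructed sample addresses in REGISTERED.
"""
import secrets
from dataclasses import dataclass, field

# Constructed sample of addresses that are already registered.
REGISTERED = {"alice@example.com", "bob@example.com"}

# Single response text used on every path so the reply reveals nothing.
NEUTRAL_REPLY = ("If this address is not already registered, we have "
                 "emailed you a link to continue signing up.")


@dataclass
class Outbox:
    """Hypothetical mailer stand-in: records (recipient, body) pairs."""
    sent: list = field(default_factory=list)

    def send(self, to: str, body: str) -> None:
        self.sent.append((to, body))


@dataclass
class SignupService:
    registered: set
    outbox: Outbox
    pending: dict = field(default_factory=dict)  # token -> normalized email

    def start_signup(self, email: str) -> str:
        """Step 1: accept an email, reply identically in both cases."""
        normalized = email.strip().lower()
        # Generate the token on both branches so the amount of work done
        # (and thus the response timing) does not depend on membership.
        token = secrets.token_urlsafe(32)
        if normalized not in self.registered:
            self.pending[token] = normalized
            self.outbox.send(
                normalized,
                f"Continue registration: https://app.example/signup/{token}",
            )
        # A registered address gets the same text and no mail at all, so
        # only the legitimate mailbox owner ever learns which case applied.
        return NEUTRAL_REPLY

    def complete_signup(self, token: str) -> bool:
        """Step 2: redeem the one-time token from the emailed link."""
        normalized = self.pending.pop(token, None)
        if normalized is None:
            return False  # unknown or already-used token
        self.registered.add(normalized)
        return True


if __name__ == "__main__":
    svc = SignupService(registered=set(REGISTERED), outbox=Outbox())
    print(svc.start_signup("Alice@Example.com"))  # registered: no mail
    print(svc.start_signup("carol@example.com"))  # new: mail with link
    print(len(svc.outbox.sent), "message(s) queued")
```

Both calls print the same sentence; only the second queues a message. The token lives solely in the mail, so the web response carries no signal about whether the address was known.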