Sunday, February 19, 2006

Doh !!

From: orangeofficer@hushmail.com <orangeofficer@hushmail.com>
Date: Feb 14, 2006 12:35 PM
Subject: [Full-disclosure] Fun with Foundstone
To: full-disclosure@lists.grok.org.uk


Things for a security company not to do in a webapp:

1. Do not auto-populate form fields on the page with customer names.

2. If you ignore rule number 1, don't use a simple, predictable id
for said auto-population.

https://download.foundstone.com/?o=^2155

Rinse, increment, and repeat for a list of Foundstone
customers...or at least a list of companies they've let download
software.

Now that's just plain sloppy.
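The flaw the post describes is a direct object reference keyed on a guessable sequential id. The following is an added example (not code from the mailing-list post or from Foundstone) that models it three ways: the vulnerable lookup and the "rinse, increment, and repeat" walk across it, a hardened lookup that keys the link on a server-minted random token instead of the sequential id, and a log check that spots a client walking consecutive ids. Assumptions: the `o` parameter takes ids shaped like `^2155`, mirroring the URL in the post; the customer table, tokens and log lines are constructed for the demo.

```python
"""Toy model of the download-portal flaw described in the post above.

Added example, not code from the mailing-list post or from Foundstone.
Assumptions: the "o" parameter takes ids shaped like "^2155" (mirroring the
URL in the post); the customer table, tokens and log lines are constructed
for this demo.
"""
import re
import secrets
from collections import defaultdict

# Constructed customer table keyed by a sequential id, as the post describes.
CUSTOMERS = {
    2154: "Acme Widgets",
    2155: "Example Bank",
    2156: "Contoso Ltd",
}

ID_RE = re.compile(r"^\^(\d+)$")  # matches the "^2155" shape from the URL


def lookup_vulnerable(o: str):
    """Rules 1 and 2 both broken: whoever supplies a valid 'o' gets the name."""
    m = ID_RE.match(o)
    return CUSTOMERS.get(int(m.group(1))) if m else None


def enumerate_names(lookup, start: int, stop: int) -> dict:
    """'Rinse, increment, and repeat': walk the id space and keep the hits."""
    found = {}
    for i in range(start, stop + 1):
        name = lookup(f"^{i}")
        if name is not None:
            found[i] = name
    return found


# Hardened variant: the link carries a 256-bit random token minted server-side
# per customer.  It is not derived from the sequential id, so one known link
# tells its holder nothing about any other customer's link.
_TOKEN_TO_ID: dict = {}
_ID_TO_TOKEN: dict = {}


def issue_token(cid: int) -> str:
    """Mint (once) the opaque token that goes into customer `cid`'s link."""
    if cid not in _ID_TO_TOKEN:
        tok = secrets.token_urlsafe(32)
        _ID_TO_TOKEN[cid] = tok
        _TOKEN_TO_ID[tok] = cid
    return _ID_TO_TOKEN[cid]


def lookup_hardened(o: str):
    """Only an issued token resolves; "^2155"-style guesses return None."""
    cid = _TOKEN_TO_ID.get(o)
    return CUSTOMERS.get(cid) if cid is not None else None


# Detection side: a client that walks consecutive ids stands out in the logs.
# Constructed access-log entries as (client_ip, query_string).
LOG = [("203.0.113.7", f"?o=^{i}") for i in range(2150, 2157)] + [
    ("198.51.100.2", "?o=^2155"),
]


def flag_enumeration(log, threshold: int = 5) -> list:
    """Return clients whose longest run of consecutive ids is >= threshold."""
    per_client = defaultdict(set)
    for ip, query in log:
        m = re.search(r"[?&]o=\^(\d+)", query)
        if m:
            per_client[ip].add(int(m.group(1)))
    flagged = []
    for ip, ids in per_client.items():
        ordered = sorted(ids)
        run = best = 1
        for a, b in zip(ordered, ordered[1:]):
            run = run + 1 if b - a == 1 else 1
            best = max(best, run)
        if best >= threshold:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    print("vulnerable:", enumerate_names(lookup_vulnerable, 2150, 2160))
    print("hardened:  ", enumerate_names(lookup_hardened, 2150, 2160))
    print("flagged:   ", flag_enumeration(LOG))
```

The token variant is the fix that keeps the post's setting, a pre-login link that pre-fills a form. Where the page is only reachable after login, the stronger fix is to take the customer identity from the authenticated session and put nothing customer-specific in the URL at all; then there is no parameter to increment.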

1 Comment:

Anonymous said...

Looks like they've been reading your blog, because this doesn't work anymore.

I wish it worked with the passwords, too -- it took me two weeks to get them to give me a login to their download site!

Anyway, this blog post just affirms the hours I spent coding an auto-populate page that uses our long-ish customer id hashed together with the UNIX timestamp of when their account was created. Hard to guess, and hard to guess an unknown id based on a known ID.

Sunday, March 12, 2006 9:55:00 PM  
