Saturday, February 15, 2014

Timers and Server Login Security

Many sites use timing mechanisms to deter botnets or lone systems from trying to brute-force a correct username and password combination. This security method is completely ineffective: even a JavaScript user-pass cracker can be made to wait 1000 milliseconds between attempts, so that it is classified as a user rather than as a heuristic attacker. This exploit works especially well against large servers, which are designed to accommodate heavy traffic and therefore often do not separate noise from an attack.
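As an added illustration (not from the original post), the following simulation contrasts a timer-based heuristic, which only rejects requests that arrive faster than a threshold, with a server-side counter that bounds wrong guesses per account no matter how slowly they arrive. The client address, account name, thresholds and guess stream are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class RateHeuristic:
    """Timer-based deterrent: a request is rejected only if it arrives less
    than min_gap seconds after the previous request from the same client."""
    min_gap: float = 1.0
    last_seen: Dict[str, float] = field(default_factory=dict)

    def allow(self, client: str, now: float) -> bool:
        prev = self.last_seen.get(client)
        self.last_seen[client] = now  # rejected requests still restart the gap
        return prev is None or now - prev >= self.min_gap


@dataclass
class FailureCounter:
    """Server-side control: after max_failures wrong guesses an account stops
    being evaluated at all, whatever the pacing; a correct login resets it."""
    max_failures: int = 5
    failures: Dict[str, int] = field(default_factory=dict)

    def allow(self, account: str, ok: bool) -> bool:
        if self.failures.get(account, 0) >= self.max_failures:
            return False
        self.failures[account] = 0 if ok else self.failures.get(account, 0) + 1
        return True


def simulate(n_guesses: int, gap: float, correct_index: int) -> Tuple[int, int]:
    """Feed n_guesses attempts spaced `gap` seconds apart (only the one at
    correct_index is right) through both policies. Returns how many guesses
    each policy actually let through to password verification."""
    rate, counter = RateHeuristic(), FailureCounter()
    passed_rate = passed_counter = 0
    for i in range(n_guesses):
        now = i * gap                      # constructed timestamps
        ok = i == correct_index
        if rate.allow("203.0.113.7", now):  # constructed client address
            passed_rate += 1
        if counter.allow("alice", ok):      # constructed account name
            passed_counter += 1
    return passed_rate, passed_counter


if __name__ == "__main__":
    # A cracker paced at one guess per second gets every guess past the timer,
    # but the failure counter stops evaluating after five wrong ones.
    print(simulate(100, 1.0, 99))  # -> (100, 5)
```

A hard lock as written also lets anyone who knows a username lock that user out, which is why production systems usually prefer per-account backoff or step-up challenges over a permanent counter.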
