|
|
Posted by Alexander Mueller on 01/10/08 22:31
Ben C wrote:
>
> So why wouldn't this work just as well:
>
> 1. The user requests a site.
> 2. The server sends the login form, which also contains a hidden input
> whose value is a number picked out of a hat, which we call x.
> 3. The user enters the necessary information and submits the form.
> 4. The browser receives in the formdata at least two items: the password
> and a number. It checks the user's password (by hashing it and
> looking for it in a list of stored hashes, for the sake of argument)
> and also that the number is equal to x. If either check fails it
> refuses to go any further. Either way it makes a note never to accept
> x again.
An attacker would have determined both values, discarded the number,
send his own request which gets him his own number and sends the
password along with his number. There he goes.
Alexander
Navigation:
[Reply to this message]
|