[WEB SECURITY] Bypassing of security mechanisms

MustLive mustlive at websecurity.com.ua
Wed Sep 28 12:33:54 EDT 2011


Hello participants of Mailing List.

I will draw your attention to my two articles concerning bypassing of
security mechanisms. Which I'll tell you briefly about.

In August, among different my articles, I wrote two ones in which I've
described my methods of bypassing of security mechanisms at web sites. This
topic should be interesting for you.

1. Bypassing of captchas and blocking at web sites
http://websecurity.com.ua/5334/

2. Bypassing of blocking by IP at web sites
http://websecurity.com.ua/5352/

In the first article I told about bypassing such protections as captchas and
blocking at sites. I saw a lot of web sites with such security mechanisms
for last two years (first time I met such one in 2009). And developed this
method of bypassing of blocking, and in July I've used it to bypass captcha
too. And I've already mentioned about such protection mechanisms and their
bypass last year in my article "Using of safety mechanisms for blocking
access to the site"
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-August/007003.html).

Besides, in this article I wrote about vulnerability in MyBB - as an example
of such attacks. Which I've already disclosed at the beginning of the month
(http://lists.grok.org.uk/pipermail/full-disclosure/2011-September/082625.html).

In the second article, I wrote about bypassing of more robust protection -
blocking by IP. After for last time I saw and bypassed such protection
mechanisms (captcha and blocking by IP) at one card processing PCI DSS
site, I've decided to write these articles. If web developers (and PCI
DSSers who should not miss such weaknesses during their audit of the
sites) have missed what I wrote about such attacks in my 2010's article.

I've not translated them to English. So if somebody will find them
interesting (one or both articles), he can request a translation ;-). There
are a lot of web sites in Internet which can be attacked with using of such
methods.

Best wishes & regards,
MustLive
http://soundcloud.com/mustlive 






More information about the websecurity mailing list