How robots and spiders are causing issues, how to stop them. We can also talk about Completely Automated Public Turing Test To Tell Computers And Humans Apart - their use, their compliance issues, porn proxies, PWNtcha and other ways to defeat them. 

Results 1 - 14 of 14
5 years ago
NickWilliams
If an attacker can utilize javascript that is executed within your domain, you're pretty well hosed with regard to traditional http. Even if you disable XHR (would be curious to know how you planned to do this) they can still create a form and submit it. The following is a half-baked idea: Flash or Silverlight would give you a channel that the javascript wouldn't be able to screw with, but
Forum: CSRF and Session Info
5 years ago
NickWilliams
I think the best example is Amazon's Web Services; they utilize HMAC-SHA1 extensively. Their documentation also describes the process thoroughly: http://docs.amazonwebservices.com/AmazonS3/2006-03-01/index.html?RESTAuthentication.html Further, it looks like they transmit the timestamp visibly as well as use it in creating the hash. This will ensure that the timestamp sent by the client is act
Forum: CSRF and Session Info
5 years ago
NickWilliams
Synchronization of timestamps is tough. Generally the server and client do some handshaking and the client estimates its latency to adjust the timestamp it sends in an attempt to match the server's. The server also applies a tolerance but, in our situation, this requires additional processing at high cost depending on the resolution of the timestamp (e.g. calculate timestamp for 1 second ago, 2
Forum: CSRF and Session Info
5 years ago
NickWilliams
gunwant_s Wrote:
> You mean besides concatenating the salt, I should also append the time-stamp to it before sending the credentials to the server. You don't think it's already mitigating replay attacks. Any scenario you can provide to show how a replay attack can take place w/o the time-stamps appende
Forum: CSRF and Session Info
5 years ago
NickWilliams
There shouldn't be any way to do this. HTML spec dictates that all browsers should URLEncode parameters for a form with enctype=application/x-www-form-urlencoded before sending the message. If you did find a way to do this it would definitely be browser specific as it will have been an oversight on the browser manufacturer's part. There is no way to override the Content-Type a browser assigns
Forum: CSRF and Session Info
5 years ago
NickWilliams
It is difficult to ascertain what you are trying to say, gunwant. I hope that in the future people replying to this thread will be patient and helpful rather than volatile like that of Malkav. Firstly, what you've mentioned sounds an awful lot like HMAC (http://en.wikipedia.org/wiki/HMAC). HMAC will ensure that the message is coming from an authentic source and it will also ensure the message
Forum: CSRF and Session Info
6 years ago
NickWilliams
I would imagine the system is fairly simple, consisting of the web service for uploading/checking status of the captchas along with another side of the system for retrieval and answering done by the hired labor - whether it be a web app or desktop app... not all that much involved. Any code you might see likely wouldn't impress anyone unless it belongs in a post on The Daily WTF.
Forum: Robots/Spiders/CAPTCHAs, oh my
6 years ago
NickWilliams
The "Offshore Incorporation - Lawsuit and Asset Protection" post on their blog might also have something to do with it.
Forum: Robots/Spiders/CAPTCHAs, oh my
6 years ago
NickWilliams
The service is real, believe it or not. I came across it several months ago shortly after it was released... at one point you would reliably receive a response in less than a minute. Their business model is obviously: offer it free to the Average Joe, and if Average Joe turns into Often Joe they negotiate a fee for the 'bulk processing'. They state on their site that they aren't accepting cus
Forum: Robots/Spiders/CAPTCHAs, oh my
7 years ago
NickWilliams
How about after submit, the pass phrase is validated against known/popular phrases by Googling it or the likes. I often wonder why a limit is placed on passwords these days... especially for things like web applications where the length is never really an issue (unless using a field type that truncates to 255, but even then it's easy to design for).
Forum: News and Links
7 years ago
NickWilliams
trev Wrote:
> NickWilliams, removing "Powered by Wordpress" is unfortunately not enough. I have seen spammers coming from search requests like "XHTML: You can use these tags: <a href" - the "powered by" strings are obviously not reliable enough and spammers switch to characte
Forum: Robots/Spiders/CAPTCHAs, oh my
7 years ago
NickWilliams
I'm referring to software specifically written to spam a service, blog, mine data, etc, whether it be in a spider-like system or targeted towards a specific service/domain such as Blogger. If you want to update things every two days.. Why update the captcha? Why have a captcha at all? Why not just rename the form fields every two days? My point was, javascript is not a barricade against bo
Forum: Robots/Spiders/CAPTCHAs, oh my
7 years ago
NickWilliams
It really is rather trivial. The MSHTML/shdocvw.dll library allows direct implementation of Internet Explorer's rendering engine et al. To break the Hayes Captcha it's a matter of dropping in the shdocvw.dll ActiveX control (high level/simple implementation) and navigating the page, and then simply navigating to the javascript Trev has provided. You could also port the javascript over to your
Forum: Robots/Spiders/CAPTCHAs, oh my
7 years ago
NickWilliams
jungsonn Wrote:
> As long as no one can launch an *automated* attack on CAPTCHAs with Javascript I really think they work, and aren't broken.

What logic are you using to determine that no one can launch an automated attack? Most automated spider systems I've worked on (Literally 85% out of dozens) are not simply winsoc
Forum: Robots/Spiders/CAPTCHAs, oh my