A suggestion for attacker
Forum: Support questions & how to use/enhance Vorras Antibot
Roy (Guest)
Posted: Sat Jan 29, 2005 9:37 am    Post subject: A suggestion for attacker

Antibot 1.0 does not fulfil its goal. The hashing is not useful anyway. An attacker can simply submit the captured hash value and the string together.

e.g.
http://www.vorras.com/cgi-bin/demo/antibot/pythonreply.cgi?sequence=hnjdb&realsequence=c110870b6595cb9533dac39308f1c57fc630d34a

For a better solution, we should compare the value in the session.
This is just a suggestion. You may ignore it, but it is too easy to flood the poll if we use this antibot.
haris (Site Admin)
Joined: 22 Aug 2002
Posts: 40
Posted: Tue Feb 01, 2005 11:21 am

Hi,

How will the attacker get the string though? The attacker is not human, and is not supposed to be able to read the string itself. Therefore the attacker cannot form the URL you mention in your message.

Haris
Guest
Posted: Fri Feb 25, 2005 1:53 pm

Yes, the attacker is a bot, but the bot is made by a human.

Just keep posting the same string, and this Vorras Antibot will accept the poll.

That is why you want to generate an image with noise: you don't want the bot to grep any string from the image name, or even the binary of the image, to guess the string (number).

Putting the hash inside the page violates that rule. The bot can grep the hash and the number; it is easy to flood the poll.

So, why not store the number somewhere else, but let the client browser know it?
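The fix Roy proposed in the first post (compare against a value held in the session) and the one suggested in the post above (keep the number on the server and give the browser only a reference to it) amount to the same design. The following is an added example, not Vorras code: stateless_verify is an assumed model of the behaviour the thread describes, where the page carries the answer's hash and any matching pair is accepted; SessionCaptcha is the server-side, single-use alternative. The secret, answers and clock are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Assumed model of the stateless scheme discussed in the thread (constructed secret,
# not Vorras's real key): the hash travels with the form, so a captured pair replays.
SERVER_SECRET = b"constructed-demo-secret"


def stateless_hash(answer: str) -> str:
    return hmac.new(SERVER_SECRET, answer.encode(), hashlib.sha1).hexdigest()


def stateless_verify(answer: str, presented_hash: str) -> bool:
    # Nothing binds the pair to a session or to a single use: once captured,
    # (answer, hash) is accepted on every submission.
    return hmac.compare_digest(stateless_hash(answer), presented_hash)


class SessionCaptcha:
    """Server-side store: the answer never leaves the server, and every
    challenge id is single-use and expires after ttl_seconds."""

    def __init__(self, ttl_seconds: int = 300, now=time.time):
        self._pending = {}          # challenge_id -> (answer, expires_at)
        self._ttl = ttl_seconds
        self._now = now             # injectable clock so expiry can be tested

    def issue(self, answer: str) -> str:
        # Only the random challenge id reaches the client (session cookie or
        # hidden field); the answer stays in server-side state.
        cid = secrets.token_urlsafe(16)
        self._pending[cid] = (answer, self._now() + self._ttl)
        return cid

    def verify(self, cid: str, submitted: str) -> bool:
        # pop(): one attempt per challenge, consumed whether right or wrong,
        # so a captured (cid, answer) pair cannot be replayed.
        record = self._pending.pop(cid, None)
        if record is None:
            return False
        answer, expires_at = record
        if self._now() > expires_at:
            return False
        return hmac.compare_digest(answer.encode(), submitted.encode())
```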
Guest
Posted: Fri Feb 25, 2005 2:02 pm

Actually, we do not need any bot to attack it either! The following code shows that no bot is needed. For flooding the poll, an attacker can implement the two-string pair in their bot. (No guessing is needed either!)

<table border="0" cellspacing="0" cellpadding="1"><tr>
<td valign="middle" nowrap class="content">
Simply press Submit to bloom it.<br><br>
<form action="http://www.vorras.com/cgi-bin/demo/antibot/pythonreply.cgi" method="POST">
Always use the same number &nbsp;<br>
<input type="text" size="7" maxlength="15" name="sequence" value="hnjdb"><br>
Always use the same matched hash<br>
<input type="text" name="realsequence" value="c110870b6595cb9533dac39308f1c57fc630d34a"><br>
<input type="submit" value="Submit">
</form>
</td></tr></table>
Secret Kill (Guest)
Posted: Fri Feb 25, 2005 2:17 pm

Cool

Hashing itself cannot guarantee security; hashing is simply a one-way function.

If the server uses the hash statically, without dynamic generation, it's useless.
All times are GMT + 6.5 Hours
Copyright © 2005 Vorras Corporation. All rights reserved.