
Contributors

Robert Auger
Ryan Barnett
Yuval Ben-Itzhak
Erik Caso
Cesar Currudo
Sacha Faust
JD Glaser
Jeremiah Grossman
Sverre H. Huseby
Amit Klein
Mitja Kolsek
Aaron C. Newman
Steve Orrin
Bill Pennington
Ray Pompon
Mike Shema
Ory Segal
Caleb Sima



Insufficient Anti-automation
Insufficient Anti-automation is when a web site permits an attacker to automate a process that should only be performed manually. Certain web site functionalities should be protected against automated attacks.

Left unchecked, automated robots (programs) or attackers could repeatedly exercise web site functionality in an attempt to exploit or defraud the system. An automated robot could potentially execute thousands of requests a minute, causing a loss of performance or a denial of service.

For example, an automated robot should not be able to sign up ten thousand new accounts in a few minutes. Similarly, automated robots should not be able to annoy other users with repeated message board postings. These operations should be limited only to human usage.
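One way a site can enforce the "human pace" described above is a per-client sliding-window limit on sensitive actions such as account signup and message posting. The following is an added example, not code from the WASC document; the policy numbers, the `Request` shape and the sample traffic are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Request:
    client: str   # constructed client identifier (session id, account, or IP)
    action: str   # protected action name, e.g. "signup" or "post"
    t: float      # request time in seconds


# Assumed policy: (max actions, window in seconds) per client per action.
# Actions not listed here are left unrestricted.
POLICY = {"signup": (3, 3600.0), "post": (5, 60.0)}


class AntiAutomation:
    """Sliding-window limiter for actions that should only happen at human pace."""

    def __init__(self, policy=POLICY):
        self.policy = policy
        # (client, action) -> timestamps of *allowed* requests inside the window
        self.history = defaultdict(deque)

    def allow(self, req):
        limit = self.policy.get(req.action)
        if limit is None:
            return True
        max_count, window = limit
        q = self.history[(req.client, req.action)]
        # Drop timestamps that have aged out of the window.
        while q and req.t - q[0] >= window:
            q.popleft()
        if len(q) >= max_count:
            return False          # over budget: deny (or challenge with a CAPTCHA)
        q.append(req.t)           # only successful actions count toward the budget
        return True


def process(requests):
    """Return the allow/deny decision for each request, in order."""
    guard = AntiAutomation()
    return [guard.allow(r) for r in requests]


# Constructed traffic: one client firing signups every second, one normal signup,
# then the first client returning after the one-hour window has elapsed.
SAMPLE = [Request("bot-1", "signup", float(t)) for t in range(5)]
SAMPLE += [Request("user-7", "signup", 10.0), Request("bot-1", "signup", 3700.0)]
```

Keying only on source IP is weak against attackers who rotate addresses; combining the limit with a per-session or per-account key and a CAPTCHA challenge on denial covers the message-board and signup cases the text describes.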





© Copyright 2005, Web Application Security Consortium. All rights reserved.