[OpenID] OpenID as an attack relay
benl at google.com
Mon Mar 19 16:28:55 UTC 2007
On 3/19/07, Martin Foster <martin at ethereal-realms.org> wrote:
> Some sites using my code are experiencing a phenomenon where users
> register, gain access and use a certain component of the site in order
> to attack another service. They use the systems check of an image URL
> (by retrieving it and getting information on the file) to craft attack
> strings used on vulnerable systems.
Can you describe this in more detail? I don't get what you're describing.
> While I can create a throttle system that will check to see how often
> modifications were made in that section and slow things down or skip it
> entirely; it is more difficult to detect such an attack before a user
> even authenticates against the system.
> Since by nature OpenID identifiers must be verified to get information
> on the identity provider and so forth, I can envision the OpenID enabled
> version of the code to expose a new portion of itself to behave like an
> attack relay. Is there anything at all in the specification that can
> thwart such attempts?
> Martin Foster
> Creator/Designer Ethereal Realms
> martin at ethereal-realms.org
> general mailing list
> general at openid.net
More information about the general