[OpenID] OpenID as an attack relay
Martin Foster
martin at ethereal-realms.org
Mon Mar 19 16:25:36 UTC 2007
Some sites using my code are experiencing a phenomenon where users
register, gain access and use a certain component of the site in order
to attack another service. They use the systems check of an image URL
(by retrieving it and getting information on the file) to craft attack
strings used on vulnerable systems.
While I can create a throttle system that will check to see how often
modifications were made in that section and slow things down or skip it
entirely; it is more difficult to detect such an attack before a user
even authenticates against the system.
Since by nature OpenID identifiers must be verified to get information
on the identity provider and so forth, I can envision the OpenID enabled
version of the code to expose a new portion of itself to behave like an
attack relay. Is there anything at all in the specification that can
thwart such attempts?
Martin Foster
Creator/Designer Ethereal Realms
martin at ethereal-realms.org
More information about the general
mailing list