[OpenID] OpenID as an attack relay

Ben Laurie benl at google.com
Mon Mar 19 16:28:55 UTC 2007


On 3/19/07, Martin Foster <martin at ethereal-realms.org> wrote:
> Some sites using my code are experiencing a phenomenon where users
> register, gain access and use a certain component of the site in order
> to attack another service. They use the system's check of an image URL
> (by retrieving it and getting information on the file) to craft attack
> strings used on vulnerable systems.

Can you describe this in more detail? I don't get what you're describing.

>
> While I can create a throttle system that will check to see how often
> modifications were made in that section and slow things down or skip it
> entirely, it is more difficult to detect such an attack before a user
> even authenticates against the system.
>
> Since by nature OpenID identifiers must be verified to get information
> on the identity provider and so forth, I can envision the OpenID-enabled
> version of the code to expose a new portion of itself to behave like an
> attack relay. Is there anything at all in the specification that can
> thwart such attempts?
>
>         Martin Foster
>         Creator/Designer Ethereal Realms
>         martin at ethereal-realms.org
>
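
One way to bound the relay behaviour described in the quoted message, as an added example that is not part of the original thread or of any OpenID library: a guard a relying party could call before fetching a user-supplied identifier URL, throttling per client and per resolved target and refusing non-public addresses. `DiscoveryGuard`, its limits and its reason strings are assumptions.

```python
# Added example: DiscoveryGuard and its limits are hypothetical names and values.
import ipaddress
import socket
import time
from collections import defaultdict, deque
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _dns(host, port):
    return [ai[4][0] for ai in socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)]

class DiscoveryGuard:
    def __init__(self, limit=5, window=60.0, resolver=_dns, clock=time.monotonic):
        self.limit, self.window = limit, window
        self.resolver, self.clock = resolver, clock
        self.hits = defaultdict(deque)  # throttle key -> recent fetch times

    def _throttled(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:  # drop entries outside the window
            q.popleft()
        if len(q) >= self.limit:
            return True
        q.append(now)
        return False

    def check(self, client_ip, identifier):
        """Return (allowed, reason) for one pre-authentication discovery fetch."""
        url = identifier if "://" in identifier else "http://" + identifier
        try:
            parts = urlsplit(url)
            port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
        except ValueError:
            return False, "url"
        if (parts.scheme not in DEFAULT_PORTS or port not in (80, 443)
                or not parts.hostname or parts.username):
            return False, "url"
        now = self.clock()
        if self._throttled(("client", client_ip), now):  # before any DNS lookup
            return False, "client throttled"
        try:
            addrs = self.resolver(parts.hostname, port)
        except OSError:
            addrs = []
        # Refuse loopback, private and other non-public targets.
        if not addrs or not all(ipaddress.ip_address(a).is_global for a in addrs):
            return False, "address"
        # Key on the resolved address so many hostnames for one victim share a budget.
        if self._throttled(("target", addrs[0]), now):
            return False, "target throttled"
        return True, "ok"
```

The fetch that follows should connect to the address that was vetted and run the same check on every redirect.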


