Secret Question and Answer
A user's password could be "Richmond" with a secret question of "Where were you born". An attacker could then limit a secret answer Brute Force attack to city names. Furthermore, if the attacker knows a little about the target user, learning their birthplace is also an easy task.
References
"Protecting Secret Keys with Personal Entropy", by Carl Ellison, C. Hall, R. Milbert, and B. Schneier
http://www.schneier.com/paper-personal-entropy.html
"Emergency Key Recovery without Third Parties", Carl Ellison
http://theworld.com/~cme/html/rump96.html
2 Authorization
The Authorization section covers attacks that target a web site's method of determining if a user, service, or application has the necessary permissions to perform a requested action. For example, many web sites should only allow certain users to access specific content or functionality. Other times a user's access to other resources might be restricted. Using various techniques, an attacker can fool a web site into increasing their privileges to protected areas.
2.1 Credential/Session Prediction
Credential/Session Prediction is a method of hijacking or impersonating a web site user. Deducing or guessing the unique value that identifies a particular session or user accomplishes the attack. Also known as Session Hijacking, the consequences could allow attackers the ability to issue web site requests with the compromised user's privileges.
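The attack above only works when the session value is deducible. The following example is added here and is not code from the WASC document: it contrasts a constructed weak session ID scheme (clock plus counter, the kind of value an observer can extrapolate) with one drawn from the OS CSPRNG, and includes a simple audit check a reviewer can run over a sample of issued IDs. The gap threshold and the 64-bit floor in assess() are assumed heuristics, not values from the text.

```python
import math
import secrets
import time


def weak_session_id(counter, now=None):
    """Constructed weak scheme: epoch seconds plus a per-process counter.
    Holding one ID is enough to deduce its neighbours."""
    now = int(time.time()) if now is None else int(now)
    return f"{now}{counter:04d}"


def strong_session_id(nbytes=16):
    """Hardened form: 128 bits from the OS CSPRNG, URL-safe for a cookie."""
    return secrets.token_urlsafe(nbytes)


def charset_bits(token):
    """Upper bound on the entropy an ID could carry, from its length and the
    alphabet it actually uses (decimal digits, hex, or base64url-style)."""
    alphabet = set(token)
    if alphabet <= set("0123456789"):
        size = 10
    elif alphabet <= set("0123456789abcdefABCDEF"):
        size = 16
    else:
        size = 64
    return len(token) * math.log2(size)


def looks_sequential(ids, max_gap=2 ** 20):
    """True when a sample of numeric IDs is strictly increasing with small
    gaps: the next value is then at most max_gap guesses away rather than
    one in 2^128. Non-numeric IDs cannot be sequential in this sense."""
    try:
        values = [int(i) for i in ids]
    except ValueError:
        return False
    gaps = [b - a for a, b in zip(values, values[1:])]
    return len(gaps) > 0 and all(0 < g <= max_gap for g in gaps)


def assess(ids):
    """Audit a sample of issued session IDs; returns 'ok' or a reason string
    explaining why the values are predictable (assumed 64-bit floor)."""
    if looks_sequential(ids):
        return "predictable: values are monotonic with small gaps"
    bits = min(charset_bits(i) for i in ids)
    if bits < 64:
        return f"predictable: at most {bits:.0f} bits of entropy"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: five IDs issued within the same second.
    weak = [weak_session_id(i, now=1_700_000_000) for i in range(1, 6)]
    strong = [strong_session_id() for _ in range(5)]
    print("weak  :", weak, "->", assess(weak))
    print("strong:", strong, "->", assess(strong))
```

The check is deliberately crude: it catches the two failure modes the text describes (a value that can be counted up to, and a value too short to resist guessing). It cannot prove an ID is random, so it belongs in a review checklist alongside confirming that the generator is a CSPRNG.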
Copyright 2004, Web Application Security Consortium. All rights reserved.