Before reading, please know that my intent is not malicious. I seek only to point out the poor security of many CGI login forms.

I recently wrote a simple batch file that ultilized cURL to carry out a limited dictionary attack on a CGI program. If anyone is unfamiliar with this, cURL is basically a command line tool for making HTTP, FTP, etc requests. I used 2,000 common passwords. It was suprisingly easy, and could be summed up in one line:

FOR %%pass IN (list) DO CURL -d "username=username&password=%%pass">>results.html

I tested it out on a smaller scale on my own account on one of the various webservices I use, and suprisingly, it worked. It scares me that with my limited experience in programming, I was still able to do this. It's also alarming that many sites still have unlimited login attempts.