How good is the security

Discussion in 'XenForo Pre-Sales Questions' started by tenants, Jul 29, 2011.

  1. tenants

    tenants Well-Known Member

    How good is the security?

    Has much system penetration testing been done on this type of forum?

    And do you mind if I give the forum a quick scan (before I buy)? I'll do it on the test forums.
  2. ibnesayeed

    ibnesayeed Well-Known Member

  3. tenants

    tenants Well-Known Member

    Yes, that's what I meant.

    Is it okay if I do a quick security scan on the demo site before buying?
  4. ibnesayeed

    ibnesayeed Well-Known Member

    I believe I am not the one to comment on this, because it might end up being a DoS attack for good reason. :)
  5. kkm323

    kkm323 Well-Known Member

    So far I have never seen or heard of an attack against my/other sites, and I have been using XF since beta 1.
    Just to let you know, my site has been attacked twice using vB :(

    XF rocks :)
  6. Dean

    Dean Well-Known Member

    I've no idea what you mean by a quick security scan, I am sure someone will be along in the next several hours to give better input.
  7. tenants

    tenants Well-Known Member

    Using an automated tool to check for security issues (I use them at work)...
    They can take quite a bit of server resources, but my network is slow (with my slow network, it should be just like a few users browsing the site... but every bit of the demo site).

    I've been white-hat security testing for years (and only recently has my work decided they would send me on training courses for security tools ...tsh).
    But the tools are quite good at picking up the obvious things.
  8. ManagerJosh

    ManagerJosh Well-Known Member

    To what extent? I can tell you personally, as a pen tester, that I've run a number of SQL injection and XSS programs against XenForo in its early beta and I have a hard time finding a vulnerability.

    I can tell you that by default the system is built to deny JavaScript unless you allow for it in the templates.

    BTW, found the post where you can try :)

    From the barefoot god himself :p

  9. Onimua

    Onimua Well-Known Member

    Not to mention it's developed by two of the most highly-skilled developers in the forum community market. I'm sure they've got the basics down after over a decade of working with online communities. ;)
  10. maidos

    maidos Active Member

    Well, XF hasn't released any security patches that require immediate attention, nor has any website that focuses on security exploit reports any entries related to XenForo yet, like
  11. James

    James Well-Known Member

    The only "vulnerability" that has been found is:
  12. Floris

    Floris Guest

    Which is more a feature abuse than a security issue or vulnerability .. obviously.

    It's no different than a group of idiots agreeing to meet at 8pm and mass post for 1 hour so the admin comes online to 1500 posts of goatse .. it's not a "hack", nor a vulnerability, it's idiots ruining a good thing for the rest and wasting people's time.
  13. Floris

    Floris Guest

    During the alpha period I've run the alpha site through a proxy that auto-injects and exploits everything it can find on the page (fuzzing, injecting, XSS-ing, etc.). There were 200 warnings, 0 results, 0 critical and 1 possible (which turned out to be Google AdSense that we were testing for integration). The 200 warnings were all cookie related, and the same one for each page (and wasn't actually a security issue; the scanner couldn't process the data and assumed it required a human to take a look).

    That's an unofficial scan done by 5 users during the alpha period, and no, XenForo Limited didn't ask us to do that.