
How good is the security

tenants

Well-known member
#1
How good is the security?

Has much system penetration testing been done on this type of forum?

And do you mind if I give the forum a quick scan (before I buy), I'll do it on the test forums..
 

kkm323

Well-known member
#5
So far I have never seen or heard of an attack against my site or other sites, and I have been using XF since beta 1.
Just to let you know, my site has been attacked twice while using vB :(

XF rocks :)
 

Dean

Well-known member
#6
I've no idea what you mean by a quick security scan; I am sure someone will be along in the next several hours to give better input.
 

tenants

Well-known member
#7
Using an automated tool to check for security issues (I use them at work)...
They can take quite a bit of server resources, but my network is slow (with my slow network, it should be just like a few users browsing the site... but every bit of the demo site).

I've been white hat security testing for years (and only recently has my work decided they would send me on training courses for security tools ...tsh).
But the tools are quite good at picking up the obvious things.
 

ManagerJosh

Well-known member
#8
Using an automated tool to check for security issues (I use them at work)...
They can take quite a bit of server resources, but my network is slow (with my slow network, it should be just like a few users browsing the site... but every bit of the demo site).

I've been white hat security testing for years (and only recently has my work decided they would send me on training courses for security tools ...tsh).
But the tools are quite good at picking up the obvious things.
To what extent? I can tell you personally, as a pen tester, that I've run a number of SQL injection and XSS programs against XenForo in its early beta and I have a hard time finding a vulnerability.

I can tell you that by default the system is built to deny JavaScript unless you allow for it in the templates.

BTW, found the post where you can try :)

http://xenforo.com/community/threads/script-alert-hello-script.1469/

From the barefoot god himself :p


Go ahead and try. XenForo's template system is highly resilient to accidental XSS, as you will see when we demonstrate its workings.
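An added illustration, written for this thread and not XenForo's own code, of what "deny JavaScript unless you allow for it in the templates" amounts to in practice: an escape-by-default renderer where every substituted value is HTML-escaped unless the template author explicitly marks it as trusted raw HTML. The `Raw` wrapper, the `{name}` / `{raw:name}` placeholder syntax and the sample post title are assumptions of this example, not XenForo's actual template syntax.

```javascript
// Escape-by-default template rendering (example code, not XenForo's).
// The security property: untrusted data can only ever reach the page as
// escaped text; unescaped output requires an explicit, typed opt-in.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Template authors mark a value as already-safe HTML by wrapping it in Raw.
// This wrapper is the only path that bypasses escaping (assumed helper).
class Raw {
  constructor(html) { this.html = html; }
}

// Render {name} and {raw:name} placeholders (assumed syntax).
// Plain placeholders are always escaped. {raw:...} emits unescaped output
// only when the value is a Raw instance, so a plain user string that reaches
// a raw slot by mistake is still escaped rather than injected.
function render(template, vars) {
  return template.replace(/\{(raw:)?([A-Za-z_][A-Za-z0-9_]*)\}/g, (_, raw, name) => {
    const value = vars[name];
    if (value === undefined) return '';
    if (raw && value instanceof Raw) return value.html;
    return escapeHtml(value instanceof Raw ? value.html : value);
  });
}

// Constructed sample input: a post title supplied by an untrusted user,
// the same kind of probe as the "script alert hello" thread linked above.
const USER_TITLE = '<script>alert("hello")</script>';

// Render a page with the untrusted title and an admin-authored raw signature.
function demo() {
  const tpl = '<h1>{title}</h1><div class="sig">{raw:signature}</div>';
  return render(tpl, {
    title: USER_TITLE,
    signature: new Raw('<b>admin</b>'),
  });
}
```

The rendered title contains no executable script, only the literal text `&lt;script&gt;...`, while the explicitly trusted signature passes through unchanged.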
 

Onimua

Well-known member
#9
Not to mention it's developed by two of the most highly-skilled developers in the forum community market. I'm sure they've got the basics down after over a decade of working with online communities. ;)
 

James

Well-known member
#11
The only "vulnerability" that has been found is:
How Tedious are Script Kiddies?

It has come to our attention that various sites running XenForo are being targeted by script kiddies who are repeatedly visiting a page that results in an email being sent to a member, sometimes resulting in dozens of emails arriving in your inbox. This action cannot result in secure information being leaked, or compromise the security of the system, but it certainly is annoying if your inbox starts to fill up. To combat this, we have added two systems that should put a stop to the tedious antics.
 

Floris

Guest
#12
Which is more of a feature abuse than a security issue or vulnerability .. obviously.

It's no different than a group of idiots agreeing to meet at 8pm and mass post for 1 hour so the admin comes online to 1500 posts of goatse .. it's not a "hack", nor a vulnerability, it's idiots ruining a good thing for the rest and wasting people's time.
 

Floris

Guest
#13
During the alpha period I've run the alpha site through a proxy that auto-injects and exploits everything it can find on the page (fuzzing, injecting, XSS-ing, etc.). There were 200 warnings, 0 results, 0 critical and 1 possible (which turned out to be the Google AdSense integration we were testing). The 200 warnings were all cookie related, and the same one for each page (and it wasn't actually a security issue: the scanner couldn't process the data and assumed it required a human to take a look).

That's an unofficial scan done by 5 users during the alpha period, and no, XenForo Limited didn't ask us to do that.