How good is the security

tenants

How good is the security?

Has much system penetration testing been done on this type of forum?

And do you mind if I give the forum a quick scan (before I buy)? I'll do it on the test forums.
 
So far I have never seen or heard of an attack against my/other sites, and I have been using XF since beta 1.
Just to let you know, my site was attacked twice while using vB :(

XF rocks :)
 
Using an automated tool to check for security issues (I use them at work)...
They can take quite a bit of server resources, but my network is slow (with my slow network, it should be just like a few users browsing the site... but every bit of the demo site).

I've been white-hat security testing for years (and only recently has my work decided they would send me on training courses for security tools ...tsh).
But the tools are quite good at picking up the obvious things.
 
To what extent? I can tell you personally, as a pen tester, that I've run a number of SQL injection and XSS programs against XenForo in its early beta and I have a hard time finding a vulnerability.

I can tell you by default that the system is built to deny Javascript unless you allow for it in the templates.

BTW, found the post where you can try :)

http://xenforo.com/community/threads/script-alert-hello-script.1469/

From the barefoot god himself :p


Go ahead and try. XenForo's template system is highly resilient to accidental XSS, as you will see when we demonstrate its workings.
 
Not to mention it's developed by two of the most highly-skilled developers in the forum community market. I'm sure they've got the basics down after over a decade of working with online communities. ;)
 
The only "vulnerability" that has been found is:
How Tedious are Script Kiddies?

It has come to our attention that various sites running XenForo are being targeted by script kiddies who are repeatedly visiting a page that results in an email being sent to a member, sometimes resulting in dozens of emails arriving in your inbox. This action cannot result in secure information being leaked, or compromise the security of the system, but it certainly is annoying if your inbox starts to fill up. To combat this, we have added two systems that should put a stop to the tedious antics.
 
Which is more a feature abuse than a security issue or vulnerability .. obviously.

It's no different than a group of idiots agreeing to meet at 8pm and mass post for 1 hour so the admin comes online to 1500 posts of goatse .. it's not a "hack", nor a vulnerability, it's idiots ruining a good thing for the rest and wasting people's time.
 
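The quoted announcement says two systems were added against the mail-flood abuse without saying what they are. The block below is an added example of two independent brakes a practitioner would put in front of any "page view triggers an email" action; it is not XenForo's code, and both policies are assumptions chosen for illustration: a sliding-window cap on how many mails one source can cause, and a rule that a member who already has an unread notification mail gets no second one until they come back to the site. The `NotificationMailGuard` class, the simulation helpers, the IP `203.0.113.7` and the member names are all constructed.

```python
"""Two brakes on a page that causes mail to be sent to a member (illustrative, not XenForo code)."""
from __future__ import annotations

from collections import defaultdict, deque


class NotificationMailGuard:
    def __init__(self, max_per_source: int = 5, window_seconds: int = 600):
        self.max_per_source = max_per_source
        self.window = window_seconds
        # source key (IP or user id) -> timestamps of the mails it recently caused
        self._recent: dict[str, deque] = defaultdict(deque)
        # recipients with a notification mail outstanding; cleared when they return
        self._pending: set[str] = set()

    def _prune(self, source: str, now: float) -> deque:
        q = self._recent[source]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def should_send(self, source: str, recipient: str, now: float) -> tuple[bool, str]:
        # Brake 1: the member already has a mail they have not acted on, so
        # forty more hits on the page must not become forty more mails.
        if recipient in self._pending:
            return False, "recipient already notified; waiting for them to return"
        # Brake 2: sliding-window cap on mails a single source may trigger,
        # which also covers an attacker who rotates through many recipients.
        q = self._prune(source, now)
        if len(q) >= self.max_per_source:
            return False, "source over rate limit"
        q.append(now)
        self._pending.add(recipient)
        return True, "sent"

    def recipient_returned(self, recipient: str) -> None:
        # Called when the member views the site or their inbox; they may be mailed again.
        self._pending.discard(recipient)


def simulate_flood(hits: int = 40) -> dict:
    """Constructed scenario: one source hammers the page against one member,
    the member then logs in, and the source hits the page once more."""
    guard = NotificationMailGuard(max_per_source=5, window_seconds=600)
    sent = 0
    for i in range(hits):
        ok, _ = guard.should_send("203.0.113.7", "member42", now=float(i))
        sent += ok
    guard.recipient_returned("member42")
    ok_after, _ = guard.should_send("203.0.113.7", "member42", now=float(hits))
    return {"sent_during_flood": sent, "sent_after_return": ok_after}


def simulate_many_recipients(n: int = 12) -> int:
    """Constructed scenario: the same source targets n different members
    one second apart; only the per-source cap can stop this one."""
    guard = NotificationMailGuard(max_per_source=5, window_seconds=600)
    sent = 0
    for i in range(n):
        ok, _ = guard.should_send("203.0.113.7", f"member{i}", now=float(i))
        sent += ok
    return sent


if __name__ == "__main__":
    print(simulate_flood())            # one mail during the flood, one after the member returns
    print(simulate_many_recipients())  # capped at five within the window
```

The two brakes fail independently: the "no second mail until they return" rule alone is defeated by spreading hits across many recipients, and the per-source cap alone is defeated by a distributed set of sources, which is why both are worth having even though neither is a fix for a vulnerability in the usual sense.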
During the alpha period I ran the alpha site through a proxy that auto-injects and exploits everything it can find on the page (fuzzing, injecting, XSS-ing, etc.). There were 200 warnings, 0 results, 0 critical and 1 possible (which turned out to be the Google AdSense code we were testing for integration). The 200 warnings were all cookie-related, and the same one for each page (and not actually a security issue: the scanner couldn't process the data and assumed it required a human to take a look).

That's an unofficial scan done by 5 users during the alpha period, and no, XenForo Limited didn't ask us to do that.
 