
Limit username validation attempts to improve security

Discussion in 'XenForo Suggestions' started by Alfa1, Oct 31, 2015.

  1. Alfa1

    Alfa1 Well-Known Member

    The registration form has a username validation function. It seems this can be abused by attackers to find out what accounts are present on the site. The attacker can run a script to try millions of possible usernames to get a member list. I have recently encountered such an attack on my vbulletin big board, as vbulletin has a similar function. I've tried it out and there does not seem to be any limitation on xenforo registration either.
    Once the attacker has a member list they are one step closer to hacking a site. Therefore I think it should be prevented.

    This can be prevented by implementing a limit on this function, so that a user can only try X times, after which the user will be locked out from using this function.
  2. Mouth

    Mouth Well-Known Member

    Yes, please.
    Mihailo likes this.
  3. HWS

    HWS Well-Known Member

    A user list can also be retrieved by simply parsing the thread pages. This also seems a lot easier for potential "hackers" and you have the additional "bonus" to know who is moderator and administrator. IMHO only a very silly hacker would target the registration page for this info. And if the hacker has success with a login, all he gets is the account with the weak password.

    If you own a large site you may have a firewall limiting the connections of a single client anyway...
    SneakyDave, Xon and ozzy47 like this.
  4. Alfa1

    Alfa1 Well-Known Member

    Thread pages only show posting members in public forums, which is very incomplete, with duplicate data, and therefore ineffective.
  5. Xon

    Xon Well-Known Member

    I implement fairly aggressive rate limiting for login & registration pages at the webserver level purely for this reason.
    Itworx4me, Alfa1 and HWS like this.
  6. Mouth

    Mouth Well-Known Member

    nginx? Happy to share the config?
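As an added illustration of the limit proposed in the first post (X attempts, then a lockout) and of the per-client rate limiting Xon describes, the following Python is example code written for this thread, not XenForo's own code and not Xon's configuration. The attempt and lockout numbers, the client key (here an IP string) and the stand-in member table are all assumptions. At the webserver level the equivalent is nginx's limit_req_zone/limit_req directives applied to the registration and login paths; the point of the application-level version below is that every check counts against the caller, whether or not the name exists, so the counter itself reveals nothing about the member list.

```python
"""Added example: per-client attempt limit with lockout for a username
availability check. Not XenForo's code; the limits, the client key and
the member table are assumptions chosen for illustration."""
import time
from collections import defaultdict, deque

MAX_ATTEMPTS = 10        # attempts allowed per client within WINDOW_SECONDS (assumed value)
WINDOW_SECONDS = 60.0    # sliding window length (assumed value)
LOCKOUT_SECONDS = 600.0  # block duration once the limit is exceeded (assumed value)

# Constructed stand-in for the site's member table.
KNOWN_USERNAMES = {"alice", "bob", "carol"}


class UsernameCheckLimiter:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._attempts = defaultdict(deque)  # client -> timestamps of recent attempts
        self._locked_until = {}              # client -> time at which the lock expires

    def _prune(self, client, now):
        # Drop attempts that have fallen out of the sliding window.
        q = self._attempts[client]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_locked(self, client):
        until = self._locked_until.get(client)
        if until is None:
            return False
        if self._clock() >= until:
            del self._locked_until[client]
            return False
        return True

    def check(self, client, username):
        """Return 'locked', 'taken' or 'available'.

        Every attempt is counted before the name is looked up, so a caller
        cannot tell from the counter whether a name exists."""
        now = self._clock()
        if self.is_locked(client):
            return "locked"
        self._prune(client, now)
        q = self._attempts[client]
        q.append(now)
        if len(q) > MAX_ATTEMPTS:
            self._locked_until[client] = now + LOCKOUT_SECONDS
            q.clear()
            return "locked"
        return "taken" if username.lower() in KNOWN_USERNAMES else "available"


class FakeClock:
    """Controllable clock so the limiter can be exercised offline."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Run a constructed burst of checks from one client and return
    (per-attempt results, result for an unrelated client, result after lockout)."""
    clock = FakeClock()
    limiter = UsernameCheckLimiter(clock=clock)
    results = []
    # Constructed list of candidate names, as a script working through a dump would send.
    candidates = ["alice", "dave", "bob", "erin"] + [f"user{i}" for i in range(20)]
    for name in candidates:
        results.append(limiter.check("203.0.113.7", name))
        clock.advance(0.1)
    other = limiter.check("198.51.100.9", "alice")   # a different client is unaffected
    clock.advance(LOCKOUT_SECONDS)                    # wait out the lockout
    after = limiter.check("203.0.113.7", "carol")
    return results, other, after


if __name__ == "__main__":
    print(demo())
```

The first ten checks from the scripted client get real answers, the eleventh trips the lock and the rest are refused outright until the lockout expires; the other client is never affected. Keying on IP alone is the weakness ManagerJosh raises later in the thread, so in practice the client key would also include a registration session or similar token.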
  7. Alfa1

    Alfa1 Well-Known Member

    I do the same using LSWS, but unfortunately the upgrade to LSWS5 removed the related settings.

    Most boards will not have the possibility to limit connections per IP. And it's possible to get around IP restrictions easily.

    While not a major vulnerability it is good practice to close any function that can be exploited.
  8. HWS

    HWS Well-Known Member

    I cannot see any exploit in getting some user names of a board. As said, you can get them more easily when parsing public thread pages.

    But you generally do not want a massive DOS attack at your registration and login pages by script kiddies trying to find passwords. This is the reason we limit them in our firewall.
    SneakyDave and Xon like this.
  9. Alfa1

    Alfa1 Well-Known Member

    As I already experienced such a hack attack last week, I can tell you for a fact that it's being exploited.

    One example: there are many databases that attackers can use with accounts & passwords. The attacker can check for the existence of such account names and then try whether the known password for these accounts works on the system.

    There are various avenues an attacker can take. Checking for existing accounts should not be available en masse.
  10. Mert

    Mert Well-Known Member

    This is something that can be done at the server level; however, I would also like to see improvements in this area, as Alfa1's concern is pretty real. There are many hacked website databases hanging around on the internet where they are trying to match usernames to brute force passwords.
  11. GKBlaze

    GKBlaze Member

    I woke the other day to 1980 pages of errors in my server logs from someone using a script to send thousands of registration submissions every sec.
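The flood GKBlaze describes is visible in the webserver access log long before the error log fills up. The Python below is an added example for this thread, not code from XenForo or from any poster: it parses a constructed sample in nginx/Apache combined log format and reports clients whose POSTs to the registration or login paths exceed a per-second threshold. The paths (/register, /login), the threshold and the log lines themselves are assumptions.

```python
"""Added example: flag clients sending bursts of registration/login POSTs.
The log lines are constructed for this example, not taken from any real server."""
import re
from collections import Counter

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Path prefixes treated as registration/login endpoints (assumed for this example).
WATCHED_PREFIXES = ("/register", "/login")


def build_sample_log():
    """Constructed access log: one scripted client, two ordinary visitors."""
    lines = []
    for _ in range(50):
        lines.append('203.0.113.7 - - [31/Oct/2015:10:00:01 +0000] '
                     '"POST /register/register HTTP/1.1" 200 512 "-" "python-requests/2.7.0"')
    lines.append('198.51.100.9 - - [31/Oct/2015:10:00:01 +0000] '
                 '"POST /register/register HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    lines.append('198.51.100.9 - - [31/Oct/2015:10:00:03 +0000] '
                 '"GET /forums/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"')
    lines.append('192.0.2.44 - - [31/Oct/2015:10:00:02 +0000] '
                 '"POST /login/login HTTP/1.1" 303 0 "-" "Mozilla/5.0"')
    lines.append('this line is not a valid log entry')
    return "\n".join(lines)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_bursts(log_text, threshold=20):
    """Return sorted (ip, timestamp, count) tuples for every client that sent
    at least `threshold` POSTs to a watched path within one logged second."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].startswith(WATCHED_PREFIXES):
            continue
        # Timestamps in this format have one-second resolution, so (ip, ts) is a per-second bucket.
        counts[(rec["ip"], rec["ts"])] += 1
    return sorted((ip, ts, n) for (ip, ts), n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ip, ts, n in find_bursts(build_sample_log()):
        print(f"{ip} sent {n} registration/login POSTs at {ts}")
```

Run against the constructed sample, only the scripted client is reported; the two ordinary visitors fall under the threshold and the GET is ignored. The same function can be pointed at a real access log file, and the per-second buckets it produces are the numbers you would feed into a firewall or fail2ban-style rule.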
  12. Alfa1

    Alfa1 Well-Known Member

    Not long ago I had contact with Troy Hunt of https://haveibeenpwned.com about the mass of account databases that have been breached lately. Especially vbulletin forums. Troy can hardly keep up with the amount of databases that are available on the net. Here are the latest breaches: https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches

    There now are billions of account name & password combinations that hackers have access to. All they need to do is to query xenforo to see which of these exist on a site. Which can currently be done without limit. Then half of the work is done and the related passwords for those accounts can be tried with 4 attempts, but they only need one try per account to see if the password matches.

    I think it would be a good move if xenforo would treat this partial vulnerability as an important issue.
    KevinL, n00bsaibot and Mouth like this.
  13. ManagerJosh

    ManagerJosh Well-Known Member

    While user "enumeration" can be a potential vulnerability, actively querying the registration form is one hell of a noise maker.

    Trying to limit username validation by IP address is pointless in an "Internet of Things" era. A simple botnet could do thousands of queries anywhere decentralized. Example, look at the Mirai botnet. It was able to execute one of the largest DDoS attacks known thus far, and it all originated from compromised devices.

    Even if XenForo were to successfully implement a 'limit username validation' attempt, there is still a much less noisy and successful method of getting an accurate and valid list of usernames for anyone's XenForo installation: download the site's sitemap.
    HWS likes this.
  14. zeroodz

    zeroodz New Member

    Yes please xenforo staff, here I have a reason for you to do it also. I hope you will implement this and improve security aspects; moreover, you should force your community members to change their password, as a dump of usernames + passwords is available easily.

  15. ozzy47

    ozzy47 Well-Known Member

    You need to like the first post. ;)
  16. ManagerJosh

    ManagerJosh Well-Known Member

    It's lacking a lot of context to properly address any vulnerability or risk.
  17. Jake B.

    Jake B. Well-Known Member
