1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Limit username validation attempts to improve security

Discussion in 'XenForo Suggestions' started by Alfa1, Oct 31, 2015.

  1. Alfa1

    Alfa1 Well-Known Member

    The registration form has a username validation function. it seems this can be abused by attackers to find out what accounts are present on the site. The attacker can run a script to try millions of possible usernames to get a member list. I have recently encountered such attack on my vbulletin big board, as vbulletin has a similar function. I've tried it out and there does not seem to be any limitation on xenforo registration either.
    Once the attacker has a member list they are one step closer to hacking a site. Therefore I think it should be prevented.

    This can be prevented by implementing a limit on this function, so that a user can only try X times, after which the user will be locked out from using this function.
    Itworx4me, GliX, Mert and 11 others like this.
  2. Mouth

    Mouth Well-Known Member

    Yes, please.
    Mihailo likes this.
  3. HWS

    HWS Well-Known Member

    A user list can also be retrieved by simply parsing the thread pages. This also seems a lot easier for potential "hackers" and you have the additional "bonus" to know who is moderator and administrator. IMHO only a very silly hacker would target the registration page for this info. And if the hacker has success with a login, all he gets is the account with the weak password.

    If you own a large site you may have a firewall limiting the connections of a single client anyway...
    SneakyDave, Xon and ozzy47 like this.
  4. Alfa1

    Alfa1 Well-Known Member

    Thread pages only show posting members in public forums which is very incomplete with duplicate data therefore ineffective.
  5. Xon

    Xon Well-Known Member

    I implement fairly aggressive rate limiting for login & registration pages at the webserver level purely for this reason.
    Itworx4me, Alfa1 and HWS like this.
  6. Mouth

    Mouth Well-Known Member

    nginx? Happy to share the config?
  7. Alfa1

    Alfa1 Well-Known Member

    I do the same using LSWS, but unfortunately the upgrade to LSWS5 removed the related settings.

    Most boards will not have the possibility to limit connections per IP. And its possible to get around IP restrictions easily.

    While not a major vulnerability it is good practice to close any function that can be exploited.
  8. HWS

    HWS Well-Known Member

    I cannot see any exploit in getting some user names of a board. As said, you can get them more easily when parsing public thread pages.

    But you generally do not want a massive DOS attack at your registration and login pages by script kiddies trying to find passwords. This is the reason we limit them in our firewall.
    SneakyDave and Xon like this.
  9. Alfa1

    Alfa1 Well-Known Member

    As I already experienced such hack attack last week, I can tell you for a fact that its being exploited.

    One example: there are many databases that attackers can use with accounts & passwords. The attacker can check for the existence of such account names and then try if the known password for these accounts works on the system.

    There are various avenues an attacker can take. Checking for existing accounts should not be available en mass.
  10. Mert

    Mert Well-Known Member

    This is something that can be done through server lvl however i also will like to see improvements on this area as Alfa1's concern is pretty real , there are many hacked website database hanging around on internet where they are trying to match usernames to brute force passwords.

Share This Page