Comments
620hun: With most sites you can check if a username exists by trying to register it. Once you know it does you can try to brute force it.
We have the same design in our current project, but after the 3rd invalid password we block the user and ask them to reset their password via email, also saying that there was a login attempt.
That sounds quite safe to me.
fatlard1993: I do this... but it's not internet-facing, just on my login system for a DSP control server. What kind of exploits would you try? I'm curious how exploitable it is (I don't really care, though, if it is exploitable...)
jckimble: I always return "Incorrect email/password combination"; on top of this I use IP/email lockouts that return the same thing.
jckimble: @fatlard1993 it's pretty much just a standard brute-force attack, except you can skip the email if it doesn't exist, which cuts down the time required for someone to get where they aren't supposed to be. Worst case, with it being internal, you would use internal emails, which could be scraped from your site, and they could find one or two of them that work and just brute force those two instead of having to try every email even if it doesn't log in.
fatlard1993: @jckimble I see, so really it only opens doors to more novice-style brute forcing...?
jckimble: @fatlard1993 more or less, it makes it easier/cheaper on hackers. I look at it more as scanning than brute force when you give something recognizable to search for usernames or emails, because at that point they have a list of valid logins where they can use social engineering to get passwords, brute force the site or even brute force the email and reset the password. Really it just opens more attack vectors than anything.
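The scan-then-brute-force attack jckimble describes, and the uniform error message plus lockout he uses against it, as an added example that is not code from the page or from any devRant user. The user table, passwords and the three-strike lockout are constructed for the demo; the vulnerable handler mirrors the two distinct messages in the rant.

```python
import hashlib
import hmac
import os
import secrets
from collections import defaultdict

# Constructed demo user table (assumed; not from the page). Passwords are
# stored as salted PBKDF2 hashes.
_SALT = os.urandom(16)


def _hash(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 50_000)


USERS = {
    "alice": _hash("correct horse"),
    "bob": _hash("hunter2"),
}
# Dummy hash so the hardened handler does the same work for unknown users
# (no timing difference between "no such user" and "wrong password").
_DUMMY = _hash(secrets.token_hex(16))


def login_vulnerable(username: str, password: str) -> str:
    """Mirrors the rant: distinct messages leak whether the username exists.
    It also returns faster for unknown users, since no hash is computed."""
    if username not in USERS:
        return "username doesn't exist"
    if not hmac.compare_digest(USERS[username], _hash(password)):
        return "incorrect password"
    return "ok"


class HardenedLogin:
    """One failure message for every outcome, plus a per-username lockout
    after max_failures bad attempts (a constructed three-strike policy)."""

    def __init__(self, max_failures: int = 3):
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def login(self, username: str, password: str) -> str:
        if self.failures[username] >= self.max_failures:
            # A locked account must be indistinguishable from a wrong password.
            return "Incorrect email/password combination"
        stored = USERS.get(username, _DUMMY)  # always hash, even for unknown names
        if username in USERS and hmac.compare_digest(stored, _hash(password)):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        return "Incorrect email/password combination"


def enumerate_users(login, candidates):
    """Attacker's scan: a name is confirmed when its response to a junk
    password differs from the response for a name that cannot exist."""
    baseline = login("no-such-user-" + secrets.token_hex(4), "x")
    return sorted(u for u in candidates if login(u, "x") != baseline)


def brute_force(login, username, wordlist):
    """Targeted guessing against a username the scan confirmed."""
    for pw in wordlist:
        if login(username, pw) == "ok":
            return pw
    return None


if __name__ == "__main__":
    names = ["alice", "bob", "carol"]
    print("vulnerable:", enumerate_users(login_vulnerable, names))
    print("hardened:  ", enumerate_users(HardenedLogin().login, names))
```

Against the vulnerable handler the scan confirms alice and bob from a three-name list, and a short wordlist then recovers bob's password; against the hardened handler the scan returns nothing, and the same wordlist is cut off by the lockout before it reaches the right guess. A lockout keyed only on the username lets an attacker lock real users out, which is why the comment above pairs it with an IP-based lockout; the reset email 620hun describes is one way to recover from that.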
I make a typo in the username
"username doesn't exist"
I fix the typo and mess up the password
"incorrect password"
... I smell a potential exploit here...
Tags: exploit, never write prompts like that kids, potential vulnerability