If there's at least one way to discover which user names are available on the site, it then means that you can try to brute-force/dictionary-attack/social engineer those specific accounts.

In the case you described, it doesn't make any tangible security difference to try to hide the error reason on the login page, since it's trivial to discover the real reason otherwise. Depending on what's more important to you, you can either make your login process more user (and attacker) friendly, or instead try to secure your registration (or any other) process that might reveal which accounts exist on your system.

When defending against such cases related to the authentication process for a typical web application, you should normally take into account the following routes:

Login page - this is the obvious point, and where most applications already have fairly standard protection, including the good practice of non-revealing errors etc.

Signup/Registration - this can reveal which accounts are available, as well as allow flooding your system with fake/stale accounts, name-squatting etc. Captcha can usually provide good protection, as well as timeouts, but won't stop manual, slower attacks. I would also suggest not giving hints about username availability or the success of the registration process. You can just say "Thanks for registering. A confirmation email will be sent shortly to confirm the account" (or something like that).
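The two routes above come down to one rule: the login and registration responses must not differ depending on whether the account exists. The following Python sketch is an added example, not code from the original post; it assumes an in-memory user store, that the e-mail address doubles as the username, and a hypothetical `send_email(address, kind)` mailer hook. Registration always returns the same "Thanks for registering" text and pushes the real outcome (new confirmation vs. "this address is already registered") to the mailbox, which only its owner can read. Login returns one generic failure string and runs the password hash even for unknown users, so neither the message nor the response time leaks which accounts exist.

```python
"""Uniform registration and login responses to avoid username enumeration (added example)."""
import hashlib
import hmac
import os
import secrets

# Constructed in-memory user store: username -> (salt, pbkdf2 digest, confirmed flag)
USERS = {}

REGISTER_MESSAGE = ("Thanks for registering. A confirmation email will be sent "
                    "shortly to confirm the account.")
LOGIN_FAILURE = "Invalid username or password."


def _hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256; a fresh random salt is generated when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


# Dummy credential so a login attempt for an unknown user costs the same as a real one
_DUMMY_SALT, _DUMMY_HASH = _hash_password(secrets.token_hex(16))


def register(username, password, send_email):
    """Always return REGISTER_MESSAGE, whether or not the username already exists.

    send_email(address, kind) is a hypothetical mailer hook (assumption, not from the page):
    kind is 'confirm' for a new account and 'already_registered' for an existing one.
    """
    if username in USERS:
        # Do not reveal the collision to the caller; tell the mailbox owner instead.
        send_email(username, "already_registered")
    else:
        salt, digest = _hash_password(password)
        USERS[username] = (salt, digest, False)  # not yet confirmed
        send_email(username, "confirm")
    return REGISTER_MESSAGE


def confirm(username):
    """Mark an account as confirmed (called from the e-mailed confirmation link)."""
    if username in USERS:
        salt, digest, _ = USERS[username]
        USERS[username] = (salt, digest, True)


def login(username, password):
    """Return (True, 'ok') or (False, LOGIN_FAILURE); the failure text never varies."""
    salt, stored, confirmed = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH, False))
    _, candidate = _hash_password(password, salt)  # same cost for unknown users
    match = hmac.compare_digest(candidate, stored)
    if match and confirmed and username in USERS:
        return True, "ok"
    return False, LOGIN_FAILURE


if __name__ == "__main__":
    outbox = []
    mailer = lambda addr, kind: outbox.append((addr, kind))
    print(register("alice@example.test", "correct horse", mailer))
    print(register("alice@example.test", "other", mailer))  # identical text
    print(outbox)  # the difference lives only in the mailbox
    print(login("alice@example.test", "wrong"), login("nobody@example.test", "wrong"))
```

The `username in USERS` check after `compare_digest` guards against the (astronomically unlikely) case where a guess collides with the dummy hash; it runs after the hash work so it adds no measurable timing signal. Rate limiting and captcha, as the post notes, still belong on both endpoints.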