Collaborate Disseminate
Our concern is more on application side prevention automated attacks. Although the firewall does it part to help prevent this, it has been mandated in our development team’s security practices that we need a 2nd level of protection. Soluti… Continue reading Preventing automated attacks on Tokens without relying on Firewall or Network Infrastructure
We have a system where if you forgot your password and want to reset it, to go to the forgot password page and enter your email address. A temporary link will be sent to your email to reset your password.
Now, when we subjected our app to… Continue reading Password reset giving clues of possible valid email addresses
If a website uses an auto-incrementing user-id in its url – /users/1, /users/2 to showcase public user profiles (just the name + photo / avatar) is it considered a possible vulnerability?
What are some methods for preventing account enumeration on login when accounts have optional two factor authentication?
Without two factor authentication we would just return the same response for wrong username, wrong password, and acco… Continue reading Preventing account enumeration with 2FA
I have two user accounts on my PC. About 2 years ago I was doing some testing and left one of my local accounts open to RDP with no password accidentally for about a month.
A hacker got in and started screwing around before … Continue reading Are my Windows 10 User Accounts exposed?
I recently set up an SMTP server for myself to use, and I am getting some traffic from two IP addresses and none else (though for obvious reasons I will not state the addresses here).
An example session (which, in fact, repe… Continue reading Why would an attacker try SMTP login many times even though it is disabled?
If we email <username>@gmail.com and the address doesn’t exist (or is misspelled), our email provider will fail and return an “Undelivered Mail Returned to Sender” response.
Using a command line tool (preferably in Kal… Continue reading Email address enumeration tools? [on hold]
An OpenSSH bug that was reclassified as a vulnerability after it was fixed has made scary headlines – but the sky isn’t falling Continue reading Vulnerability in OpenSSH “for two decades” (no, the sky isn’t falling!)
We are forth and back discussing how to deal with privacy issues during failed authentication, password reset and account creation on a web application.
Let’s say I am in the process of creating an account on an application … Continue reading Dealing with violating privacy of registered users during failed authentication
It is a common recommendation to return “Username or password is incorrect” instead of “Username does not exist” when the given username does not exist and “Password is incorrect” when username exists but password is wrong.