Security of Konishi #7
Comments
Lookup HTTPS.
One minor thing, but since I ran into it right away I'll just throw it out there: when trying to log in with incorrect credentials you return an error that's too specific. This opens you up a bit to exposing user creds, since I am able to tell if a person does indeed have an account on the page, which in turn drastically reduces my attack time should I try doing something funny. A better error is more general, along the lines of "The e-mail or password you entered is incorrect." This makes the output more fuzzy, and while it does slightly hinder ease-of-use for the end user, it's a common practice. I'll try to help out more on security, but I'm also just learning about that stuff, so it's going to be a fun ride.
We've discussed a similar issue before, but the thing here is that an attacker can simply go to the registration page, fill out the details and check if that email is used or not. This is done for UX reasons. Ultimately it's still the backend's job to make sure that the security is tight. You can also use other tools to call the API endpoints to check if an email is used, etc. The backend has a lot of room for improvement in terms of security and things in general. For the frontend, it's preventing XSS, CSRF, the usual stuff.
On GitHub, the system complains about insecure packages. In npm, there are complaints. If I look at how the password is plain text at the registration step, I'm internally complaining. And a /p/ user looked through the site and said that within minutes he found all kinds of vulnerabilities.
I'm reading up on security, but I'm just generally a noob in all tangential fields here. We need to fix a lot of this before we release an actual beta. Just making this issue so it's on everyone's radar.
If anyone wants to do a scan and report the security issues (possibly with solutions for how to fix them), that'd be great.