User login security issues #14

Open
toiron opened this Issue Nov 23, 2018 · 1 comment

toiron commented Nov 23, 2018

The login interface /edusec/index.php?R =site%2Flogin uses a password mechanism that does not prevent brute-force cracking, and brute-force cracking tools can be used to iterate over user names and passwords.
Method: Burp Suite Pro was used to capture the user's login request, which was then sent to the Intruder function to brute-force the user name and password.

Solution: you can use a captcha mechanism, or you can use an account or limit the number of times an account name and password error can be checked.

Owner

EduSec commented Nov 26, 2018

Hi Toiron,
Thank you for this message. We will add a captcha in the next update.
Please note that in our new professional version, the limit on the number of account name and password attempts and the captcha are both implemented.
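
The mitigation discussed in this thread (limit failed attempts and require a captcha), as an added example that is not EduSec's code and not part of either comment: failures are counted per account and per client address, because the report describes iterating over both user names and passwords. The `LoginThrottle` name, the thresholds and the in-memory store are assumptions; a deployment would keep the counters in storage shared by all web workers.

```python
import time
from collections import deque

WINDOW = 15 * 60      # assumed: seconds over which failures are counted
CAPTCHA_AFTER = 3     # assumed: failures before a captcha is required
LOCK_AFTER = 10       # assumed: failures before attempts are refused

class LoginThrottle:
    """Sliding-window count of failed logins, keyed by account and by address."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._failures = {}   # key -> deque of failure timestamps

    def _count(self, key):
        q = self._failures.get(key)
        if q is None:
            return 0
        cutoff = self._clock() - WINDOW
        while q and q[0] <= cutoff:     # drop failures older than the window
            q.popleft()
        if not q:
            del self._failures[key]     # do not keep empty entries around
        return len(q)

    def check(self, username, client_ip):
        """Call before verifying the password: 'allow', 'captcha' or 'deny'."""
        worst = max(self._count(("user", username.lower())),
                    self._count(("ip", client_ip)))
        if worst >= LOCK_AFTER:
            return "deny"
        if worst >= CAPTCHA_AFTER:
            return "captcha"
        return "allow"

    def record_failure(self, username, client_ip):
        # Recorded for unknown user names too, so responses do not differ.
        now = self._clock()
        for key in (("user", username.lower()), ("ip", client_ip)):
            self._failures.setdefault(key, deque()).append(now)

    def record_success(self, username):
        # Clear only the account counter; the address counter ages out on its
        # own, so one valid login cannot reset guessing from the same address.
        self._failures.pop(("user", username.lower()), None)
```

The login handler calls `check()` first, verifies the captcha when it returns `"captcha"`, refuses the attempt on `"deny"`, and only then compares the password and records the outcome.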
