Bruteforce throttling vulnerability

[noguespi]

Using HTTP_X_FORWARDED_FOR in the key is useless because the client can set a random X-Forwarded-For and bypass throttling.
Secondly using email in the key is useless too because there is little chance the same IP needs to access multiples accounts and have lost its passwords for all its accounts.

The rare case when one IP need to access multiple accounts is when it's behind a reverse proxy. In this case the 'HTTP_X_FORWARDED_FOR' should be used if it's properly set by the reverse proxy and not overridable.

Most of the time web application aren't behind reverse proxy so it's safe to only check REMOTE_ADDR

[andrew13]

What happens when someone is behind a reverse proxy then?

[noguespi]

I think you mean someone behind a proxy and not a reverse proxy because only a server can be behind a reverse proxy (and all the client in front of the reverse proxy so in this case we use HTTP_X_FORWARDED_FOR instead of REMOTE_ADDR, because in this case most of the time we own the reverse proxy so we can trust the x-forward header). But like I said, most of the time server aren't behind reverse proxy.

But if someone is using a proxy, well the REMOTE_ADDR will be used, if multiple people connect from the same proxy and have loggin error, they will be all throttled. But that's not like it's going to happen a lot, it's a specific case. But If you keep X_FORWARDED_FOR in your session key, the throttle protection is useless because hacker can just spoof x-forwarded-for with random().

[noguespi]

By the way, you don't have to ban the IP, to avoid false positive and limit bruteforce, just display a captcha

[andrew13]

Yeah captcha would be the best choice and there's plans to add it. Just haven't gotten around to doing so.

[andrew13]

Now I just need to figure out why the build is failing, and it'll get merged.

[andrew13]

Addressed this in: da0f75e