
[SECURITY] Insufficient Anti-Automation – Brute Force Attack #991

Closed
ybelenko opened this issue May 30, 2019 · 2 comments

Comments

@ybelenko
Contributor

commented May 30, 2019

Feature Request

About the audited Directus version:
It has been cloned from the suite repo.
Latest commit directus/directus@1d151a9

Description:

Insufficient Anti-automation occurs when a web application permits an attacker to automate a process that was originally designed to be performed only in a manual fashion, i.e. by a human web user.

Business risk:

Once exploited, attackers can use an automatic tool or a simple script that performs brute-force authentication attempts, and possibly cause a legitimate user lockout.

Technical details:

The login mechanism of the application does not prevent brute-force attacks on login attempts or on the change password function.

What problem does this feature solve?

Fixes security hole.

How do you think this should be implemented?

Would you be willing to work on this?

Maybe, with help/guidance from Directus team.
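The issue above describes two endpoints (login and change password) that accept unlimited attempts, and notes the flip side of a naive fix: a hard account lock lets an attacker lock out the legitimate user. The following is an added example, not Directus code and not from the issue author, of a throttle that covers both concerns: a per-account escalating delay (never an indefinite lock) combined with a per-source sliding-window limit, parameterized by action so the same object serves the login and change-password handlers. Account names, the source address 198.51.100.7 and the timings are constructed for the demo.

```python
"""Added example (not Directus code): throttle authentication-style
endpoints so automated guessing is slowed down without handing an attacker
a permanent lockout of the targeted account."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Decision:
    allowed: bool
    retry_after: float = 0.0   # seconds the caller must wait if not allowed
    reason: str = ""


@dataclass
class AttemptThrottle:
    # Per-account escalating delay: after `free_attempts` failures, each further
    # failure doubles the wait, capped at `max_delay`. The account is never
    # locked indefinitely, so the "lock out a legitimate user" risk is bounded
    # to short waits rather than a denial of service.
    free_attempts: int = 3
    base_delay: float = 2.0
    max_delay: float = 300.0
    # Per-source sliding window: at most `ip_limit` attempts per `ip_window`
    # seconds from one address, regardless of which account is targeted. This
    # catches spraying many accounts from one source.
    ip_limit: int = 20
    ip_window: float = 60.0
    # In-memory state (constructed for the example; a real deployment would
    # keep this in a shared store such as the application's cache).
    _fails: dict = field(default_factory=lambda: defaultdict(int))
    _not_before: dict = field(default_factory=lambda: defaultdict(float))
    _ip_hits: dict = field(default_factory=lambda: defaultdict(deque))

    def check(self, action: str, account: str, ip: str, now: float) -> Decision:
        """Call before verifying credentials. `action` is e.g. "login" or
        "change_password" so each endpoint gets its own counters."""
        key = (action, account)
        if now < self._not_before[key]:
            return Decision(False, self._not_before[key] - now, "account backoff")
        hits = self._ip_hits[(action, ip)]
        while hits and hits[0] <= now - self.ip_window:   # drop expired hits
            hits.popleft()
        if len(hits) >= self.ip_limit:
            return Decision(False, hits[0] + self.ip_window - now, "source rate limit")
        hits.append(now)
        return Decision(True)

    def record_failure(self, action: str, account: str, now: float) -> float:
        """Call after a wrong password / wrong current password. Returns the
        delay (seconds) imposed on the account before its next attempt."""
        key = (action, account)
        self._fails[key] += 1
        over = self._fails[key] - self.free_attempts
        if over > 0:
            delay = min(self.base_delay * 2 ** (over - 1), self.max_delay)
            self._not_before[key] = now + delay
            return delay
        return 0.0

    def record_success(self, action: str, account: str) -> None:
        """A correct credential clears the account's backoff state."""
        self._fails.pop((action, account), None)
        self._not_before.pop((action, account), None)


def simulate_guessing(attempts: int = 10, interval: float = 1.0) -> tuple:
    """Constructed scenario: one source guesses one account's password once per
    second and every guess is wrong. Returns (guesses that reached the password
    check, delay in seconds imposed after the last one that got through)."""
    throttle = AttemptThrottle()
    reached, delay = 0, 0.0
    for i in range(attempts):
        now = i * interval
        decision = throttle.check("login", "alice", "198.51.100.7", now)
        if decision.allowed:
            reached += 1
            delay = throttle.record_failure("login", "alice", now)
    return reached, delay


if __name__ == "__main__":
    print(simulate_guessing())   # only 6 of 10 guesses reach the password check
```

The same `AttemptThrottle` instance is used for the change-password endpoint by passing `action="change_password"`, so an attacker who already has a session cannot brute-force the current-password confirmation either. The per-account delay is what stops guessing; the per-source window is a coarser backstop, and on its own it is easy to sidestep from many addresses, which is why both are kept.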

@ybelenko

Contributor Author

commented May 30, 2019

In comparison to #982, this issue is definitely about Captcha.

@ybelenko

Contributor Author

commented May 30, 2019

I've read the discussion at directus/app#219 and I would suggest making Captcha an optional feature, disabled by default.

@benhaynes benhaynes added this to Needs triage in Bug Triage via automation May 31, 2019

@bjgajjar bjgajjar moved this from Needs triage to Medium priority in Bug Triage Jun 6, 2019

urvashithakar pushed a commit to urvashithakar/api that referenced this issue Jun 26, 2019

bjgajjar added a commit to bjgajjar/api that referenced this issue Jul 4, 2019

@bjgajjar bjgajjar closed this in 8fc1546 Jul 4, 2019

Bug Triage automation moved this from Medium priority to Closed Jul 4, 2019

@bjgajjar bjgajjar added this to Done in v2.2.2 Jul 4, 2019
