You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The default 6 characters might not be enough once bots discover a publicly accessible wizzarr instance.
Bruteforcing a link like https://wizzarr.somedomain.com/j/UDYQCA is fairly easy for an adversary once the domain is known. Even if the expiration duration is set to a low number.
Could the default number of random characters be prolonged, while still retaining he option to write shorter or personalized invites?
The text was updated successfully, but these errors were encountered:
Brute forcing a field that has 36^6 combinations, thats 2,176,782,336 possibilities, the server would most likely crash before they got the correct possibility, reCAPCHA is a future feature that will be added at some point but this would only be opt in if people choose to go set up a captcha account and fill in the api key, script kiddies aint gonna be brute force it with there little Dell XPS and 50kb internet connection lol. Also if your using the invites in the recommended way where they become stale after a single use then its even less that someones gonna be able to bruteforce it. We like to keep the invite links to a consistent format.
The default 6 characters might not be enough once bots discover a publicly accessible wizzarr instance.
Bruteforcing a link like https://wizzarr.somedomain.com/j/UDYQCA is fairly easy for an adversary once the domain is known. Even if the expiration duration is set to a low number.
Could the default number of random characters be prolonged, while still retaining he option to write shorter or personalized invites?
The text was updated successfully, but these errors were encountered: