Base solution for your next web application
Ends in:
01 DAYS
01 HRS
01 MIN
01 SEC
Open Closed

Email verification && DDoS attacks #6843


User avatar
0
BobIngham created

Given the fact that phone number verification and Google Authentication are on the User Settings page doesn't it make sense to put email verification in the same place rather than on the sign in page? Putting it on the sign in page opens the system to all kinds of injection attacks.

Would you like me to open a request issue on the github pages for this request or is there a reasonable answer for why email verification is on the sign in page?

In fact doesn't the the sign in page itself open itself to all kinds of injection attacks? Without a recaptcha (Add reCAPTCHA to login page) a robot could easily flood the log files and bring the system crashing down. I think this is true even if lockout settings were set. Even then a host has no control over lockout settings at tenant level.

Can I politely request higher priority for the above issue and consider an option to put recaptcha on the signin page as an option at tenant level?

Of course I understand that 7.0 has priority over everything else at this moment.


9 Answer(s)
  • User Avatar
    0
    aaron created
    Support Team

    (Not addressing the discussion above, but please pardon me for raising a point: It is confusing when you use blockquotes to highlight your own points. Blockquotes are meant to be used to quote existing content. I suggest using bullet points to bring attention to your points instead. If you are agreeable and make the changes, then I am open to deleting this comment at your request.)

  • User Avatar
    0
    BobIngham created

    Aaron, I love you, but semantics, etymology and a tendency to dictate how one uses available tools to bring attention to a point whilst not adhering to your particular rules does not impress.

    All that given, can you give me an answer as to why email verification appears on the sign in page?
    

    Or can you give me information on possible penetration attacks on the current sign in page and give any guarantee that the Zero framework will not flood my logs under any DDoS attack. It's just a thought, no negative criticism intended.

  • User Avatar
    0
    aaron created
    Support Team

    semantics, etymology and a tendency to dictate how one uses available tools to bring attention to a point whilst not adhering to your particular rules does not impress.

    It isn't my rule, but a convention among developers. Also, code blocks are meant to be used to format code and logs. These are merely suggestions to help you make your posts more effective.

    All that given, can you give me an answer as to why email verification appears on the sign in page?

    (It does not actually appear on the sign in page, but a different page.) Email activation is done by many applications, to prevent an unauthenticated new user from signing in and creating content. Phone number verification on the User Settings page serves a different purpose. 2FA is still done on the sign in page, similar to email activation.

    Or can you give me information on possible penetration attacks on the current sign in page and give any guarantee that the Zero framework will not flood my logs under any DDoS attack.

    No, I am unable to. I suggest contributing to the discussion on the GitHub Issue that you linked.

  • User Avatar
    0
    BobIngham created

    That's a live site. Tell me how that is not open to DDoS.

  • User Avatar
    0
    alper created
    Support Team

    You can prevent DDos attacks on your firewall or gateway. As it's costly to handle DDos requests on the application level, it should be stopped before the application. https://www.esecurityplanet.com/network-security/how-to-prevent-ddos-attacks.html

  • User Avatar
    0
    alper created
    Support Team

    This is good library for Asp.Net Core to prevent flood attacks on the application layer. https://github.com/stefanprodan/AspNetCoreRateLimit

  • User Avatar
    0
    BobIngham created

    Thanks, Alper. I take it that this means no recaptcha on these pages?

  • User Avatar
    0
    alper created
    Support Team

    we can consider to add captcha for those. could you please create an issue regarding to your request.

  • User Avatar
    0
    BobIngham created