[NSFW] register form
* In the password recovery form it is possible to tell whether or not an entered email address belongs to a user of the application.
* In the user registration form it is possible to tell whether or not the entered username already exists in the application. Although this is normal behaviour and user registration is protected by a CAPTCHA, testing showed that multiple requests can be sent varying the username, and the response for this field varies accordingly, which allows dictionary attacks focused on enumeration.
* In public files such as the site map or configuration files it is possible to identify application users, or email addresses associated with application users.

* In response to an email address entered for password recovery, always show the message for the successful case.
* Enumeration in the registration form is possible because an individual response is presented for each field. Perform the CAPTCHA validation first; if it fails, do not perform any further field validation and present only that response.
* If possible, remove usernames or email addresses from configuration files.
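As an added illustration of the two recommendations above (this is example code, not code from the original post or from the application it reports on): a simulated registration handler that reports every field separately, beside a hardened one that checks the CAPTCHA first and returns a single generic message, plus the password-recovery reply in both forms. The user store, the CAPTCHA answer and the wordlist are constructed test data; the attacker loop shows that per-field responses let usernames be confirmed without ever solving the CAPTCHA, while the CAPTCHA-first handler yields nothing.

```python
# Added example (not from the original post): user enumeration through
# per-field form responses, and the CAPTCHA-first / uniform-message fix.
from typing import Callable, Dict, Iterable, Set

# Constructed sample data: existing accounts and the one valid CAPTCHA answer.
USERS: Dict[str, str] = {"alice": "alice@example.org", "bob": "bob@example.org"}
VALID_CAPTCHA = "7K3P"


def register_vulnerable(username: str, email: str, captcha: str) -> Dict[str, str]:
    """Validates every field independently and reports each result.

    Because 'username taken' is reported next to 'CAPTCHA wrong', a wrong
    CAPTCHA still tells the attacker whether the username exists, so the
    CAPTCHA does not protect the username field at all.
    """
    errors: Dict[str, str] = {}
    if username in USERS:
        errors["username"] = "This username is already taken"
    if email in USERS.values():
        errors["email"] = "This email is already registered"
    if captcha != VALID_CAPTCHA:
        errors["captcha"] = "CAPTCHA verification failed"
    return errors or {"status": "ok"}


def register_hardened(username: str, email: str, captcha: str) -> Dict[str, str]:
    """CAPTCHA first; on failure nothing else is validated or reported.

    Uniqueness checks only run after a solved CAPTCHA, so every enumeration
    probe costs one CAPTCHA, and the failed-CAPTCHA response carries no
    information about the other fields.
    """
    if captcha != VALID_CAPTCHA:
        return {"captcha": "CAPTCHA verification failed"}
    if username in USERS or email in USERS.values():
        # One generic message for either collision, not per field.
        return {"form": "Registration could not be completed with the details provided"}
    return {"status": "ok"}


def recover_vulnerable(email: str) -> str:
    """Reply text differs for known and unknown addresses."""
    if email in USERS.values():
        return "A reset link has been sent to your email"
    return "No account exists for that email address"


def recover_hardened(email: str) -> str:
    """Same reply whether or not the address is registered.

    The mail is only sent when the account exists; the response (and, in a
    real deployment, its timing) must not depend on that.
    """
    if email in USERS.values():
        pass  # send the reset email here; nothing about it reaches the response
    return "If an account exists for that email, a reset link has been sent"


def enumerate_usernames(handler: Callable[[str, str, str], Dict[str, str]],
                        wordlist: Iterable[str], captcha: str = "wrong") -> Set[str]:
    """Attacker loop: submit a deliberately wrong CAPTCHA with each candidate
    username and keep the ones whose response differs from a baseline probe
    made with a username that certainly does not exist."""
    baseline = handler("zz_not_a_user_zz", "nobody@example.org", captcha)
    return {u for u in wordlist
            if handler(u, "nobody@example.org", captcha) != baseline}


if __name__ == "__main__":
    wordlist = ["admin", "alice", "bob", "carol"]  # constructed dictionary
    print("vulnerable form leaks:", enumerate_usernames(register_vulnerable, wordlist))
    print("hardened form leaks:  ", enumerate_usernames(register_hardened, wordlist))
    print(recover_vulnerable("alice@example.org"), "|", recover_vulnerable("x@example.org"))
    print(recover_hardened("alice@example.org"), "|", recover_hardened("x@example.org"))
```

Note that the hardened form still has to reject a duplicate username once the CAPTCHA is solved (that is the "normal behaviour" the post refers to); the fix does not remove that signal, it makes each probe cost a CAPTCHA solve and merges the username and email collisions into one message, so a wrong CAPTCHA no longer reveals anything about the other fields.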