Comments (7)
Hi Eliot,
I'm glad that the project has its first contributor :)
I agree that Devise's paranoid mode is relevant to mitigate user enumeration. However, the Devise wiki says
If you use Paranoid-mode on Devise, you're protected against user enumeration on confirmable, recoverable and unlockable modules, but not on registerable. One of the validations on creating a new user is for it to have an unique e-mail or login. So, we can't add a response that s to the register controller because the user will not know if his account was created or not.
There are two solutions that are very common on the internet, that should stop robots doing the enumeration:
Add a captcha;
Add a rule that blocks create requests for a few minutes after creating a small number of users. E.g. blocking an IP for five minutes after creating five users.
I haven't recommended turning on paranoid mode because it may give developers a false sense of security against user enumeration while the registerable module is still vulnerable. A possible way to avoid this is to include a checklist item recommending turning on paranoid mode along with a code sample regarding the implementation of a captcha. Blocking an IP after creating a few users would not be effective if the attacker distributes the user enumeration process amongst multiple IPs (e.g. a botnet).
What do you think?
from zen-rails-security-checklist.
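The IP-based rule from the comment above, as an added example that is not code from the checklist, from Devise, or from either participant. Enumeration probes submit existing addresses and never complete a creation, so this version counts sign-up attempts rather than only created accounts; the `register` handler and its address list are constructed stand-ins.

```ruby
require 'set'

# Added example (not code from the checklist or Devise): an in-memory
# throttle for the sign-up endpoint. After LIMIT sign-up attempts from one
# IP within PERIOD seconds, that IP is refused for BLOCK seconds. Counters
# live in this process only; behind several app servers they would need a
# shared store. A botnet spreading probes across many IPs still passes.
class SignupThrottle
  LIMIT  = 5        # attempts allowed per window
  PERIOD = 5 * 60   # window length in seconds
  BLOCK  = 5 * 60   # block duration once the limit is hit

  def initialize
    @attempts      = Hash.new { |h, k| h[k] = [] } # ip => [timestamps]
    @blocked_until = {}                            # ip => unblock time
  end

  # Returns :blocked if the IP must wait; otherwise records the attempt,
  # returns :ok, and starts a block when the window limit is reached.
  def check(ip, now)
    return :blocked if @blocked_until[ip] && now < @blocked_until[ip]
    @blocked_until.delete(ip)
    stamps = @attempts[ip]
    stamps.reject! { |t| t <= now - PERIOD }   # drop attempts outside the window
    stamps << now
    @blocked_until[ip] = now + BLOCK if stamps.size >= LIMIT
    :ok
  end
end

# Constructed stand-in for the registration action. The unique-email
# validation must still answer honestly (the user needs to know whether the
# account was created), so the throttle is what limits how many such
# answers one address can collect.
EXISTING = Set['alice@example.com', 'bob@example.com'] # constructed sample data
THROTTLE = SignupThrottle.new

def register(ip, email, now)
  return :blocked if THROTTLE.check(ip, now) == :blocked
  return :email_taken if EXISTING.include?(email)
  EXISTING << email
  :created
end
```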
Sorry I haven't had time to think through the (re)captcha solution.
I haven't recommended turning on paranoid mode because it may give developers a false sense of security against user enumeration while the registerable module is still vulnerable
I've had this concern too. In the end I decided to be clear about the registration exclusion in the text, see diff https://github.com/eliotsykes/rails-security-checklist/pull/26/files
I found a How To: Use Recaptcha with Devise in the Devise Wiki.
@eliotsykes This issue is highly relevant. Do you intend to submit a PR? I'm asking because if you don't, I'll do it...
Thank you.
And sorry I forgot to answer your PR question, please go ahead and take it on if you wish.
Nice text on your checklist. Thanks for sharing :)
Done! f9142d3