Brute Force Login Success

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
6 years ago
Hi!

My store is being targeted by brute force login attempts, and they are being successful.

Looking at the code, the login POST method doesn't have PublicAntiForgery or honeypot protection. Why?


[HttpPost]
[CaptchaValidator]
//available even when a store is closed
[StoreClosed(true)]
//available even when navigation is not allowed
[PublicStoreAllowNavigation(true)]
public virtual ActionResult Login(LoginModel model, string returnUrl, bool captchaValid)


Thanks!
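For readers of this thread, here is an added example (not nopCommerce code, and not posted by anyone in the thread) of what a hardened ASP.NET MVC login action looks like. It uses the framework's built-in [ValidateAntiForgeryToken] attribute in place of the PublicAntiForgery attribute mentioned above, assumes a hidden honeypot field named Website on the form, and adds a small in-memory counter that locks an account or a source address after repeated failures. LoginModel, LoginThrottle, LoginController and the validateCredentials delegate are hypothetical names, and the limits (5 failures in 15 minutes) are assumed.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web.Mvc;

// Hypothetical login form model. Website is the honeypot field: it is hidden with
// CSS so a real customer never fills it in, but form-filling bots usually do.
public class LoginModel
{
    public string Email { get; set; }
    public string Password { get; set; }
    public string Website { get; set; }
}

// Hypothetical per-process counter of failed attempts inside a fixed window.
public class LoginThrottle
{
    private class Entry { public int Count; public DateTime WindowStart; }

    private readonly int _maxFailures;
    private readonly TimeSpan _window;
    private readonly ConcurrentDictionary<string, Entry> _failures =
        new ConcurrentDictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);

    public LoginThrottle(int maxFailures, TimeSpan window) { _maxFailures = maxFailures; _window = window; }

    public bool IsLocked(string key)
    {
        Entry e;
        if (!_failures.TryGetValue(key, out e)) return false;
        if (DateTime.UtcNow - e.WindowStart > _window)
        {
            _failures.TryRemove(key, out e);   // window expired: forget the old failures
            return false;
        }
        return e.Count >= _maxFailures;
    }

    public void RecordFailure(string key)
    {
        _failures.AddOrUpdate(key,
            _ => new Entry { Count = 1, WindowStart = DateTime.UtcNow },
            (_, e) =>
            {
                if (DateTime.UtcNow - e.WindowStart > _window)
                    return new Entry { Count = 1, WindowStart = DateTime.UtcNow };
                e.Count++;
                return e;
            });
    }

    public void Reset(string key) { Entry e; _failures.TryRemove(key, out e); }
}

public class LoginController : Controller
{
    // Assumed limits: 5 failures per account or per source address within 15 minutes.
    private static readonly LoginThrottle Throttle =
        new LoginThrottle(maxFailures: 5, window: TimeSpan.FromMinutes(15));

    // Hypothetical credential check; the store's own customer service would sit behind this.
    private readonly Func<string, string, bool> _validateCredentials;

    public LoginController(Func<string, string, bool> validateCredentials) { _validateCredentials = validateCredentials; }

    [HttpPost]
    [ValidateAntiForgeryToken]   // the POST must carry the token that was issued with the form
    public virtual ActionResult Login(LoginModel model, string returnUrl)
    {
        const string genericError = "The credentials provided are incorrect.";
        string accountKey = "acct:" + (model.Email ?? string.Empty).Trim();
        string ipKey = "ip:" + Request.UserHostAddress;

        // Honeypot tripped: answer exactly like a failed login so the client learns nothing.
        if (!string.IsNullOrEmpty(model.Website))
        {
            ModelState.AddModelError("", genericError);
            return View(model);
        }

        if (Throttle.IsLocked(accountKey) || Throttle.IsLocked(ipKey))
        {
            ModelState.AddModelError("", "Too many failed attempts. Please try again later.");
            return View(model);
        }

        if (_validateCredentials(model.Email, model.Password))
        {
            Throttle.Reset(accountKey);
            // Sign-in itself is omitted; returnUrl is only followed when it is local to this site.
            return Url.IsLocalUrl(returnUrl)
                ? (ActionResult)Redirect(returnUrl)
                : RedirectToAction("Index", "Home");
        }

        Throttle.RecordFailure(accountKey);
        Throttle.RecordFailure(ipKey);
        ModelState.AddModelError("", genericError);
        return View(model);
    }
}
```

The anti-forgery token and the honeypot block cross-site and automated form posts, but on their own they do not slow down a client that fetches the form and replays the token; the throttle is the part that limits guessing. The counter here lives in process memory, so behind a load balancer it needs to move to a shared store (database or cache) to be counted across all web nodes.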
6 years ago
You're absolutely right. We'll check it - https://github.com/nopSolutions/nopCommerce/issues/2848

P.S. In the meantime you can enable CAPTCHA now
6 years ago
Thanks A.M.

I also recommend adding a sanitizer to prevent all kinds of XSS in all input fields.

Our store is vulnerable to it too.

Like this: https://github.com/mganss/HtmlSanitizer

Thanks!
6 years ago
I also see that most model properties allow HTML. Why?


        [NopResourceDisplayName("Account.Login.Fields.Email")]
        [AllowHtml]
        public string Email { get; set; }


This is an XSS security breach and I believe you should remove it.
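As an added example (not from the thread or from the nopCommerce project) that combines the two suggestions above: leave [AllowHtml] off fields that never need markup, so ASP.NET request validation rejects tags before the action runs, and pass the few fields that do accept HTML through the HtmlSanitizer package from the linked repository with a tight allow-list. LoginModel, InputSanitizer, ReviewModel and ReviewController are hypothetical names; Ganss.XSS is the namespace the package used at the time of this thread.

```csharp
using System.Web.Mvc;
using Ganss.XSS; // NuGet package "HtmlSanitizer" from https://github.com/mganss/HtmlSanitizer

// Login fields never legitimately contain markup, so [AllowHtml] is simply left off.
// With request validation on (the MVC default), a value containing "<script>" is rejected
// before the action body runs instead of being stored and rendered later.
public class LoginModel
{
    public string Email { get; set; }
    public string Password { get; set; }
    public bool RememberMe { get; set; }
}

// Hypothetical helper for the few inputs where customers may enter markup.
public static class InputSanitizer
{
    private static readonly HtmlSanitizer Sanitizer = CreateSanitizer();

    private static HtmlSanitizer CreateSanitizer()
    {
        var s = new HtmlSanitizer();
        // Start from an empty allow-list rather than trimming the library's default one.
        s.AllowedTags.Clear();
        foreach (var tag in new[] { "p", "br", "b", "i", "em", "strong", "ul", "ol", "li" })
            s.AllowedTags.Add(tag);
        s.AllowedAttributes.Clear();   // no attributes at all: no href, no style, no event handlers
        s.AllowedSchemes.Clear();      // and no URL schemes, since no attribute may carry a URL
        return s;
    }

    // Disallowed elements such as <script> are removed together with their content;
    // everything outside the allow-list above is stripped.
    public static string Clean(string html)
    {
        return html == null ? null : Sanitizer.Sanitize(html);
    }
}

// Hypothetical review form: only ReviewText is expected to carry markup.
public class ReviewModel
{
    public string Title { get; set; }        // plain text; request validation stays on

    [AllowHtml]                              // the one field that opts out of request validation
    public string ReviewText { get; set; }
}

public class ReviewController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Submit(ReviewModel model)
    {
        if (!ModelState.IsValid)
            return View(model);

        // Sanitize once, on the way in, and store only the cleaned markup.
        model.ReviewText = InputSanitizer.Clean(model.ReviewText);

        // Persistence is omitted. Title is HTML-encoded on output by Razor's @ syntax;
        // ReviewText may be rendered with Html.Raw only because it was sanitized here.
        return RedirectToAction("Index");
    }
}
```

Request validation and input sanitizing are the first line; output encoding at render time is still required for every plain-text field, because data can reach the database through other paths (imports, admin edits, API calls) that never went through this controller.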
6 years ago
It's better to display a user-friendly error rather than an "Exception" screen

iob2000 wrote:
This is an XSS security breach and I believe you should remove it.

Please provide a list of steps to reproduce the issue. I don't believe you can use it somehow in your particular example (Email).
6 years ago
You can simulate a POST using fake form data and, as there is no data sanitizer, the XSS will be stored in the DB and executed whenever you want.

It is pretty simple to do.

You can use hurl.it to simulate a POST against a valid nop form, such as Register, for example.
6 years ago
I know how XSS works. But please clarify what exactly and on what page you can post (so it's "executed every time"). Please provide some example.