By: Alexandre Zia named 14 Nov 2021 at 8:40 a.m. CST

9 Responses
It is possible for an attacker to enumerate existing user accounts when authenticationProtectionConfiguration is enabled in oxAuth. When authenticationProtectionConfiguration is enabled, oxAuth adds a delay to login attempts after a configurable number of retries. However, this delay only triggers if the attempted account exists; if the attempted account does not exist, the delay never triggers. Thus an attacker is able to determine whether the account exists by observing the occurrence of this delay on login attempts. This is a top priority for us, can you please implement the same delay when the attempted account does not exist? Regards
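To make the reported behaviour concrete, here is an added illustration (not oxAuth code) of a brute-force protection that delays only existing accounts, beside the fixed variant that applies the same delay path to unknown accounts. The threshold, delay value and user table are assumed, and a simulated clock replaces real sleeping so the difference is visible without waiting:

```python
# Added illustration (not oxAuth code): a lockout delay that only fires for
# existing accounts leaks account existence; the fix runs unknown accounts
# through the same counter and delay. A simulated clock stands in for time.
from dataclasses import dataclass, field

MAX_ATTEMPTS = 3      # assumed retry threshold (configurable in the real product)
DELAY_SECONDS = 2.0   # assumed delay applied once the threshold is exceeded


@dataclass
class AuthServer:
    users: dict                 # constructed sample: username -> password
    delay_unknown_users: bool   # False reproduces the behaviour in the report
    failures: dict = field(default_factory=dict)
    clock: float = 0.0          # simulated time in seconds

    def _record_failure(self, key: str) -> None:
        self.failures[key] = self.failures.get(key, 0) + 1
        if self.failures[key] > MAX_ATTEMPTS:
            self.clock += DELAY_SECONDS  # the "delay" the reporter observed

    def login(self, username: str, password: str) -> tuple:
        """Return (success, observed response time in seconds)."""
        start = self.clock
        if username not in self.users:
            if self.delay_unknown_users:      # the fix: same path for unknown users
                self._record_failure(username)
            return False, self.clock - start  # vulnerable: returns with no delay
        if self.users[username] == password:
            self.failures.pop(username, None)
            return True, self.clock - start
        self._record_failure(username)
        return False, self.clock - start


def response_times(server: AuthServer, username: str, attempts: int) -> list:
    """Response time of each failed attempt, as a defender verifying the fix would measure it."""
    return [server.login(username, "wrong-password")[1] for _ in range(attempts)]


def leaks_existence(server: AuthServer, known: str, unknown: str) -> bool:
    """True when a known and an unknown account produce different timing profiles."""
    attempts = MAX_ATTEMPTS + 1
    return response_times(server, known, attempts) != response_times(server, unknown, attempts)
```

Running `leaks_existence` against both variants shows the vulnerable server distinguishable after the threshold and the fixed server indistinguishable, which is the check to repeat against a real deployment after the change ships.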

By Mohib Zico staff 14 Nov 2021 at 1:39 p.m. CST

Hi Zia, Please allow me to dig a bit and will get back to you soon. Thanks!

By Mohib Zico staff 17 Nov 2021 at 7:31 a.m. CST

Hello Zia, Can you please log into `https://files.gluu.org` one time? I am going to share a recording with you there.

By Alexandre Zia named 18 Nov 2021 at 1:25 p.m. CST

I tried, but did not succeed.

By Mohib Zico staff 18 Nov 2021 at 7:34 p.m. CST

Sorry, you can't log in to files.gluu.org?

By Alexandre Zia named 19 Nov 2021 at 6:49 a.m. CST

Yes, I can't log in; tried local user, tried SSO.

By Mohib Zico staff 19 Nov 2021 at 7:19 a.m. CST

Hi Zia,

>> yes, I can't login tried local user, tried SSO,

Strange indeed. I'll check what's happening. BTW, I am sharing that screencast on YouTube. I tried to test your scenario. Am I missing anything? Here it is: https://www.youtube.com/watch?v=umI1HgF_Ock&ab_channel=MohibZico

By Alexandre Zia named 19 Nov 2021 at 7:39 a.m. CST

I saw your video, thanks, and I've noticed the delay is happening for you for non-existing accounts. However, in my installation that does not occur. I've also noticed some differences:

- You're using 4.2 and I'm using 4.3
- I'm using Casa and you are not

By Mohib Zico staff 19 Nov 2021 at 9:57 a.m. CST

Thanks Zia. I tested in 4.3, seems like it's working as well. https://www.youtube.com/watch?v=CaptfHz6_oI&ab_channel=MohibZico There is one last difference between your setup and mine. I am using CE, you are on k8s.

By Alexandre Zia named 19 Nov 2021 at 10:27 a.m. CST

I've just remembered another difference: I have changed the login username to require `mail` instead of the default `uid`. See the attached screenshot in oxTrust -> Configuration -> Manage Authentication, Primary Key and Local primary key.