
I have seen a lot of articles about creating a feature on a register page where usernames will be automatically checked in the database so the user can know if his username has been taken already. However, this seems to be very insecure to me. I think (I am not sure) that hackers could flood the PHP script that checks the database and overload the server. What are the potential security risks of setting up a system like those described in the articles below, and what are the solutions for those issues? I'm thinking of things like DDoS and brute-force attacks, but I really don't know. Thanks.

Articles on the topic:

  • In what way is this insecure? If you do it correctly, it can be VERY beneficial, in fact. Commented Jun 15, 2016 at 2:21
  • That was my question, are there any major security risks? I know that it is very beneficial when done correctly so I wanted to make sure that it was not insecure. Commented Jun 15, 2016 at 2:47
  • My mistake. I can't think of any real security risks other than poor input validation and sanitisation. Commented Jun 15, 2016 at 2:48
  • Zach, you don't think this question is wildly too broad (even though you wrote it)? :p ... This would be an amazing question for Quora dot com Commented Jun 15, 2016 at 3:16

1 Answer


The security impact of allowing users (or hackers) to identify the existence of usernames can be very different. Actually, usernames and emails are identical for user enumeration. So what are we going to do when someone tries to register with an email that already exists in the database? Are we going to say "This e-mail has been used"? That is also user enumeration. What I'm trying to say is, we do NOT have a 100% solution for enumeration vulnerabilities during registration.

But your question is not about that; as a security engineer we need to find a decent secure design for "this" feature.

One of the most common preventions for these kinds of cases is "rate limiting". You can block IP addresses that send 30 HTTP requests to your /api/checkusername API in a minute.
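The following is an added example (not code from the question, the answer or any of the linked articles) of the rate limiting the answer describes, written in PHP since the question is about a PHP check script. It uses a sliding window rather than a fixed per-minute counter, so a client cannot get 60 requests through by straddling a minute boundary. The endpoint name `/api/checkusername` and the threshold of 30 requests per minute come from the answer; the in-memory `$store`, the injected `$isTaken` lookup, the `allow_request` / `handle_check_username` function names and the sample IP `203.0.113.5` are assumptions made so the script runs stand-alone from the CLI. In production the store would live in a shared cache such as APCu or Redis, otherwise each PHP worker keeps its own counters.

```php
<?php
// Added example, not code from the original question or answer.
// Sliding-window rate limiter for a hypothetical /api/checkusername endpoint:
// an IP that exceeds RATE_LIMIT_MAX requests in any RATE_LIMIT_WINDOW seconds
// is refused with HTTP 429. $store is an in-memory array here (assumption);
// production would back it with a shared cache (APCu, Redis).

const RATE_LIMIT_MAX    = 30;  // requests per window, the threshold from the answer
const RATE_LIMIT_WINDOW = 60;  // window length in seconds

/**
 * Record a request from $ip at time $now and report whether it is within the limit.
 * $store maps an IP to the timestamps of its requests still inside the window.
 */
function allow_request(array &$store, string $ip, int $now): bool
{
    $cutoff = $now - RATE_LIMIT_WINDOW;
    // Drop timestamps that have aged out of the sliding window.
    $recent = array_values(array_filter($store[$ip] ?? [], fn(int $t) => $t > $cutoff));
    if (count($recent) >= RATE_LIMIT_MAX) {
        $store[$ip] = $recent;
        return false;  // over limit; not recorded, so the window can drain
    }
    $recent[] = $now;
    $store[$ip] = $recent;
    return true;
}

/**
 * Handle one username-availability request. Returns [status, body] so it can be
 * exercised without a web server. $isTaken stands in for the database lookup
 * (assumption: a callable that returns true when the name is already registered).
 */
function handle_check_username(array &$store, string $ip, string $username, int $now, callable $isTaken): array
{
    if (!allow_request($store, $ip, $now)) {
        return [429, ['error' => 'Too many requests', 'retry_after' => RATE_LIMIT_WINDOW]];
    }
    // Input validation before the database is touched: the comments above name poor
    // validation as the other risk, so only a conservative username alphabet is accepted.
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
        return [400, ['error' => 'Invalid username']];
    }
    return [200, ['available' => !$isTaken($username)]];
}

// --- demo with a constructed "database" of taken names ---
$taken   = ['alice', 'bob'];
$isTaken = fn(string $u): bool => in_array(strtolower($u), $taken, true);
$store   = [];
$t       = time();

// 32 requests from one IP, one second apart: the limiter trips at the 31st.
for ($i = 1; $i <= 32; $i++) {
    [$status, $body] = handle_check_username($store, '203.0.113.5', "user$i", $t + $i, $isTaken);
    if ($i <= 2 || $i >= 30) {
        printf("request %2d -> %d %s\n", $i, $status, json_encode($body));
    }
}

// Once the window has passed, the same IP is served again.
[$status, $body] = handle_check_username($store, '203.0.113.5', 'alice', $t + 32 + RATE_LIMIT_WINDOW, $isTaken);
printf("after window -> %d %s\n", $status, json_encode($body));
```

Run it with `php ratelimit.php` (any filename works). Rejected requests are deliberately not recorded, so a client that keeps hammering the endpoint does not push its own unblock time further out; if you prefer the opposite behaviour, record the timestamp before the count check. Keying on the client IP is what the answer suggests, and it is the simplest option; behind a reverse proxy the IP must be taken from the proxy's forwarded header, not from the TCP peer, or every client will share one bucket.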
