Security Tip: Don't Forget Your Registration Form!
[Tip#72] We talk a lot about protecting password reset and login forms, but don't forget about the humble registration form... it can provide attackers with crucial intel!
I was procrastinating browsing Twitter and came across this wonderful meme:
In the first panel we have what is presumably a login form error message, giving an ambiguous message to obfuscate which input is incorrect:
“Error. Either your email or password is incorrect.”
Followed by the response from the registration form, which confirms the email address is in the database:
Register > Enter Email: ”Sorry that email is taken.”
AH, it’s the password.
Upon seeing this, my first reaction was…
This is why ambiguous messaging on password reset forms is usually pointless.
Folks spend so much time worrying about the password reset form leaking account existence and ensuring it has rate limiting, but what about the humble registration form?
Not only does it tell you if an email address is already in the database1, but it often lacks rate limiting2, and it doesn’t send out any emails3, so you can often use this to check if email addresses are in the database faster and quieter than a password reset form.
So this week, I want you to remember your humble registration form!
Ensure it has rate limiting that includes any validation failures.
If account attacks or credential stuffing is a concern, log those validation failures so you’re aware of malicious activity.
If the existence of email addresses is supposed to be secret, don’t validate emails on the registration form.4
Looking to learn more?
⏩ Security Tip #53: Bypassing CSRF Protection with File Uploads
▶️ In Depth #18: "Th1nk Lik3 a H4cker" Walkthrough (part 1)
👉 Looking to dive deeper into Laravel security? Check out Practical Laravel Security, my hands-on security course that uses interactive hacking challenges to teach you about how vulnerabilities work, so you can avoid them in your own code. 🕵️
👉 Worried about your app being hacked? Book in a Laravel Security Audit and Penetration Test! I can find the vulnerabilities before a hacker does, and help you fix them. 🕵️
Unique email addresses are a pretty standard requirement for online accounts, for obvious reasons, so it’s normal for registration forms to leak this information. ↩
Or at least has less than the password reset route. ↩
In fact, password reset attempts are often logged and monitored for any suspicious activity, in addition to sending out lots of emails, but simple validation errors are usually completely ignored. ↩
Most apps don’t actually need to worry enumeration attacks like this, as user existence doesn’t reveal anything compromising, and the only benefit is to slow down credential stuffing attacks.
However, if your app does need to protect user identities, your registration form shouldn’t validate email addresses. Instead, it should collect all the information and email the address - either to inform the existing account owner of the attempt, or to confirm ownership of the address and continue the registration flow. We can cover this topic in a future In Depth, if there is any interest in it? ↩
