No restriction on password attempts allows for brute-force attacks

[vityuasd]

Data

• Shiori version: 1.7.4 and earlier
• Database Engine: SQLite
• Operating system:windows docker

Describe the bug / actual behavior

No restriction on password attempts allows for brute-force attacks.

Expected behavior

Brute-force until successful login.

To Reproduce

1. Navigate to the login page.
2. Capture the login POST request with Burp Suite.
3. Use the Intruder tool to perform the brute-force attack.

Screenshots

[mirkoperillo]

In my opinion there are other tools (like to fail2ban for example, or a reverse proxy) that can be used to monitor this misbehavior.

The codebase of shiori should implement only the features strictly related to its scope (bookmark management).

My 2 cents.

[vityuasd]

@mirkoperillo Really appreciate you sharing your thoughts.

I totally get that tools like failp2ban are super useful for tech-savvy users, but if we only depend on external solutions, we're kinda putting the security responsibility on everyday users — and let's be honest, most folks might not even know this is a risk or how to set things up properly.

That's why even basic protection, like limiting login attempts, should be a must for pretty much any web app, especially if it deals with user data.

I mean, just look at standards like CWE-307 (you know, the one called "Improper Restriction of Excessive Authentication Attempts"). It shows this isn't some rare edge case, but a real and widely recognized security requirement.

Thanks again for your reply!

[mirkoperillo]

@vityuasd thank you for the resources you linked here, very interesting.

I have to say I'm not entirely convinced. In such a way it is the same thing of https: every service should be protected by https nowadays it is an hard requirement, but normally you obtain this using nginx, caddy or other reverse proxy to avoid to write and maintain this feature in your codebase.

However, I'm just a shiori user like you and the last word rests with the project maintainer.