Is it legal to brute force my own Ory Kratos website.

[westdemon]

I need to stimulate a brute force attack on the current website that I am working on. I am currently using the Ory Network inbuilt website creator, not the APIs. I plan to use the Hydra tool and Kali Linux to stimulate this attack. I want to know if this is illegal or do I need to create and host my own website using the Ory Kratos APIs. I am a studying cybersecurity student in Singapore and this is part of my school project.

[vinckr]

Hello @westdemon

are you looking to hunt on our bug bounty program?

See here for more information on that: https://www.ory.sh/docs/ecosystem/security#ory-bug-bounty-program, look at "Probihited Activities" please.

[westdemon]

Im just using it for a cybersecurity project, not planning to go any further. Just need to show that the open source tool Ory Kratos network
works against a brute force attack. I dont plan to sign u-p for any hunt or bug bounty program.

[vinckr]

Hello @westdemon

Quoting from Ory security docs:

Ory Network provides Ory Identities with protection against brute-force attacks by rate limiting requests to API public endpoints, for example login and registration endpoints.
When using Ory Network, these defenses are provided as part of the platform's security infrastructure.
When self-hosting the Ory Kratos Identity Server, it's the responsibility of the administrator to implement and manage rate limiting or other measures to ensure the security of the network.

To be clear, are you planning to use Ory Network or self-host Ory Kratos?

[aeneasr]

It is legal if you do it on your own infrastructure and not against the hosted version that runs on our domains (oryapis.com or ory.sh or ory.net).