OWASP / phpsec

OWASP PHP Security Project - THIS PROJECT IS INACTIVE AND MAY CONTAIN SECURITY FLAWS

brute force detection for time based bots #85

Closed mebjas closed 8 years ago

mebjas commented 10 years ago

I have a small doubt. In the adv_password lib in the auth section, the function isBruteForce() checks the number of attempts in a small period of time to declare whether it is brute force or not. But what if I set my bot to send requests permissible under the given condition (of time) and run it for a long time to get the correct credentials?

Has it not been implemented because these types of attacks would take too much time to crack a password, making them less feasible?

Correct me wherever I'm wrong :)

abiusx commented 10 years ago

Even if we stop that, you can use other IPs. It's not about stopping it, it's about making it harder, with the least effort. -A


On Feb 19, 2014, at 5:14 PM, minhaz notifications@github.com wrote:

mebjas commented 10 years ago

One more thing just came to my mind... We have a function that identifies a brute-force attack, but what then? One thing is that the developer has to call this function each time to check if a brute-force attack was attempted, and then he has to apply his own methods to do later operations. Shouldn't it be part of the library to provide actions when brute force is detected?

abiusx commented 10 years ago

A basic kind of action should be provided, like an HTTP status and killing the process. But it should allow overriding. -A


On Feb 23, 2014, at 11:14 AM, minhaz notifications@github.com wrote:
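Added example covering both points raised in this thread (the slow bot that stays under a short-window threshold, and a default action that the caller can override). This is illustrative code written for this page, not phpsec's isBruteForce() or anything from the adv_password lib; the names LoginGuard, is_brute_force, check, record_failure and on_detected are assumed, as are the limits (5 failures per 60 s, 100 failures per 24 h). It keys attempts on the target account rather than the source IP, since, as noted above, an attacker can rotate IPs but must keep hitting the same account to guess its password.

```python
"""Two-window brute-force detector with an overridable action (added example).

A short sliding window catches fast bots; a long per-account window catches a
bot that paces itself just under the short limit and runs for hours. All
timestamps are injected so the simulation is deterministic and runs offline.
"""
from collections import defaultdict, deque


class Blocked(Exception):
    """Raised by the default action; stands in for 'send an HTTP status and stop'."""

    def __init__(self, status, reason):
        super().__init__(f"{status} {reason}")
        self.status = status
        self.reason = reason


def default_action(key, reason):
    # Default on detection: refuse the request. In a web app this is where
    # a 429 (or 403) status would be sent and processing would end.
    raise Blocked(429, f"too many login attempts for {key}: {reason}")


class LoginGuard:
    def __init__(self, short_window=60, short_limit=5,
                 long_window=24 * 3600, long_limit=100,
                 on_detected=default_action):
        self.short_window = short_window   # seconds
        self.short_limit = short_limit     # failures allowed per short window
        self.long_window = long_window     # seconds
        self.long_limit = long_limit       # failures allowed per long window; None disables
        self.on_detected = on_detected     # callable(key, reason); overridable
        self.attempts = defaultdict(deque) # key -> timestamps of failed attempts

    def _prune(self, key, now):
        q = self.attempts[key]
        while q and now - q[0] > self.long_window:
            q.popleft()

    def record_failure(self, key, now):
        """Call after a failed login for `key` (e.g. the account name)."""
        self._prune(key, now)
        self.attempts[key].append(now)

    def is_brute_force(self, key, now):
        """Return None if the attempt may proceed, else a reason string."""
        self._prune(key, now)
        q = self.attempts[key]
        recent = sum(1 for t in q if now - t <= self.short_window)
        if recent >= self.short_limit:
            return f"{recent} failures in {self.short_window}s"
        if self.long_limit is not None and len(q) >= self.long_limit:
            return f"{len(q)} failures in {self.long_window}s"
        return None

    def check(self, key, now):
        """Run detection and the configured action. Returns True if allowed."""
        reason = self.is_brute_force(key, now)
        if reason is None:
            return True
        self.on_detected(key, reason)  # default raises Blocked; an override may log instead
        return False


def simulate_bot(guard, key, interval, attempts):
    """Feed `attempts` failed logins spaced `interval` seconds apart (constructed input).

    Returns the index of the first attempt the guard refused, or None if it
    never refused.
    """
    for i in range(attempts):
        now = i * interval
        try:
            if not guard.check(key, now):
                return i
        except Blocked:
            return i
        guard.record_failure(key, now)
    return None


if __name__ == "__main__":
    # A bot trying once every 30 s never trips a 5-per-minute rule alone...
    print("short window only:", simulate_bot(LoginGuard(long_limit=None), "alice", 30, 200))
    # ...but the 100-per-day budget stops it on attempt 100 (50 minutes in).
    print("both windows:", simulate_bot(LoginGuard(), "alice", 30, 200))
    # A fast bot is stopped by the short window on its sixth attempt.
    print("fast bot:", simulate_bot(LoginGuard(), "bob", 1, 20))
```

The long window is what answers the original question: a pacing bot is not detected by any rate check it was built to satisfy, so the library also needs a cumulative per-account budget (and, in production, a persistent store for it, since a deque in one PHP process disappears with the request). Passing a different `on_detected` is the override the second exchange asks for; a handler that only logs lets the caller keep the default detection but decide the consequence.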