dqqxkq4047 2016-02-04 20:27
浏览 35
已采纳

蛮力对抗措施无效?

Hello everyone sorry to bother but I've been for ages trying to figure out why my brute force countermeasures aren't working according to my offline security scanner. It keeps firing random user/pass combinations even when my code works like this:

PAGE A (UNSENSITIVE AREA) Main.php A CSRF & Captcha protected form waits for user input. If no CSRF attack detected, valid captcha and destination is selected (there are 3 pages that might be destination OR Login) the form leads you to for example to page B login as follows:

PAGE B LOGIN.php This page reads Referer, if valid according to my programming does as follows: Common form user/pass/captcha/csrf key checked against database;

if($userisfound==1)
{
echo 'welcome to our site';
}       
else { 
$_SESSION['attempt'] = (!$_SESSION['attempt']) ? 0 : $_SESSION['attempt'];
if($_POST['username']){$_SESSION['attempt']++;}
if($_SESSION['attempt'] > 20) 
{header('location:isolated.php');exit;}
}

PAGE C ISOLATED.php

<?php session_start(); session_unset(); session_destroy();
sleep(99999);
header(location:http://www.thanks.ty);
die;
?>

Please can you guys assess me in what am I doing wrong? Thank you very much in advance!

  • 写回答

1条回答 默认 最新

  • doufu9145 2016-02-04 20:53
    关注

    Problems:

    #1: You're using session cookies

    You're basing it off sessions without blocking a specific IP. Sessions are connected to a client by a session cookie, if they delete this, then the session doesn't exist and therefore the attempts don't. Most vulnerability scanners won't keep session cookies. attempts.

    #2: You unset the session on isolated.php

    Essentially what happens is isolated.php just runs on your server and it doesn't hault the client at all. The client doesn't have to wait for the page to load before attempting to load another page after that. Essentially, it just wastes time on your server and nothing else.

    What should you do?

    1. Grab the user IP (Plenty of tutorials around for that)
    2. Create a SQL database to store attempts based off IP. Essentially run UPDATE attempts SET attempts=attempts+1 WHERE ip = [THE_IP] every time there is an incorrect attempt at a user or user INSERT if there is no attempts already.
    3. Query the database to check if there is the current user IP > 20 attempts.
    4. Block the user if there is more than 20 attempts based off the info in the DB.
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥100 set_link_state
  • ¥15 虚幻5 UE美术毛发渲染
  • ¥15 CVRP 图论 物流运输优化
  • ¥15 Tableau online 嵌入ppt失败
  • ¥100 支付宝网页转账系统不识别账号
  • ¥15 基于单片机的靶位控制系统
  • ¥15 真我手机蓝牙传输进度消息被关闭了,怎么打开?(关键词-消息通知)
  • ¥15 装 pytorch 的时候出了好多问题,遇到这种情况怎么处理?
  • ¥20 IOS游览器某宝手机网页版自动立即购买JavaScript脚本
  • ¥15 手机接入宽带网线,如何释放宽带全部速度