Hello everyone sorry to bother but I've been for ages trying to figure out why my brute force countermeasures aren't working according to my offline security scanner. It keeps firing random user/pass combinations even when my code works like this:
PAGE A (UNSENSITIVE AREA) Main.php A CSRF & Captcha protected form waits for user input. If no CSRF attack detected, valid captcha and destination is selected (there are 3 pages that might be destination OR Login) the form leads you to for example to page B login as follows:
PAGE B LOGIN.php This page reads Referer, if valid according to my programming does as follows: Common form user/pass/captcha/csrf key checked against database;
if($userisfound==1)
{
echo 'welcome to our site';
}
else {
$_SESSION['attempt'] = (!$_SESSION['attempt']) ? 0 : $_SESSION['attempt'];
if($_POST['username']){$_SESSION['attempt']++;}
if($_SESSION['attempt'] > 20)
{header('location:isolated.php');exit;}
}
PAGE C ISOLATED.php
<?php session_start(); session_unset(); session_destroy();
sleep(99999);
header(location:http://www.thanks.ty);
die;
?>
Please can you guys assess me in what am I doing wrong? Thank you very much in advance!