dqqxkq4047 2016-02-04 20:27
浏览 35
已采纳

蛮力对抗措施无效?

Hello everyone sorry to bother but I've been for ages trying to figure out why my brute force countermeasures aren't working according to my offline security scanner. It keeps firing random user/pass combinations even when my code works like this:

PAGE A (UNSENSITIVE AREA) Main.php A CSRF & Captcha protected form waits for user input. If no CSRF attack detected, valid captcha and destination is selected (there are 3 pages that might be destination OR Login) the form leads you to for example to page B login as follows:

PAGE B LOGIN.php This page reads Referer, if valid according to my programming does as follows: Common form user/pass/captcha/csrf key checked against database;

if($userisfound==1)
{
echo 'welcome to our site';
}       
else { 
$_SESSION['attempt'] = (!$_SESSION['attempt']) ? 0 : $_SESSION['attempt'];
if($_POST['username']){$_SESSION['attempt']++;}
if($_SESSION['attempt'] > 20) 
{header('location:isolated.php');exit;}
}

PAGE C ISOLATED.php

<?php session_start(); session_unset(); session_destroy();
sleep(99999);
header(location:http://www.thanks.ty);
die;
?>

Please can you guys assess me in what am I doing wrong? Thank you very much in advance!

  • 写回答

1条回答 默认 最新

  • doufu9145 2016-02-04 20:53
    关注

    Problems:

    #1: You're using session cookies

    You're basing it off sessions without blocking a specific IP. Sessions are connected to a client by a session cookie, if they delete this, then the session doesn't exist and therefore the attempts don't. Most vulnerability scanners won't keep session cookies. attempts.

    #2: You unset the session on isolated.php

    Essentially what happens is isolated.php just runs on your server and it doesn't hault the client at all. The client doesn't have to wait for the page to load before attempting to load another page after that. Essentially, it just wastes time on your server and nothing else.

    What should you do?

    1. Grab the user IP (Plenty of tutorials around for that)
    2. Create a SQL database to store attempts based off IP. Essentially run UPDATE attempts SET attempts=attempts+1 WHERE ip = [THE_IP] every time there is an incorrect attempt at a user or user INSERT if there is no attempts already.
    3. Query the database to check if there is the current user IP > 20 attempts.
    4. Block the user if there is more than 20 attempts based off the info in the DB.
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥30 这是哪个作者做的宝宝起名网站
  • ¥60 版本过低apk如何修改可以兼容新的安卓系统
  • ¥25 由IPR导致的DRIVER_POWER_STATE_FAILURE蓝屏
  • ¥50 有数据,怎么建立模型求影响全要素生产率的因素
  • ¥50 有数据,怎么用matlab求全要素生产率
  • ¥15 TI的insta-spin例程
  • ¥15 完成下列问题完成下列问题
  • ¥15 C#算法问题, 不知道怎么处理这个数据的转换
  • ¥15 YoloV5 第三方库的版本对照问题
  • ¥15 请完成下列相关问题!