How can I prevent bulk vulnerability scanning without using a CAPTCHA component?

Tags:

security

How can I prevent forms from being scanned with a sort of massive vulnerability scanner like XSSME, SQLinjectMe (those two are free Firefox add-ons), Accunetix Web Scanner and others?

These "web vulnerability scanners" work by capturing a copy of a form with all its fields and sending thousands of tests in minutes, introducing all kinds of malicious strings in the fields.

Even if you sanitize your input very well, there is a response-speed delay on the server, and sometimes, if the form sends e-mail, you will receive thousands of emails in the receiver mailbox. I know that one way to reduce this problem is the use of a CAPTCHA component, but sometimes this kind of component is too much for some types of forms and delays the user response (for example, a login/password form).

Any suggestion?

Thanks in advance and sorry for my English!

backslash17 asked Mar 01 '23 18:03


2 Answers

Hmm, if this is a major problem you could add a server-side submission-rate limiter. When someone submits a form, store some information in a database about their IP address and what time they submitted the form. Then whenever someone submits the form, check the database to see if it's been "long enough" since the last time that IP address submitted the form. Even a fairly short wait like 10 seconds would seriously slow down this sort of automated probing. This database could be automatically cleared out every day/hour/whatever; you don't need to keep the data around for long.

Of course someone with access to a botnet could avoid this limiter, but if your site is under attack by a large botnet you probably have larger problems than this.

Chad Birch answered Apr 09 '23 12:04


On top of the rate-limiting solutions that others have offered, you may also want to implement some logging or auditing on sensitive pages and forms to make sure that your rate limiting actually works. It could be something simple like just logging request counts per IP. Then you can send yourself an hourly or daily digest to keep an eye on things without having to repeatedly check your site.

Rob Hruska answered Apr 09 '23 12:04
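An added example, not code from either answer: a per-IP submission limiter with the 10-second window Chad describes, combined with the per-IP accepted/rejected counts Rob suggests feeding into a digest. A dict stands in for the database, and the IP addresses and timings in `simulate()` are constructed.

```python
import time
from collections import defaultdict

MIN_INTERVAL = 10.0   # seconds a single IP must wait between accepted submissions
RETENTION = 3600.0    # records older than this are purged (the periodic clear-out)


class SubmissionLimiter:
    """Per-IP submission rate limiter with audit counters (in-memory stand-in for a DB)."""

    def __init__(self, min_interval=MIN_INTERVAL, retention=RETENTION):
        self.min_interval = min_interval
        self.retention = retention
        self.last_seen = {}  # ip -> time of the last *accepted* submission
        self.counts = defaultdict(lambda: {"accepted": 0, "rejected": 0})

    def allow(self, ip, now=None):
        """Return True if this submission may proceed, False if it is rate-limited.
        Rejected attempts do not extend the window, so a flood still gets one
        submission per min_interval rather than locking the IP out entirely."""
        now = time.time() if now is None else now
        last = self.last_seen.get(ip)
        if last is not None and now - last < self.min_interval:
            self.counts[ip]["rejected"] += 1
            return False
        self.last_seen[ip] = now
        self.counts[ip]["accepted"] += 1
        return True

    def purge(self, now=None):
        """Drop stale last-seen records; returns how many were removed."""
        now = time.time() if now is None else now
        stale = [ip for ip, t in self.last_seen.items() if now - t > self.retention]
        for ip in stale:
            del self.last_seen[ip]
        return len(stale)

    def digest(self):
        """Per-IP summary lines, noisiest (most rejected) first, for an hourly/daily mail."""
        ordered = sorted(self.counts.items(), key=lambda kv: -kv[1]["rejected"])
        return [f"{ip}: accepted={c['accepted']} rejected={c['rejected']}" for ip, c in ordered]


def simulate():
    """Constructed traffic: a scanner firing 100 probes 0.1 s apart, and one normal user."""
    lim = SubmissionLimiter()
    for i in range(100):
        lim.allow("203.0.113.5", now=1000.0 + 0.1 * i)   # scanner (constructed IP)
    lim.allow("198.51.100.7", now=2000.0)                # ordinary user, two submissions
    lim.allow("198.51.100.7", now=2030.0)
    return lim
```

Running `simulate().digest()` shows the scanner reduced to one accepted submission per 10-second window while the ordinary user is never blocked.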