How can I prevent scanning of a common vulnerability without using the CAPTCHA component?

How can I prevent these forms from being scanned with mass vulnerability scanners such as XSSME, SQLinjectMe (these two are free add-ons for Firefox), Acunetix Web Scanner and others?

These "vulnerability scanners on the Internet" catch a copy of a form with all its fields and send thousands of tests in minutes, entering all kinds of malicious lines in the fields.

Even if you sanitize your input very well, there is a delay in the response speed on the server, and sometimes, if the form sends e-mail, you receive thousands of letters in the recipient's mailbox. I know that one of the ways to reduce this problem is to use the CAPTCHA component, but sometimes this kind of component is too much for some types of forms and delays the user's response (for example, a login / password form).

Any suggestion?

Thanks in advance and sorry for my English!

+4
5 answers

After reviewing all the answers, I made one solution, configured for my case, with a small amount of each of them:

I again checked the behavior of known vulnerability scanners. They load the page once and with the collected information begin to enter it, changing the contents of the fields using malicious scripts to check certain types of vulnerabilities.

But: what if we sign the form? How? Create a hidden field with random content stored in a Session object. If the value is presented more than n times, we simply create it again. We only need to check if it is consistent, and if it is not, just take the necessary actions.

But we can do it even better: why not, instead of changing the value of the field, change the name of the field at random? Yes, changing the field name randomly and saving it in the session object is a more complicated solution, because the form is always different, and vulnerability scanners simply load it once. If we do not get input for the field with the saved name, we just do not process the form.

I think this can save a lot of CPU cycles. I tested the vulnerability scanners mentioned in the question and it works great!

Well, thank you all; as stated above, this decision was made with a small amount of each answer.

0
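The randomised-field-name check described in this answer, as an added Python example (not code from the original post). It assumes a dict-like server-side session; the key names, the `MAX_USES` rotation threshold and the sample submissions are constructed for illustration.

```python
import secrets

# Constructed example: a session-bound, randomly named form field. A scanner
# that captured the form once keeps posting the captured name, so once the
# name rotates its submissions are dropped before any expensive processing.
MAX_USES = 3  # accepted submissions per field name before it is rotated (assumed value)


def issue_field_name(session):
    """Return the current randomised field name for this session, creating one if needed."""
    name = session.get("form_field")
    if name is None:
        name = "f_" + secrets.token_hex(8)  # unpredictable, 16 hex chars
        session["form_field"] = name
        session["form_field_uses"] = 0
    return name


def render_form(session):
    """Render the form with the randomised field name (only the field itself, for brevity)."""
    name = issue_field_name(session)
    return f'<form method="post"><input type="text" name="{name}"></form>'


def accept_submission(session, posted):
    """Return the posted value if the session's expected field name is present, else None."""
    expected = session.get("form_field")
    if expected is None or expected not in posted:
        return None  # unknown or stale field name: do not process the form
    session["form_field_uses"] += 1
    if session["form_field_uses"] >= MAX_USES:
        # rotate: the next render gets a fresh name and stale captures stop working
        del session["form_field"]
        del session["form_field_uses"]
    return posted[expected]
```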

Hmm, if this is a serious problem, you can add a submission rate limiter on the server side. When someone submits the form, store some information in the database about their IP address and at what time they submitted the form. Then, whenever someone submits a form, check the database to see if it has been "long enough" since the last submission from this IP address. Even a rather short wait, such as 10 seconds, will seriously slow down such automatic probing. This database can be automatically cleaned every day / hour / whatever, unless you need to store the data for a long time.

Of course, someone who has access to the botnet can avoid this restrictor, but if your site is attacked by a large botnet, you are likely to have more problems than this.

+5

There's only so much you can do ... "Where everything will be alright", all you want the user to do is to automate and abuse. You need to find a median in development and drop a few things that can complicate the abuse.

One thing you can do is sign the form with a hash, for example, if you can do this to send a message to another user:

    hash = md5(userid + action + salt)

then when you actually process the answer you make

    if (hash == md5(userid + action + salt))

This allows an attacker to enter 1000 user IDs and easily send spam to your system. It's just another loop for an attacker to jump over.

I like to hear the methods of other nations. CAPTCHAs should be used at entry points such as registration. And the above method should be used for actions on specific things (messaging, voting, ...).

You can also create a flag system: anything the user does X times in X time, which may look suspicious, should flag the user and make them solve a CAPTCHA (after entering it, they are no longer flagged).

+1

On top of the rate-limit solutions that others have suggested, you can also implement some logging or auditing on sensitive pages and forms to make sure that the rate limit really works. It could be something simple, like just counting logged requests for each IP address. Then you can send hourly or daily digests to keep track of things without having to revisit your site.

+1

This question is not quite the same as other questions about captchas, but I think you should read them if you have not done so already. "Honey Pot Captcha" sounds like it might work for you.

+1
