[OWASP_PHPSEC] isBruteForce ?
rahul300chaudhary400 at gmail.com
Tue Sep 3 15:51:12 UTC 2013
The function definition and the comments are both correct.
It is written that the failed login attempt will be CONSIDERED for an
attack, not declared that it IS AN ATTACK. Once marked, another value is
checked, i.e. the total login attempts. After checking both values, we
can make the correct decision.
Note: My method reduces false positives.
On Mon, Sep 2, 2013 at 10:41 AM, Shivam Dixit <shivamd001 at gmail.com> wrote:
> I have posted the issue on the GitHub issue list. I have also made an attempt
> to patch the issue and made a pull request on GitHub. I am not certain
> about the values of the constants "bruteForceLockTimePeriod" and
> "bruteForceLockAttemptTotalTime" as *I don't have stats*. Please give
> your opinions on the values of the constants mentioned above.
> According to my definition, firstly we will check if the time between two
> consecutive requests is less than *bruteForceLockTimePeriod*; if so, it
> will be brute force. Secondly, I am testing that if the total number of requests
> is more than or equal to *bruteForceLockAttempts* and the time is less than
> *bruteForceLockAttemptTotalTime* (I have introduced this variable), then it will
> also be a brute force. So we are handling both situations separately.
> Please correct me if I am thinking wrong.
> On Mon, Sep 2, 2013 at 5:48 PM, Abbas Naderi <abiusx at owasp.org> wrote:
> > It must be wrong then. File an issue in GitHub for Rahul to deal with it.
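The two readings discussed in this thread, written out as an added example (not PHPSEC's own code): Shivam's, where either condition alone flags an attempt, and Rahul's, where a fast retry only marks the attempt as suspect and the total-attempt count decides. Constant names follow the thread; their values, the account name and the failure timestamps are constructed assumptions.

```python
from collections import defaultdict, deque

# Names follow the thread; values are assumptions (the thread has no stats yet).
BRUTE_FORCE_LOCK_TIME_PERIOD = 2          # seconds between two consecutive failures
BRUTE_FORCE_LOCK_ATTEMPTS = 5             # failures tolerated inside the window below
BRUTE_FORCE_LOCK_ATTEMPT_TOTAL_TIME = 60  # window length in seconds


class FailedLoginTracker:
    """Per-account failed-login timestamps, pruned to the total-time window."""

    def __init__(self):
        self.failures = defaultdict(deque)

    def record_failure(self, account, ts):
        q = self.failures[account]
        # Forget failures that fell out of the total-time window.
        while q and ts - q[0] >= BRUTE_FORCE_LOCK_ATTEMPT_TOTAL_TIME:
            q.popleft()
        q.append(ts)

    def fast_retry(self, account):
        # Condition 1: two consecutive failures closer than the lock time period.
        q = self.failures[account]
        return len(q) >= 2 and (q[-1] - q[-2]) < BRUTE_FORCE_LOCK_TIME_PERIOD

    def too_many_in_window(self, account):
        # Condition 2: queue only holds failures inside the window, so a count suffices.
        return len(self.failures[account]) >= BRUTE_FORCE_LOCK_ATTEMPTS

    def is_brute_force_either(self, account):
        # Shivam's reading: the two situations are handled separately.
        return self.fast_retry(account) or self.too_many_in_window(account)

    def is_brute_force_both(self, account):
        # Rahul's reading: fast retry is only "considered"; the total count decides.
        return self.fast_retry(account) and self.too_many_in_window(account)


def evaluate(timestamps, account="alice"):
    """Feed constructed failure times; return (either-rule, both-rule) verdicts."""
    tracker = FailedLoginTracker()
    for ts in timestamps:
        tracker.record_failure(account, ts)
    return tracker.is_brute_force_either(account), tracker.is_brute_force_both(account)


# Constructed scenarios (seconds since an arbitrary epoch).
DOUBLE_CLICK = [100.0, 100.5]                    # one user mis-clicking twice
SCRIPTED = [100 + i for i in range(6)]           # six failures, one second apart
SLOW_STEADY = [100 + 10 * i for i in range(5)]   # five failures spread over 40 s
STALE_THEN_FRESH = [0, 1, 2, 3, 100, 101]        # old burst expires before the retry
```

The double-click case shows the false positive Rahul's combined check avoids; the slow-and-steady case shows what the combined check would miss, which is the trade-off behind his note.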