[OWASP_PHPSEC] isBruteForce ?

Shivam Dixit shivamd001 at gmail.com
Wed Sep 4 10:04:31 UTC 2013

Hello rahul,

Thanks. Nice point.

However I am assuming that a real user *cannot* make two consecutive
requests *within 1 second* so I set the value of bruteForceLockTimePeriod to
1 sec. Because once the request is sent, he will have to wait for reply and
then type in password again and then again make a request, so essentially
this whole process will require more time than 1 second for a real user
(just an assumption, correct me if I am wrong).

Secondly I am defining bruteForceLockAttemptTotalTime to 25 which means
that if 5 consecutive attempts are carried out within 25 seconds then it is
also brute force.
I have added FIRST_LOGIN_ATTEMPT to implement this functionality in an
efficient way. FIRST_LOGIN_ATTEMPT will help us to determine which requests
will be considered in a group. For example:

Total count = 0

I make a request at 0th second.     //I will store first login attempt time.
Total count = 1

then a request at 2nd second.      //By passing the first condition to check BruteForce.
Total count = 2

another at 4th second.
Total count = 3

and so on..... my condition, apart from checking time between two
consecutive conditions is :

if total count is less than  5
update total count
update last_login_attempt
return false

if total count == 5 and *present request time minus first request time*
is *less than 25* seconds then it will be brute force.

I will update *first login attempt time as time of this request*, and
update other values as you were doing before and return false.

Essentially I am trying to group requests, so that I can find the time of
the first request of the group and the last request of that group, if that
is higher than our allowed time then we will flag brute force. Groups will
be made only when requests are done in short time. Otherwise we will reset
our group. Hence we require first login attempt and keep updating that value.

Result: This filter will reduce a lot of false positives as well as increase
the time of brute force attempts to such an extent that it becomes practically
not feasible to make a successful brute force attempt.

PS: I have fixed a small condition after I made a pull request, now my new
conditions are exactly what I am looking for.

To make things more practical :
Instead of isBruteForce function just returning boolean, can we return an
integer to define level of an attack ? Say return 0 , return 1 or return 2
, where 0, 1, and 2 define the level of attack.

return 'x' :
0 : not brute force.
1 : two attempts made within 1 second (or whatever value).
Result: Developer must show captcha if he receives 1.

2 : *No of attempts* made are very high in short time (5 attempts within 25
seconds or whatever value).
Result : He must block account temporarily for 15 minutes.

Benefit of above approach to isBruteForce ?
We will have more customized control.

Suggestions are welcome. Rahul, please take a look at my updated code:

Also I am new to this library kind of things. So please advise me how I
should test my code without having any view of the application or a complete
application to run and test? Syntax check as well as how to check if my
application is logically correct.

On Wed, Sep 4, 2013 at 12:26 AM, rahul chaudhary <
rahul300chaudhary400 at gmail.com> wrote:

> Interesting point...nice dude.. :)
> but let us see....4 attempts in 5 sec...and that would be the bot
> limit....remember, we are not trying to prevent the bot to NOT guess the
> passwords...we want to minimize the attempts they can make so that password
> guessing is not possible in real time...
> The max attempt is actually limiting the bot to guess only that much
> password in the "two consecutive password time limit".
> But your point actually brings my attention towards one thing...suppose
> the time between two attempts is very large...say 5 sec..and the max
> attempts are also large...say 1000...then the bot can make 999 requests in
> 4.99 sec...in which case it is a problem...
> But if we go by your solution, then for the legit cases, we will get a lot
> of false positives...here is how....two consecutive attempts are made in 5
> sec...so that would flag a brute force, when actually it's not...it's just
> two attempts...no need to worry the developers for this small case.....
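
The grouping logic and the 0/1/2 return levels proposed in this message, as an added PHP example (not the project's code and not written by either poster). `MAX_ATTEMPTS`, the `$state` array layout, and restarting the group after the fifth attempt are assumptions; the attempt timestamps are constructed.

```php
<?php
// Added example. Constant names mirror the settings named in the thread;
// MAX_ATTEMPTS and the state layout are assumptions.
const BRUTE_FORCE_LOCK_TIME_PERIOD = 1;          // seconds between two attempts
const BRUTE_FORCE_LOCK_ATTEMPT_TOTAL_TIME = 25;  // seconds for a whole group
const MAX_ATTEMPTS = 5;                          // attempts per group

// Returns 0 (not brute force), 1 (two attempts too close: show CAPTCHA)
// or 2 (group filled inside the window: lock the account temporarily).
// $state is the per-account record, normally a database row.
function bruteForceLevel(array &$state, int $now): int
{
    $gap = $state['last'] === null ? null : $now - $state['last'];
    if ($state['count'] === 0) {
        $state['first'] = $now;   // FIRST_LOGIN_ATTEMPT: opens a new group
    }
    $state['last'] = $now;
    $state['count']++;

    if ($state['count'] >= MAX_ATTEMPTS) {
        $elapsed = $now - $state['first'];
        // Assumption: this request starts the next group in either outcome.
        $state['first'] = $now;
        $state['count'] = 1;
        if ($elapsed < BRUTE_FORCE_LOCK_ATTEMPT_TOTAL_TIME) {
            return 2;
        }
    }
    if ($gap !== null && $gap < BRUTE_FORCE_LOCK_TIME_PERIOD) {
        return 1;
    }
    return 0;
}

// Constructed attempt times (seconds) for three constructed accounts.
$scenarios = [
    'slow typing'      => [0, 9, 20, 31, 45],
    '2 s spacing'      => [0, 2, 4, 6, 8],
    'same-second pair' => [0, 0, 3],
];
foreach ($scenarios as $label => $times) {
    $state = ['first' => null, 'last' => null, 'count' => 0];
    $levels = [];
    foreach ($times as $t) {
        $levels[] = bruteForceLevel($state, $t);
    }
    echo $label, ': ', implode(' ', $levels), PHP_EOL;
}
```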