After submitting one anonymous review, submitting another requires a captcha to be solved. The challenge is to bypass this captcha and create multiple anonymous reviews e.g. in a short time period. This could be coupled with a Rate Limiting for submitting reviews allowing two tiers for the challenge:
For the actual captcha either an existing library with known vulns could be used, or one that can be misconfigured. Alternatively a proprietary weak captcha could be written, e.g. relying on cookies or some session/local storage.
Is it not possible to post more than 1 product review within 10 seconds even if we have captcha ?
Yeah, you're right, we can't really measure the Captcha bypass by reviews per time, can we? Other ideas?
If we ask for a number of reviews per minute _slightly below_ the Rate Limiting for Tier 1 and _significantly above_ for Tier 2,that would work. But the Rate Limit must be very restrictive, otherwise people flood their servers with reviews and I don't know if MarsDB survives that... 馃榾
As captchas are used for defeating automated scripts after attacker have some way to bypass rate limit in real life and as we already have rate limit bypass fun, I suggest we just implement captcha bypass and check the solution based on the method to bypass instead of implementing Tier 2 challenge. I was looking into some recent bug reports like :
In realistic scenario if someone is not using Google reCaptcha, this type of vulnerabilities occur. First flaw occurs many times and will be good for us. What do you think?
Also we can implement classic front-end check flaw by sending captcha answer to client.
I like https://hackerone.com/reports/229584 a lot. Gives us a good 3- or 4-star challenge.
and we will verify the solution based on reviews per time? 10 reviews per 5 second will be fine. I will have to check time taken for python requests module for 1 request. Other languages will do fine. Right?
Other language? For what? You mean to actually perform the attack? There people can use what they want. For e2e testing we should stick to Javascript/Protractor.
Yea I meant to say , is 10 or more reviews per 5 sec a good solution? Because they will also have to request review page for the captcha 10 times and issue the req. That will take time more than 5 sec maybe.
Well, the idea is to force them to automate/script that, so it should be no problem, right? Alternatively someone could open 10 tabs and prepare everything and send them really quickly in 0,5sec per tab... :rofl:
Stuck at captcha verification at backend !. POST request containing feedback and captcha answer goes to /api/Feedbacks/ and which is handled by epilogue and directly inserted in DB I guess. Am not familiar with epilogue. Any suggestion on how it can be done ? or front end check of captcha answer is also good if its not possible with epilogue ?
I think you could put another route handler before the definition for epilogue, similar to the access control handlers for the models. If that blocks, the request won't reach epilogue so nothing ends up in database.
See server.js lines 126 ff. For example insecurity.denyAll() blocks requests.
Added captcha in #467. Will add challenge soon. Any suggestions on way to verify the solution of this challenge ?
No, if your route doesn't send a response it will basically tumble through to the next responsible handler. And that should be epilogue then!
Added Challenge in #480.
This thread has been automatically locked because it has not had recent activity after it was closed. :lock: Please open a new issue for regressions or related bugs.