Hello everyone sorry to bother but I've been for ages trying to figure out why my brute force countermeasures aren't working according to my offline security scanner. It keeps firing random user/pass combinations even when my code works like this:
PAGE A (UNSENSITIVE AREA) Main.php A CSRF & Captcha protected form waits for user input. If no CSRF attack detected, valid captcha and destination is selected (there are 3 pages that might be destination OR Login) the form leads you to for example to page B login as follows:
PAGE B LOGIN.php This page reads Referer, if valid according to my programming does as follows: Common form user/pass/captcha/csrf key checked against database;
if($userisfound==1)
{
echo 'welcome to our site';
}
else {
$_SESSION['attempt'] = (!$_SESSION['attempt']) ? 0 : $_SESSION['attempt'];
if($_POST['username']){$_SESSION['attempt']++;}
if($_SESSION['attempt'] > 20)
{header('location:isolated.php');exit;}
}
PAGE C ISOLATED.php
<?php session_start(); session_unset(); session_destroy();
sleep(99999);
header(location:http://www.thanks.ty);
die;
?>
Please can you guys assess me in what am I doing wrong? Thank you very much in advance!
You're basing it off sessions without blocking a specific IP. Sessions are connected to a client by a session cookie, if they delete this, then the session doesn't exist and therefore the attempts don't. Most vulnerability scanners won't keep session cookies. attempts.
isolated.phpEssentially what happens is isolated.php just runs on your server and it doesn't hault the client at all. The client doesn't have to wait for the page to load before attempting to load another page after that. Essentially, it just wastes time on your server and nothing else.
UPDATE attempts SET attempts=attempts+1 WHERE ip = [THE_IP] every time there is an incorrect attempt at a user or user INSERT if there is no attempts already.