Hello António. Brute force in login is a common weakness that can be easy to solve.

The most effective solution is implementing a CAPTCHA. In web2py I use Google reCAPTCHA because the implementation is easy and it stops all the automations. In py4web I'm still unable to implement it in the login form, and there is not much information about how to do it.

In web2py I'm quite sure that it is not possible to submit the same form twice because it has a CSRF token or similar, so the brute force is not as simple as repeating the login POST. If a script resends the same POST, it will not be processed because the token is reused. In py4web forms have a csrftoken, but I'm not sure if they work the same way as in web2py. Months ago it was possible to resend the same POST data twice and have it accepted. I haven't tested it since those days, but I will, because it is something that makes noise.

In my experience an account lockout policy is effective but very annoying to the users.

I would not say that brute force on login forms is a big task that consumes too much CPU. These functions usually are small and make small queries to the database. Most of the time a public endpoint like index or a landing page can consume more CPU than the login task.

Greetings.
Chris.

On Thu, 16 Nov 2023 at 14:32, António Ramos (<[email protected]>) wrote:

> Hello friends, I guess this is a similar issue between web2py and py4web, so I'm posting to both groups. Sorry if I'm abusing ...
>
> We had a cybersecurity audit in our web2py app and they found this issue
>
> QUOTE
> During the application audit process, it was possible to identify that the company portal does not implement the restriction of blocking accounts due to invalid login attempts. This allows an attacker to use brute force attacks to attempt a valid credential indefinitely.
>
> *Recommendation*
> We recommend implementing account lockout policies for invalid login attempts, as well as captcha and multi-factor authentication mechanisms, as well as session timeouts to log out a user who has been inactive on the system for some time.
> UNQUOTE
>
> I already activated the MFA in my app but it only works if the password is correct.
> An attacker trying to guess the password could have a forever loop trying to login and it can stress the server CPU.
>
> Any comments on this ?
>
> Regards
> António
>
> --
> You received this message because you are subscribed to the Google Groups "py4web" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/py4web/CAEM0BxN7fY6Ymy8Fihb7UKWarT%2B9CsuQnH%3D9tYo1JFSFVH%2BgdA%40mail.gmail.com.

--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups "web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/web2py/CA%2Bs%2BuJtjPvFYEPwoy9r19bARLmsoN4fk6Rbeirxb%2BFkX6Uh49A%40mail.gmail.com.
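Two of the controls discussed in this thread, a single-use form token that rejects a replayed login POST and a per-account lockout counter, as an added standalone Python example (not web2py or py4web code, and not from either poster); the policy values, the `LoginGuard` class and `demo_check_password` are constructed for illustration.

```python
import hmac
import secrets
import time
# Policy values are constructed for this example, not py4web/web2py defaults.
MAX_FAILURES = 5        # failed attempts per account before a temporary lockout
LOCKOUT_SECONDS = 300   # first lockout length; doubles on each further lockout

class LoginGuard:
    """Single-use form tokens plus per-account failure counting with escalating lockout."""
    def __init__(self, clock=time.time):
        self.clock = clock       # injectable so lockout expiry can be tested
        self._tokens = set()     # tokens issued to rendered forms, not yet used
        self._failures = {}      # email -> (failure_count, locked_until)

    def issue_form_token(self):
        token = secrets.token_urlsafe(32)
        self._tokens.add(token)
        return token

    def consume_token(self, token):
        # True the first time a token is posted; False for any replay
        if token in self._tokens:
            self._tokens.discard(token)
            return True
        return False

    def is_locked(self, email):
        _, locked_until = self._failures.get(email, (0, 0.0))
        return self.clock() < locked_until

    def record_failure(self, email):
        count, locked_until = self._failures.get(email, (0, 0.0))
        count += 1
        if count >= MAX_FAILURES:
            # 5th failure locks for 300 s, 6th for 600 s, 7th for 1200 s ...
            locked_until = self.clock() + LOCKOUT_SECONDS * 2 ** (count - MAX_FAILURES)
        self._failures[email] = (count, locked_until)

    def attempt(self, token, email, password, check_password):
        if not self.consume_token(token):
            return "replayed_form"
        if self.is_locked(email):
            return "locked"
        if check_password(email, password):
            self._failures.pop(email, None)   # success resets the counter
            return "ok"
        self.record_failure(email)
        return "bad_credentials"

def demo_check_password(email, password):
    # Constructed stand-in for the real hashed-password comparison.
    return hmac.compare_digest(password, "correct-horse-battery")
```

A production version would keep the token set and failure counters in shared storage (database or cache) rather than in process memory, since several workers handle the login route.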

