How can I prevent bulk vulnerability scanning without using a CAPTCHA component?


Question

How can I prevent forms from being scanned by massive vulnerability scanners like XSSME, SQLinjectMe (those two are free Firefox add-ons), Accunetix Web Scanner and others?

These "web vulnerability scanners" work by catching a copy of a form with all its fields and sending thousands of tests in minutes, introducing all kinds of malicious strings in the fields.

Even if you sanitize your input very well, there is a response delay in the server, and sometimes, if the form sends e-mail, you will receive thousands of e-mails in the receiver's mailbox. I know that one way to reduce this problem is the use of a CAPTCHA component, but sometimes this kind of component is too much for some types of forms and delays the user's response (for example, a login/password form).

Any suggestions?

Thanks in advance and sorry for my English!

Recommended answer

Reviewing all the answers, I have made one solution customized for my case with a little bit of each one:

I checked again the behavior of the known vulnerability scanners. They load the page one time, and with the information gathered they start to submit it, changing the content of the fields to malicious scripts in order to verify certain types of vulnerabilities.

But: what if we sign the form? How? By creating a hidden field with random content stored in the Session object. If the value is submitted more than n times, we just create it again. We only have to check if it matches, and if it doesn't, just take the actions we want.

But we can do it even better: why, instead of changing the value of the field, don't we change the name of the field randomly? Yes, changing the name of the field randomly and storing it in the session object is maybe a trickier solution, because the form is always different, and the vulnerability scanners just load it once. If we don't get input for a field with the stored name, we simply don't process the form.

I think this can save a lot of CPU cycles. I was doing some tests with the vulnerability scanners mentioned in the question and it works perfectly!

Well, thanks a lot to all of you; as I said before, this solution was made with a little bit of each answer.
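The randomized-field-name signing described in the answer, written out as an added example (not code from the original post); it assumes a dict-like server-side session, two constructed form fields and a submission limit of 3 per render standing in for the answer's "n".

```python
import html
import secrets

LOGICAL_FIELDS = ("username", "password")   # the form's real fields (constructed example)
MAX_SUBMISSIONS_PER_RENDER = 3              # assumed value for the answer's "n"

def render_form(session):
    """Issue fresh random field names for this render and remember the mapping
    in the server-side session, replacing whatever an earlier render issued."""
    mapping = {logical: "f_" + secrets.token_hex(8) for logical in LOGICAL_FIELDS}
    session["form_sig"] = {"fields": mapping, "uses": 0}
    inputs = "".join(
        f'<input name="{html.escape(rnd)}" placeholder="{html.escape(logical)}">'
        for logical, rnd in mapping.items()
    )
    return f'<form method="post">{inputs}<button>Send</button></form>'

def verify_submission(session, posted):
    """Return the posted values keyed by logical field name, or None when the
    request does not carry every field name issued to this session (a replayed
    copy of an older render, or a form never rendered for this session) or when
    the issued names have already been used MAX_SUBMISSIONS_PER_RENDER times.
    Returning None lets the caller skip the expensive handler entirely."""
    sig = session.get("form_sig")
    if sig is None:
        return None
    if sig["uses"] >= MAX_SUBMISSIONS_PER_RENDER:
        session.pop("form_sig")      # force a fresh render before anything else is processed
        return None
    sig["uses"] += 1                 # every submission against this render counts
    if any(rnd not in posted for rnd in sig["fields"].values()):
        return None
    return {logical: posted[rnd] for logical, rnd in sig["fields"].items()}
```

The names rotate on every render, so a scanner that replays the one copy of the page it fetched submits stale names and is rejected before the handler runs; the values that do pass still need the same validation as any other input.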
