Lack of protection against brute force attacks - Credentials
Need
Implementation of a robust and secure mechanism to prevent brute force attacks on promotional codes.
Context
• Usage of Ruby 2.7.0 as the programming language for development
• Usage of Ruby on Rails for web application development
Description
1. Non compliant code
class PromoCodesController < ApplicationController
  def validate_code
    code = params[:code]
    promo_code = PromoCode.find_by(code: code)
    if promo_code
      render json: { valid: true, discount: promo_code.discount }
      render json: { valid: false }...In the above code, there is a `validate_code` method in the `PromoCodesController` which is used to validate if the provided promotional code is valid or not. The method takes a `code` parameter from the request, and then it tries to find a promotional code in the database that matches the provided code. If a matching promotional code is found, the method responds with a JSON object indicating that the code is valid and also includes the discount associated with the code. If no matching code is found, the method responds with a JSON object indicating that the code is invalid. The vulnerability here is that there are no protections in place against brute force attacks. An attacker could potentially automate requests to this endpoint with different codes until they find a valid one. There are no rate limiting or captcha mechanisms in place to prevent or slow down such automated attacks.
2. Steps
• Implement rate limiting to prevent multiple login attempts within a short period of time.
• Implement account lockout after a certain number of failed login attempts.
• Use strong and unique passwords for user accounts.
• Implement two-factor authentication to add an extra layer of security.
• Implement CAPTCHA or reCAPTCHA to prevent automated attacks.
• Implement a delay or exponential backoff mechanism to slow down brute force attacks.
• Monitor and log failed login attempts to detect and respond to potential attacks.
• Regularly update and patch the application and its dependencies to fix any security vulnerabilities.
• Educate users about the importance of using strong passwords and avoiding password reuse.
3. Secure code example
class PromoCodesController < ApplicationController
  before_action :check_rate_limit, only: [:validate_code]
  def validate_code
    code = params[:code]
    promo_code = PromoCode.find_by(code: code)
      render json: { valid: true, discount: promo_code.discount }...The updated code now includes a `before_action` filter that checks the rate limit before the `validate_code` action is executed. This filter is defined in the `check_rate_limit` private method. In the `check_rate_limit` method, we first get the client's IP address. We then define a limit for the number of requests (5 requests) and a period for the limit (60 seconds). We use Rails' caching mechanism to store the number of requests from each IP address. If the cache for the IP address does not exist, we initialize it with 0. If the number of requests from the IP address has reached the limit, we return a 'Too many requests' error with a 429 status code (Too Many Requests). If the limit has not been reached, we increment the count in the cache. This way, we limit the number of requests to the `validate_code` action from each IP address to 5 requests per minute, effectively preventing brute force attacks.