I know how to implement token-based authentication. But my concern is user actions like register, login or verify, against attacking bots. I can imagine a bot making requests through fake phone numbers, and my SMS or mail server will respond to all of them! Or thousands of registered users in the users table in the database which are fake and not verified. I know some firewall strategies to block these types of attacks and traffic at the network layer. But is it possible to secure "unauthenticated" HTTP actions with a captcha code or another way?

If yes, how can I send the captcha image from the API server to the client? In raw form? If sending a captcha is possible, then how can I find which captcha is for which client? Can a session help?

Thanks for your attention.

Vahid Alimohamadi

1 Answer

You could implement a form of CSRF (Cross site request forgery) trapping to avoid this. I use a combination of CSRF and honeypot fields. Here is the basic rundown:

  1. The server populates a field via a hidden-type input tag containing a value which is set on the fly and stored on the server as a session variable.
  2. The form also contains a text field (type="text" or textarea) that is hidden using CSS.
  3. When the form is posted, the hidden value (CSRF token) must match the saved session version, and
  4. The honeypot field must be empty.

If the tests fail, I respond with a 401 or 404.

Reg bots will usually fill honeypot fields, and some are smart enough to circumvent CSRF - I log all attempts that fail these tests and capture quite a few bot attempts.

RichGoldMD
  • Imagine I have a web interface on another server for user registration. With a quick look at the HTML and JS source code, an attacker can prepare an effective attack. – Vahid Alimohamadi Aug 21 '17 at 23:47
  • That is always the case. The goal is to reduce, as much as possible, the false entries. In my case, the CSRF field name as well as the value change on every iteration. The honeypot field does not change. Many reg bots post without inspecting the form more than once; they just repeatedly send POSTs. Others inspect the form for fields and fill them. You could also implement Captcha and other heuristics on top of this. If you do, I would recommend using an established service for it rather than rolling your own, if you are allowed (e.g. Google Recaptcha) as they are very mature. – RichGoldMD Aug 21 '17 at 23:48
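The answer and its follow-up comment describe a per-render CSRF token (with a changing field name) plus a CSS-hidden honeypot field. The following is an added, framework-free example of that check, not the answerer's code; it assumes a dict-backed server-side session and a constructed honeypot field name.

```python
import hmac
import secrets

# Added example: CSRF token + honeypot validation as described in the answer.
# `session` is a plain dict standing in for the app's server-side session store.
HONEYPOT_FIELD = "website"   # constructed name; hidden from humans via CSS, visible to bots


def issue_form(session):
    """Mint a fresh token AND a fresh field name for this render (as the comment
    describes), store both server-side, and return the hidden inputs to embed."""
    field_name = "f_" + secrets.token_hex(8)
    token = secrets.token_urlsafe(32)
    session["csrf_field"] = field_name
    session["csrf_token"] = token
    return (
        f'<input type="hidden" name="{field_name}" value="{token}">'
        f'<input type="text" name="{HONEYPOT_FIELD}" class="hp" autocomplete="off">'
    )


def validate_post(session, form):
    """Return (ok, reason). The reason is for server-side logging only; the client
    should still get the generic 401/404 the answer recommends."""
    # Single use: the token is consumed whether or not the check passes, so a
    # captured form cannot simply be replayed.
    field_name = session.pop("csrf_field", None)
    expected = session.pop("csrf_token", None)
    if field_name is None or expected is None:
        return False, "no token issued for this session"
    submitted = form.get(field_name, "")
    # Constant-time comparison on bytes (compare_digest rejects non-ASCII str).
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return False, "csrf token mismatch"
    if form.get(HONEYPOT_FIELD, "") != "":
        return False, "honeypot filled"
    return True, "ok"
```

Because the hidden field's name is regenerated on each render, a bot that scraped the form once and keeps re-posting the same field set fails the token check; one that fills every text field it finds fails the honeypot check.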