No rate limiting on the login form

Hello
There is no limit (no flooding protection on the form) on the login or contact form. You can brute force any form on the website.
Steps:

  1. First of all, intercept the request sent by the login form using a web proxy such as Burp Suite.
  2. Then, using the same tool, you can resend the same request with different passwords.

How to?
Design throttling mechanisms into the system architecture. The best protection is to limit the number of resources that an unauthorized user can cause to be expended.

Any idea?

The default number of trials for the login form is 10 (by IP or email): auth | Kirby CMS

Kirby doesn’t come with a default contact form.

Thank you for the login form information. Do you recommend any solution for the contact form?
doc: Email contact form | Kirby CMS

The frontend code is up to yourself. In our example, we use a simple honeypot. But of course, you could add some other type of guard, like a math guard or Google captcha or whatever you see fit for your use case.

The popular Uniform plugin comes with some guards already implemented (see the docs).

There’s also a plugin for the Uniform plugin that implements Turnstile protection: Turnstile for Uniform | Kirby CMS
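To make the two ideas in this thread concrete (per-IP and per-email attempt throttling, as the login form does, plus a honeypot guard for a contact form), here is an added, self-contained example. It is not code from Kirby or from any of the posters; the `AttemptLimiter` class, the `attempt_login` and `honeypot_triggered` helpers and the sample values are all constructed for illustration and are independent of Kirby's own API.

```python
import time
from collections import defaultdict, deque


class AttemptLimiter:
    """Sliding-window limiter: once a key has `max_attempts` failures within
    `window` seconds, it is refused until old failures age out."""

    def __init__(self, max_attempts=10, window=600):
        self.max_attempts = max_attempts
        self.window = window
        self._failures = defaultdict(deque)  # key -> timestamps of failures

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def is_blocked(self, key, now=None):
        now = time.time() if now is None else now
        return len(self._prune(key, now)) >= self.max_attempts

    def record_failure(self, key, now=None):
        now = time.time() if now is None else now
        self._prune(key, now).append(now)

    def reset(self, key):
        self._failures.pop(key, None)


def attempt_login(limiter, ip, email, password, check_credentials, now=None):
    """Returns 'throttled', 'denied' or 'ok'. Both keys are checked *before*
    the password, so a throttled client learns nothing from the check."""
    ip_key, email_key = f"ip:{ip}", f"email:{email.strip().lower()}"
    if limiter.is_blocked(ip_key, now) or limiter.is_blocked(email_key, now):
        return "throttled"
    if check_credentials(email, password):
        # Only the account's own counter is cleared; the IP counter keeps
        # its history so one valid account cannot reset an attacking host.
        limiter.reset(email_key)
        return "ok"
    limiter.record_failure(ip_key, now)
    limiter.record_failure(email_key, now)
    return "denied"


def honeypot_triggered(form, field="website"):
    """Contact-form guard: the hidden field is empty for humans, so any
    content in it marks the submission as automated."""
    return bool(form.get(field, "").strip())
```

In a real deployment the failure timestamps would live in shared storage (a cache or database) rather than process memory, so that the limit holds across workers and restarts.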