Need

Implementation of a robust and secure mechanism to prevent brute force attacks on promotional codes.

Context

• Usage of Ruby 2.7.0 as the programming language for development
• Usage of Ruby on Rails for web application development

Description

Non compliant code

        class PromoCodesController < ApplicationController
  def validate_code
    code = params[:code]
    promo_code = PromoCode.find_by(code: code)

    if promo_code
      render json: { valid: true, discount: promo_code.discount }
    else
      render json: { valid: false }
    end
  end
end
        
        

In the above code, there is a validate_code method in the PromoCodesController which is used to validate if the provided promotional code is valid or not. The method takes a code parameter from the request, and then it tries to find a promotional code in the database that matches the provided code.

If a matching promotional code is found, the method responds with a JSON object indicating that the code is valid and also includes the discount associated with the code. If no matching code is found, the method responds with a JSON object indicating that the code is invalid.

The vulnerability here is that there are no protections in place against brute force attacks. An attacker could potentially automate requests to this endpoint with different codes until they find a valid one. There are no rate limiting or captcha mechanisms in place to prevent or slow down such automated attacks.

Steps

• Implement rate limiting to prevent multiple login attempts within a short period of time.
• Implement account lockout after a certain number of failed login attempts.
• Use strong and unique passwords for user accounts.
• Implement two-factor authentication to add an extra layer of security.
• Implement CAPTCHA or reCAPTCHA to prevent automated attacks.
• Implement a delay or exponential backoff mechanism to slow down brute force attacks.
• Monitor and log failed login attempts to detect and respond to potential attacks.
• Regularly update and patch the application and its dependencies to fix any security vulnerabilities.
• Educate users about the importance of using strong passwords and avoiding password reuse.

Compliant code

        class PromoCodesController < ApplicationController
  before_action :check_rate_limit, only: [:validate_code]

  def validate_code
    code = params[:code]
    promo_code = PromoCode.find_by(code: code)

    if promo_code
      render json: { valid: true, discount: promo_code.discount }
    else
      render json: { valid: false }
    end
  end

  private

  def check_rate_limit
    client_ip = request.remote_ip
    limit = 5
    period = 60

    count = Rails.cache.fetch("promo_code/#{client_ip}", expires_in: period.seconds) do
      0
    end

    if count >= limit
      render json: { error: 'Too many requests' }, status: :too_many_requests
    else
      Rails.cache.write("promo_code/#{client_ip}", count + 1, expires_in: period.seconds)
    end
  end
end
        
        

The updated code now includes a before_action filter that checks the rate limit before the validate_code action is executed. This filter is defined in the check_rate_limit private method.

In the check_rate_limit method, we first get the client's IP address. We then define a limit for the number of requests (5 requests) and a period for the limit (60 seconds).

We use Rails' caching mechanism to store the number of requests from each IP address. If the cache for the IP address does not exist, we initialize it with 0.

If the number of requests from the IP address has reached the limit, we return a 'Too many requests' error with a 429 status code (Too Many Requests). If the limit has not been reached, we increment the count in the cache.

This way, we limit the number of requests to the validate_code action from each IP address to 5 requests per minute, effectively preventing brute force attacks.

References

• 330. Lack of protection against brute force attacks - Credentials