Defense against credential stuffing attacks
Risks of credential stuffing
In our current testing experience, credential stuffing (replaying username/password pairs leaked from other sites) remains a very common vulnerability class among Internet companies in China.
Basic defense strategies
There are many possible defenses, but a good number of them can be bypassed because of how they are designed. The usual measures are: require a CAPTCHA once an account exceeds a certain number of failed logins; detect and block abusive source IP addresses, which is the more common and effective control; and rate-limit login requests at the WAF layer.
Bypassing the defense policy
How a defense is bypassed depends on the specific solution. The first thing to look for is an interface with no protection at all: many mobile-app login interfaces are left unprotected while the web login is guarded. It is therefore important to route every login through one unified interface that carries the anti-credential-stuffing controls, and once that is done, every old login interface must be disabled, otherwise an attacker will find it. CAPTCHA bypass and IP-detection bypass (rotating source addresses) are the other common methods. Some schemes also contain design errors: with a token-based counter, simply requesting a fresh token lets the attacker keep stuffing; with a counter stored in a cookie, sending an empty cookie value bypasses the check entirely. Test according to the specific scenario.
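The following is an added example, not code from the original article, that puts the two passages above side by side: a throttle that keeps its failure counter in a client-held cookie (the token/cookie design error, defeated by simply omitting the value), versus server-side counters keyed per account and per source IP, with the CAPTCHA and block thresholds from the basic-defense section. A constructed leaked-credential list is replayed against each design; all account names, passwords, thresholds and the source address are assumptions.

```python
"""Added example (not from the original article): three login-throttle
designs compared against a constructed credential-stuffing run.

  CookieCounterThrottle  - keeps the failure count in a value the client
                           sends back (the token/cookie design error the
                           text describes: drop it and the count resets).
  ServerSideThrottle     - counts failures server-side, keyed per account
                           and optionally per source IP.

Thresholds, account names and passwords are assumptions for illustration.
"""
from collections import defaultdict

CAPTCHA_AFTER = 5   # failures before a CAPTCHA is demanded
BLOCK_AFTER = 10    # failures before the key is refused outright

# Constructed user database.
USERS = {"alice": "hunter2", "bob": "Passw0rd!", "carol": "letmein"}

# Constructed leaked-credential list: three guesses plus the real
# password for each account, all replayed from one source IP.
LEAKED = [(u, p) for u in ("alice", "bob", "carol")
          for p in ("123456", "password", "qwerty", USERS[u])]


class CookieCounterThrottle:
    """Vulnerable: the failure counter lives in a client-held cookie."""

    def attempt(self, user, password, ip, cookie=None, captcha_solved=False):
        fails = int(cookie) if cookie else 0   # missing cookie == no failures
        if fails >= BLOCK_AFTER:
            return "blocked", str(fails)
        if fails >= CAPTCHA_AFTER and not captcha_solved:
            return "captcha", str(fails)
        if USERS.get(user) == password:
            return "ok", str(fails)
        return "fail", str(fails + 1)          # client is asked to store it


class ServerSideThrottle:
    """Counters kept on the server, keyed per account and (optionally) per IP."""

    def __init__(self, per_ip=True):
        self.per_ip = per_ip
        self.fails = defaultdict(int)

    def _keys(self, user, ip):
        keys = [("user", user)]
        if self.per_ip:
            keys.append(("ip", ip))
        return keys

    def attempt(self, user, password, ip, cookie=None, captcha_solved=False):
        keys = self._keys(user, ip)
        worst = max(self.fails[k] for k in keys)   # any tripped key counts
        if worst >= BLOCK_AFTER:
            return "blocked", None
        if worst >= CAPTCHA_AFTER and not captcha_solved:
            return "captcha", None
        if USERS.get(user) == password:
            return "ok", None          # a success does not reset the IP counter
        for k in keys:
            self.fails[k] += 1
        return "fail", None


def run_stuffing(throttle, replay_cookie, ip="203.0.113.7"):
    """Replay LEAKED against a throttle and return counts per outcome.

    replay_cookie=True  models an honest client that returns the cookie.
    replay_cookie=False models an attacker who simply omits it (the bypass).
    """
    counts = defaultdict(int)
    cookie = None
    for user, password in LEAKED:
        outcome, new_cookie = throttle.attempt(user, password, ip, cookie)
        counts[outcome] += 1
        cookie = new_cookie if replay_cookie else None
    return dict(counts)


if __name__ == "__main__":
    print("cookie counter, honest client :", run_stuffing(CookieCounterThrottle(), True))
    print("cookie counter, cookie dropped:", run_stuffing(CookieCounterThrottle(), False))
    print("server-side, per account only :", run_stuffing(ServerSideThrottle(per_ip=False), False))
    print("server-side, account + IP     :", run_stuffing(ServerSideThrottle(per_ip=True), False))
```

The honest client hits the CAPTCHA after five failures with both the cookie and the account+IP design, but an attacker who drops the cookie tests all 12 pairs and recovers all three passwords. A server-side counter keyed per account only does no better here, because the attacker stays under the threshold on each account and rotates accounts; adding the per-IP key is what stops the run.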
Test
Analysis of the mobile Taobao login policy for a single user: after five wrong passwords a CAPTCHA is shown. After repeated abnormal attempts, a CAPTCHA is also required on the first login of a different user, which suggests the trigger is not keyed to the account alone. Taobao's login traffic is encrypted.
After 10 login attempts the system reports that the login frequency is too high and blocks further logins for the current user; switching to another account gives another 10 attempts. That looks like a weakness, but it only matters if the login requests can actually be replayed: if no HTTP packets can be captured during login, the client may be sending them directly over its own TCP protocol rather than HTTP.