
I'm using JSF 2.1 + PrimeFaces 2.2 and Glassfish 3.1.2 in combination with form-based authentication to secure the web application against unauthorized usage.

Lately I'm seeing a lot of login attempts against the form. Most of them are invalid email/password combinations, or non-existing emails in our database. But some are successful.

I think that the attacker has a mail + password list which he tries. In my LoginBean I use timer-controlled access, by counting how many logins fail and denying access for this browser session. This generally works, but not for automated scripts. So I decided to include a Captcha provided by PrimeFaces within the LoginForm. But last night I thought about how to bypass the Captcha. That was really simple.

Go to the browser console. Type

`jQuery('#recaptcha_widget_div').parent().remove()`

That's the name of the Captcha component, and the div for the captcha disappears. And now it's again possible to drive brute-force attacks against the form.

So I need another way to secure the login form against brute force. Any suggestions for best practice and examples?

Thanks

  • Did you set it `required="true"`? Is the view stateful (as default, thus not stateless)? – BalusC Jan 25 '15 at 23:01
  • Checked the code again. The Bean is stateful, but there is no reference to the backing bean. Only the rendered attribute is used to decide whether to show the captcha or not. Only show if the user is not still logged in. And I've also set the required attribute to true. Could it be because I am using PF in version 2.2.1? The problem is that I cannot switch the PrimeFaces version due to changed namespaces and structural changes in the used component attributes. A change requires an overall refactoring of almost every JSF page. Thanks – AdemC Jan 26 '15 at 21:55
  • [I don't believe there's a foolproof way to defend a web application against brute force attacks, from within the web app itself](http://stackoverflow.com/a/28011149/1530938), but, you should look into building the ReCaptcha component from within your backing bean (programmatically). That way, the component should be part of the viewstate and any client-side manipulation of the markup would invalidate the whole thing – kolossus Jan 27 '15 at 01:33
  • Eclipse has regex based find-and-replace-in-all-files. – BalusC Jan 27 '15 at 08:03
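The question's own throttle counts failures per browser session, which a script that drops its cookies between requests never accumulates, and the captcha removal shows why nothing the client sends back can be trusted as a rate limiter. The class below is an added example (not code from the question, PrimeFaces or Glassfish) of the server-side alternative kolossus's comment points toward: count failures per account and per source address on the server, and add a growing delay before the password is even checked. Class and method names, the thresholds and the sample e-mail/IP values are all constructed for the illustration.

```java
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Server-side login throttle (added example; not from the question or PrimeFaces).
 * Failures are counted per account and per source address, not per HTTP session,
 * so a script that discards cookies between requests is still slowed down.
 */
public final class LoginThrottle {
    private static final int FREE_ATTEMPTS = 5;            // failures allowed before delays start
    private static final long BASE_DELAY_MS = 1_000L;      // first delay once the budget is spent
    private static final long MAX_DELAY_MS = 15 * 60_000L; // cap for the back-off
    private static final long WINDOW_MS = 15 * 60_000L;    // idle period after which a counter resets

    private static final class Counter {
        int failures;
        long lastFailureAt;
        long lockedUntil;
    }

    private final Map<String, Counter> byAccount = new ConcurrentHashMap<>();
    private final Map<String, Counter> bySource = new ConcurrentHashMap<>();

    /** Milliseconds the caller must still wait before this attempt may be checked; 0 means go ahead. */
    public long retryAfterMillis(String email, String clientIp, long now) {
        long account = remaining(byAccount.get(normalize(email)), now);
        long source = remaining(bySource.get(clientIp), now);
        return Math.max(account, source);
    }

    /** Call after a wrong password AND after an unknown e-mail, so the response does not reveal which. */
    public void recordFailure(String email, String clientIp, long now) {
        fail(byAccount, normalize(email), now);
        fail(bySource, clientIp, now);
    }

    /** A correct login clears the account's counter; the source counter is kept on purpose. */
    public void recordSuccess(String email) {
        byAccount.remove(normalize(email));
    }

    private static long remaining(Counter c, long now) {
        return c == null ? 0 : Math.max(0, c.lockedUntil - now);
    }

    private static void fail(Map<String, Counter> map, String key, long now) {
        map.compute(key, (k, old) -> {
            Counter c = (old == null || now - old.lastFailureAt > WINDOW_MS) ? new Counter() : old;
            c.failures++;
            c.lastFailureAt = now;
            if (c.failures > FREE_ATTEMPTS) {
                // exponential back-off: 1 s, 2 s, 4 s ... capped at MAX_DELAY_MS
                int shift = Math.min(c.failures - FREE_ATTEMPTS - 1, 30);
                long delay = Math.min(BASE_DELAY_MS << shift, MAX_DELAY_MS);
                c.lockedUntil = now + delay;
            }
            return c;
        });
    }

    private static String normalize(String email) {
        return email == null ? "" : email.trim().toLowerCase(Locale.ROOT);
    }

    /** Walk-through with constructed values: a script sends seven wrong passwords, 100 ms apart. */
    public static void main(String[] args) {
        LoginThrottle throttle = new LoginThrottle();
        String email = "user@example.invalid"; // constructed
        String ip = "203.0.113.7";             // constructed (documentation address range)
        long t = 0;
        for (int i = 1; i <= 7; i++) {
            long wait = throttle.retryAfterMillis(email, ip, t);
            if (wait > 0) {
                System.out.println("attempt " + i + ": refused, retry after " + wait + " ms");
            } else {
                throttle.recordFailure(email, ip, t);
                System.out.println("attempt " + i + ": credentials checked, failure recorded");
            }
            t += 100;
        }
    }
}
```

In a LoginBean this would be consulted before the credentials are checked: if `retryAfterMillis` is non-zero, return the same generic "login failed" message used for a wrong password, without touching the database. Two caveats belong with this design: the source address must come from the socket, or from a forwarding header only when the application sits behind a reverse proxy you control, otherwise every attempt appears to come from the proxy; and keying on the address alone can slow down legitimate users behind one NAT, which is why the per-account counter is separate and the penalty is a growing delay rather than a hard lockout.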
