Prevent remote script using PHP CURL on site login

What are some methods that can be used to secure a login page against logins from a remote PHP script using cURL? A referrer and user-agent check will not work, as both can be set using cURL. An ideal solution would solve this without using a CAPTCHA; that is, in this question, try to figure out whether this is possible.

+4
4 answers

One approach is to include JavaScript in your registration form and make sure that the form cannot be successfully submitted unless that JavaScript has run. This makes your registration form usable only for people with JavaScript enabled, which cURL does not have. If the required JavaScript is a kind of challenge/response that is different every time (for example, use something like http://www.ohdave.com/rsa/ to make it non-trivial), having a correctly set value in the form is good proof that the JavaScript ran.

You won't be able to stop all automated scripts, though: anyone who writes scripts that drive an actual browser engine will pass this test.

+6

There is no way to prevent this from happening. If the script knows the username and password, it will be able to log in.

You can use a CAPTCHA so that automated logins cannot read it, but it will also be a burden for real users.

If you are concerned that it is being used for verification and authorization, you may need to require more from the user after several attempts:

  • Lock the account and require re-activation by email.
  • Require intervention after several failed attempts.
+4

If I understand you correctly:

  • you have a login page that executes a login script
  • the login script is being hit by a remote cURL script ...

The solution is a hidden element on the login page containing a unique secret code that can be used only once: save this secret code in the session; when the login script runs, look in the session for this code, compare it with what was posted to the script, then clear it from the session...

more on the topic: http://en.wikipedia.org/wiki/Cross-site_request_forgery

+1

cURL is no different from any other client (such as a browser). You can use a session-bound nonce in a hidden input field to prevent direct POST requests, but there are still ways around this. It is also a good idea to limit the number of logon attempts per minute to make brute-force attacks more difficult, if that bothers you.

0
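The two mechanisms suggested in the last two answers (a one-time, session-bound token in a hidden form field, and a cap on failed login attempts) fit together in a single login handler. The PHP below is an added example written for this page, not code posted by any of the answerers; all function names, the array-backed "session" and attempt store, and the threshold constants are assumptions for illustration. Note that the token only stops a script that POSTs blindly to the login URL; a client that first fetches the form, keeps cookies and echoes the token back will pass it, which is why the attempt limit is the more meaningful control.

```php
<?php
declare(strict_types=1);

// Constructed thresholds for the example; tune to your own risk appetite.
const MAX_FAILED_ATTEMPTS = 5;     // failures before an account is locked
const LOCKOUT_SECONDS     = 300;   // how long the lock lasts

/** Mint a fresh one-time token, store it in the session and return it for the form. */
function issueLoginToken(array &$session): string
{
    $token = bin2hex(random_bytes(32));           // 256 bits of CSPRNG output, unguessable
    $session['login_token'] = $token;
    return $token;
}

/** Render the hidden field the login form must carry (escaped for HTML). */
function hiddenTokenField(string $token): string
{
    return '<input type="hidden" name="login_token" value="'
        . htmlspecialchars($token, ENT_QUOTES) . '">';
}

/** Compare the submitted token with the session copy and consume it either way. */
function consumeLoginToken(array &$session, ?string $submitted): bool
{
    $expected = $session['login_token'] ?? null;
    unset($session['login_token']);               // clear first: a token is never replayable
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);    // constant-time comparison
}

/** True while $user has hit the failure cap inside the lockout window. */
function isLockedOut(array $attempts, string $user, int $now): bool
{
    $entry = $attempts[$user] ?? null;
    return $entry !== null
        && $entry['count'] >= MAX_FAILED_ATTEMPTS
        && ($now - $entry['last']) < LOCKOUT_SECONDS;
}

/** Record one failed attempt, resetting the counter once the window has expired. */
function recordFailure(array &$attempts, string $user, int $now): void
{
    $entry = $attempts[$user] ?? ['count' => 0, 'last' => 0];
    if (($now - $entry['last']) >= LOCKOUT_SECONDS) {
        $entry['count'] = 0;
    }
    $entry['count']++;
    $entry['last'] = $now;
    $attempts[$user] = $entry;
}

/**
 * Handle one login POST. $checkPassword stands in for the site's own credential
 * check (assumed to exist, e.g. password_verify() against the user table).
 * $attempts would normally live in a shared cache or database, not a PHP array.
 */
function handleLogin(array &$session, array &$attempts, array $post,
                     callable $checkPassword, int $now): string
{
    $user = (string)($post['username'] ?? '');

    // 1. The hidden-field nonce: a blind POST from a script never carries a valid one.
    if (!consumeLoginToken($session, $post['login_token'] ?? null)) {
        return 'rejected: missing or reused form token';
    }
    // 2. Attempt limiting: checked before the password so a locked account reveals nothing.
    if (isLockedOut($attempts, $user, $now)) {
        return 'rejected: too many failed attempts, try again later';
    }
    if (!$checkPassword($user, (string)($post['password'] ?? ''))) {
        recordFailure($attempts, $user, $now);
        return 'rejected: invalid credentials';
    }
    unset($attempts[$user]);                      // success clears the failure count
    // In a real handler, call session_regenerate_id(true) here to prevent session fixation.
    return 'ok';
}

// --- constructed walkthrough with fake data; no real users or sessions involved ---
$session  = [];
$attempts = [];
$check    = fn(string $u, string $p): bool => $u === 'alice' && $p === 'correct horse';

$token = issueLoginToken($session);
echo hiddenTokenField($token), "\n";
echo handleLogin($session, $attempts, ['username' => 'alice', 'password' => 'wrong',
                 'login_token' => $token], $check, time()), "\n";
// Replaying the same token is refused even with the right password.
echo handleLogin($session, $attempts, ['username' => 'alice', 'password' => 'correct horse',
                 'login_token' => $token], $check, time()), "\n";
// A fresh token plus five more failures locks the account for LOCKOUT_SECONDS.
for ($i = 0; $i < MAX_FAILED_ATTEMPTS; $i++) {
    $t = issueLoginToken($session);
    handleLogin($session, $attempts, ['username' => 'alice', 'password' => 'wrong',
                'login_token' => $t], $check, time());
}
$t = issueLoginToken($session);
echo handleLogin($session, $attempts, ['username' => 'alice', 'password' => 'correct horse',
                 'login_token' => $t], $check, time()), "\n";
```

The walkthrough prints the hidden field, then `rejected: invalid credentials`, `rejected: missing or reused form token`, and finally `rejected: too many failed attempts, try again later` even though the last attempt used the correct password. Keying the failure counter by username rather than by IP is deliberate: a distributed script can rotate source addresses, but it cannot avoid naming the account it is attacking.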

Source: https://habr.com/ru/post/1339439/
