Prevent spam from directly posting to Magento

I had problems with spam POST requests on a Magento website, where a bot creates spam users (even after removing the form's action attribute, adding a captcha, etc.), because these bots, I suppose, are simply POSTing directly to the standard Magento account URL.

Here are 3 examples of valid POST requests that I saw in the log:

x.x.x.x - - [06/Nov/2017:13:54:47 -0500] "POST /customer/account/createpost/ HTTP/1.1" 302 - "https://www.example.com/customer/account/create/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.75 Safari/537.36"

x.x.x.x - - [05/Nov/2017:11:34:42 -0500] "POST /customer/account/createpost/ HTTP/1.1" 302 - "https://www.example.com/customer/account/create/" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"

x.x.x.x - - [05/Nov/2017:19:33:15 -0500] "POST /customer/account/createpost/ HTTP/1.1" 302 - "https://www.example.com/customer/account/create/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"

I anonymized the IP addresses at the beginning as well as the URL. However, note that the 2nd URL is equal to /customer/account/create/, whereas the first URL is /customer/account/createpost/.

Here are 3 examples of POST requests for spam:

112.96.164.18 - - [05/Nov/2017:11:43:43 -0500] "POST /customer/account/createpost/ HTTP/1.1" 302 - "https://www.example.com/customer/account/createpost/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"

112.96.164.18 - - [05/Nov/2017:12:03:17 -0500] "POST /customer/account/createpost/ HTTP/1.1" 302 - "https://www.example.com/customer/account/createpost/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"

112.96.100.2 - - [05/Nov/2017:13:53:45 -0500] "POST /customer/account/createpost/ HTTP/1.1" 302 - "https://www.example.com/customer/account/createpost/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"

As far as I can tell, in each spam request the first and second URLs are both /customer/account/createpost/.

What is the second URL compared to the first? Is it the one the request was sent to, and the other the one it came from?

/customer/account/createpost/, , , , , , /customer/account/create/

: POST?

+4
4

, Magento.

Googles recaptcha , , , .

, , , referrer URL-, , .

, /client/account/createpost/, . 2 , GET ( , , ), POST. javascript , , recaptcha .

, , , recaptcha, ...

Magentos.

→ → → CAPTCHA

"" "" " ", "".. , , POST /customer/account/createpost/, captcha. , . , , , .

, " ", , . , .

, Google Invisible reCaptcha, Magento , POST.

+4

, php echo. .htaccess

RewriteEngine On
RewriteBase /
# Only act on POST requests to the account-creation handler ...
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} ^/customer/account/createpost/$
# ... whose Referer is not exactly our own sign-up form page
RewriteCond %{HTTP_REFERER} !^http://dev\.tarunlalwani\.com:8088/customer/account/create/$
# Reject with 403 Forbidden and stop processing further rules
RewriteRule ^.* - [F,L]

Referer

$ curl -X POST -H "Referer: http://dev.tarunlalwani.com:8088/customer/account/creates/" dev.tarunlalwani.com:8088/customer/account/createpost/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /customer/account/createpost/
on this server.<br />
</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at dev.tarunlalwani.com Port 8088</address>
</body></html>

$ curl -X POST -H "Referer: http://dev.tarunlalwani.com:8088/customer/account/create/" dev.tarunlalwani.com:8088/customer/account/createpost/
Tarun here

, http://dev.tarunlalwani.com:8088/customer/account/create/, POST . , . . http https
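The check the rewrite rule above performs (POST to createpost whose Referer is not the site's own create page) can also be run offline over the access log to triage which requests were direct bot submissions, as in the log lines quoted in the question. The following is an added example, not code from the question, the answer, or Magento; it assumes the Apache "combined" log format and the host name www.example.com, and the log lines are constructed (the first three copy the shapes shown in the question, the last two are invented to show a POST with no Referer and a harmless GET):

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample log in Apache "combined" format (IPs anonymized as in the question).
SAMPLE_LOG = """\
x.x.x.x - - [06/Nov/2017:13:54:47 -0500] "POST /customer/account/createpost/ HTTP/1.1" 302 - "https://www.example.com/customer/account/create/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.75 Safari/537.36"
112.96.164.18 - - [05/Nov/2017:11:43:43 -0500] "POST /customer/account/createpost/ HTTP/1.1" 302 - "https://www.example.com/customer/account/createpost/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
112.96.100.2 - - [05/Nov/2017:13:53:45 -0500] "POST /customer/account/createpost/ HTTP/1.1" 302 - "https://www.example.com/customer/account/createpost/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.0.0.9 - - [05/Nov/2017:14:01:02 -0500] "POST /customer/account/createpost/ HTTP/1.1" 302 - "-" "python-requests/2.18.4"
10.0.0.9 - - [05/Nov/2017:14:01:05 -0500] "GET /customer/account/create/ HTTP/1.1" 200 5123 "-" "python-requests/2.18.4"
"""

# One regex for the combined log format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SIGNUP_FORM = "/customer/account/create/"      # page that renders the form (GET)
SIGNUP_POST = "/customer/account/createpost/"  # handler the form submits to (POST)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def referer_is_signup_form(referer, host):
    """True only if the Referer points at our own sign-up form page.

    "-" is what Apache logs when the client sent no Referer header at all.
    Both http and https are accepted so the same check works on a dev host
    without TLS (assumption: the scheme is the only difference).
    """
    if referer in ("", "-"):
        return False
    u = urlsplit(referer)
    return u.scheme in ("http", "https") and u.netloc == host and u.path == SIGNUP_FORM


def classify(rec, host="www.example.com"):
    """Return 'ok', 'suspicious', or None when the line is not a sign-up POST."""
    if rec is None or rec["method"] != "POST" or rec["path"] != SIGNUP_POST:
        return None
    return "ok" if referer_is_signup_form(rec["referer"], host) else "suspicious"


def suspicious_posts(log_text, host="www.example.com"):
    """List (ip, referer, user-agent) for every sign-up POST that did not come from our form."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if classify(rec, host) == "suspicious":
            hits.append((rec["ip"], rec["referer"], rec["ua"]))
    return hits


def suspicious_ips(log_text, host="www.example.com"):
    """Count suspicious sign-up POSTs per source IP, e.g. to feed a block list review."""
    return Counter(ip for ip, _, _ in suspicious_posts(log_text, host))


if __name__ == "__main__":
    for ip, referer, ua in suspicious_posts(SAMPLE_LOG):
        print(f"{ip:15} referer={referer!r} ua={ua!r}")
    print(suspicious_ips(SAMPLE_LOG))
```

The usage at the bottom lists the three direct POSTs (two with the createpost URL as Referer, one with none) and leaves the legitimate submission and the plain GET alone. Because the Referer is supplied by the client, as the last answer on this page points out, this is a triage signal for deciding what to block or CAPTCHA, not proof of automation on its own.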

+3

https://perishablepress.com/protect-post-requests/, . , Magento, . , mod_rewrite .

, mod_security ( ), owasp-crs https://github.com/SpiderLabs/owasp-modsecurity-crs. , , , .

+1

: , URL- - URL- , , URL- . ; - , HTTP, User-Agent ..

, / IP-, . , user-agent:

# in .htaccess
# Match the exact User-Agent string seen in the spam requests (Firefox 29 on WOW64);
# the variable is HTTP_USER_AGENT, and the pattern must cover the trailing "Firefox/29.0"
RewriteCond %{HTTP_USER_AGENT} ^Mozilla/5\.0.+WOW64.+Gecko/20100101\ Firefox/29\.0$
# Answer 410 Gone and stop processing further rules
RewriteRule ^.* - [G,L]

, , .

Or, selectively blocking this spammer from this particular script, if they do not get to the right place, relying on this referrer field (which the client provides) is a different route and a different solution. My preference is to throw clowns out altogether, if possible, unless there are good reasons to allow them to go to your site at all.


Source: https://habr.com/ru/post/1688832/

