Cybersecurity audit issue about login


António Ramos

Nov 16, 2023, 12:32:58 PM
to web...@googlegroups.com, py4web
Hello friends, I guess this is a similar issue between web2py and py4web, so I'm posting to both groups. Sorry if I'm abusing ...

We had a cybersecurity audit of our web2py app and they found this issue

QUOTE
During the application audit process, it was possible to identify that the company portal does not implement the restriction of blocking accounts due to invalid login attempts. This allows an attacker to use brute force attacks to attempt a valid credential indefinitely.

Recommendation
We recommend implementing account lockout policies for invalid login attempts, as well as CAPTCHA and multi-factor authentication mechanisms, as well as session timeouts to log out a user who has been inactive on the system for some time.
UNQUOTE

I already activated the MFA in my app, but it only works if the password is correct.
An attacker trying to guess the password could run a forever loop trying to log in, and it can stress the server CPU.

Any comments on this ?

Regards
António
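An added example (not code from web2py, py4web, or the original poster) of the lockout policy the audit asks for, written as framework-neutral Python: failed attempts are counted per username and per client IP, a configurable number of failures locks that key for an exponentially growing window, and the lock is checked before the password hash is computed, so a locked-out attacker costs the server no PBKDF2 work. The user record, salt, password and IP address are constructed for the demo; the clock is injected so the behaviour can be exercised without waiting.

```python
"""Account lockout / login throttling example.

Added example, not web2py or py4web code.  Pure Python, in-memory state.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Constructed user store: PBKDF2 hash of the demo password "correct horse".
_SALT = b"constructed-demo-salt"


def _hash(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 100_000)


USERS = {"antonio": _hash("correct horse")}

Key = Tuple[str, str]  # ("user", username) or ("ip", address)


@dataclass
class AttemptState:
    failures: int = 0          # failures since the last lockout (or success)
    locked_until: float = 0.0  # absolute time at which the lock expires
    lockouts: int = 0          # how many lockouts so far; drives the backoff


@dataclass
class LoginThrottle:
    max_failures: int = 5                           # failures allowed before lockout
    base_lockout: float = 60.0                      # seconds for the first lockout
    max_lockout: float = 3600.0                     # cap for the exponential backoff
    clock: Callable[[], float] = time.time          # injected so tests control time
    _state: Dict[Key, AttemptState] = field(default_factory=dict)

    def _get(self, key: Key) -> AttemptState:
        return self._state.setdefault(key, AttemptState())

    def seconds_locked(self, key: Key) -> float:
        """0.0 if the key may attempt a login, else seconds left in the lockout."""
        st = self._get(key)
        return max(0.0, st.locked_until - self.clock())

    def record_failure(self, key: Key) -> None:
        st = self._get(key)
        st.failures += 1
        if st.failures >= self.max_failures:
            # Exponential backoff: 60s, 120s, 240s, ... capped.  A legitimate
            # user who mistypes a few times waits a minute; an attacker's
            # attempt rate collapses after the first few lockouts.
            delay = min(self.base_lockout * (2 ** st.lockouts), self.max_lockout)
            st.locked_until = self.clock() + delay
            st.lockouts += 1
            st.failures = 0

    def record_success(self, key: Key) -> None:
        self._state.pop(key, None)


def attempt_login(throttle: LoginThrottle, username: str, password: str,
                  client_ip: str) -> str:
    """Returns 'locked', 'denied' or 'ok'.

    The lock check runs BEFORE the password hash so a locked-out attacker
    does not cost a PBKDF2 computation per request.  Real code would run the
    framework's own password check and MFA step where 'ok' is returned.
    """
    keys: Tuple[Key, Key] = (("user", username), ("ip", client_ip))
    if any(throttle.seconds_locked(k) for k in keys):
        return "locked"
    stored = USERS.get(username)
    # Hash even for unknown usernames so response timing does not reveal
    # which usernames exist.
    candidate = _hash(password)
    if stored is not None and hmac.compare_digest(stored, candidate):
        for k in keys:
            throttle.record_success(k)
        return "ok"
    for k in keys:
        throttle.record_failure(k)
    return "denied"
```

Place `attempt_login` in front of the framework's own password check and MFA step. The per-IP key stops username spraying from a single source but will also throttle users behind a shared NAT, so in practice give that key a more generous `max_failures` than the per-user key (both share one setting here for brevity). When the app runs in several worker processes, keep the state in the database or a shared cache rather than a process-local dictionary, otherwise each worker counts failures independently.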


Christian Varas

Nov 16, 2023, 1:09:25 PM
to António Ramos, web...@googlegroups.com, py4web
Hello António.

Brute force on login is a common weakness that can be easy to solve.

The most effective solution is implementing a CAPTCHA; in web2py I use Google reCAPTCHA because the implementation is easy and it stops all the automations.
In py4web I'm still unable to implement it in the login form, and there is not too much information about how to do it.

In web2py I'm quite sure that it is not possible to submit the same form twice because it has a CSRF token or similar, so the brute force is not as simple as repeating the login POST. If a script resends the same POST, it will not be processed because the token is reused.

In py4web forms have a CSRF token, but I'm not sure if they work the same as in web2py. Months ago it was possible to resend the same POST data twice and it was accepted. I haven't tested it since those days, but I will, because it is something that makes noise.

In my experience an account lockout policy is effective but very annoying to the users. 

I would not say that brute force on login forms is a big task that consumes too much CPU. These functions are usually small and make small queries to the database. Most of the time a public endpoint like index or a landing page can consume more CPU than the login task.

Greetings.
Chris.
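The single-use form token behaviour discussed in the reply above, as an added illustration that is not web2py's or py4web's own form-key code: the server issues a random token per rendered form, bound to the session and to a time-to-live, and a POST is accepted only if it carries a token that has not yet been consumed. A byte-identical replay of a login POST therefore fails on the second submission. Session identifiers and the clock are constructed for the demo.

```python
"""One-time form token store (anti-replay for form POSTs).

Added example; not the form-key implementation of web2py or py4web.
"""
import hmac
import secrets
import time
from collections import defaultdict
from typing import Callable, Dict, List, Tuple


class FormTokenStore:
    """Issues per-session, single-use form tokens and rejects any POST that
    reuses one.  The server keeps the issued tokens; the browser echoes the
    token back in a hidden form field.  Nothing here talks to a framework."""

    def __init__(self, ttl: float = 600.0, max_per_session: int = 10,
                 clock: Callable[[], float] = time.time):
        self.ttl = ttl                            # seconds a token stays valid
        self.max_per_session = max_per_session    # bound on outstanding tokens
        self.clock = clock                        # injected for testing
        # session_id -> list of (token, issued_at), oldest first
        self._tokens: Dict[str, List[Tuple[str, float]]] = defaultdict(list)

    def issue(self, session_id: str) -> str:
        """Called when the form is rendered; returns the hidden-field value."""
        self._expire(session_id)
        token = secrets.token_urlsafe(32)
        bucket = self._tokens[session_id]
        bucket.append((token, self.clock()))
        # Keep only the newest tokens so a client cannot grow the store
        # without bound by reloading the form over and over.
        del bucket[:-self.max_per_session]
        return token

    def consume(self, session_id: str, submitted: str) -> bool:
        """Called on POST.  True exactly once per issued token; resubmitting
        the same POST body (same token) returns False, as does a token issued
        to a different session or one past its TTL."""
        self._expire(session_id)
        if not isinstance(submitted, str) or not submitted.isascii():
            return False  # compare_digest on str requires ASCII input
        bucket = self._tokens.get(session_id, [])
        for i, (token, _) in enumerate(bucket):
            # constant-time comparison: the token is a secret
            if hmac.compare_digest(token, submitted):
                del bucket[i]  # consumed: a replay will not find it
                return True
        return False

    def _expire(self, session_id: str) -> None:
        """Drop tokens older than the TTL for this session."""
        now = self.clock()
        bucket = self._tokens.get(session_id)
        if bucket is not None:
            bucket[:] = [(t, ts) for t, ts in bucket if now - ts <= self.ttl]
```

The store rejects a byte-identical replay of a captured POST. A client that fetches a fresh copy of the form before each submission receives a fresh token, so this mechanism is a CSRF and double-submit control rather than a rate limit; pair it with login throttling when the goal is to slow down password guessing.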


Dave S

Dec 31, 2023, 4:36:38 PM
to web2py-users
The appadmin login supports lockout, but I'm not finding a mention of it in the manual. A file is created (in the web2py root, IIRC, alongside httpserver.pid and parameters_8000.py). This file can be removed by the appropriate local user. If memory serves, you get 3 tries in xx seconds.

/dps