
[RFC] Security questions

Open igormukhingmailcom opened this issue 6 years ago • 1 comments

I wasn't right at https://github.com/Setono/SyliusGiftCardPlugin/issues/25 that CSRF protects from brute force attacks, so to protect from them we should probably add some actual protection, like https://www.google.com/recaptcha/intro/v3.html

On the other hand, even with captcha protection here, an attacker can brute force the cart (by checking the response for terms that mean a gift card was applied), and we can't add something like a captcha to the cart.

So I guess the only way is:

  • Add a minimum code length rule to the configuration and don't allow generating codes with length < 16 chars, for example (at the same time, admin-created codes are allowed to be short, so admins can create gift cards with codes like "GIFT4BESTCLIENT")

igormukhingmailcom avatar Dec 06 '19 20:12 igormukhingmailcom
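To make the minimum-length argument above concrete, here is an added example (not code from SyliusGiftCardPlugin or from this issue; the class name, the alphabet, the `minGeneratedLength` default and the helper names are assumptions). It generates codes with a CSPRNG, refuses to generate anything shorter than the configured minimum, and computes how long guessing against the cart endpoint would take for a given length, number of live codes and request rate.

```php
<?php
declare(strict_types=1);

// Added example, not SyliusGiftCardPlugin code. Names and defaults are assumptions.
final class GiftCardCodeGenerator
{
    // Unambiguous alphabet (no 0/O, 1/I/L) so codes survive being read aloud or typed.
    private const ALPHABET = 'ABCDEFGHJKMNPQRSTUVWXYZ23456789';

    public function __construct(private int $minGeneratedLength = 16) {}

    /** Generates a code with random_int(); refuses lengths below the configured minimum. */
    public function generate(int $length): string
    {
        if ($length < $this->minGeneratedLength) {
            throw new \InvalidArgumentException(sprintf(
                'Generated codes must be at least %d characters, %d requested',
                $this->minGeneratedLength,
                $length
            ));
        }
        $alphabetSize = strlen(self::ALPHABET);
        $code = '';
        for ($i = 0; $i < $length; $i++) {
            $code .= self::ALPHABET[random_int(0, $alphabetSize - 1)];
        }
        return $code;
    }

    /**
     * Admin-entered codes (e.g. "GIFT4BESTCLIENT") are exempt from the minimum length;
     * they only have to use the alphabet, and uniqueness is left to the repository.
     */
    public static function isAcceptableAdminCode(string $code): bool
    {
        return $code !== '' && strspn($code, self::ALPHABET) === strlen($code);
    }

    /** Bits of entropy in a uniformly random code of this length over the alphabet. */
    public static function entropyBits(int $length): float
    {
        return $length * log(strlen(self::ALPHABET), 2);
    }

    /**
     * Expected guesses before hitting any one of $validCodes live codes, assuming the
     * attacker knows the alphabet and length. Halved because on average half of the
     * space is searched before the first hit.
     */
    public static function expectedGuesses(int $length, int $validCodes): float
    {
        return (strlen(self::ALPHABET) ** $length) / (2 * max(1, $validCodes));
    }

    /** Seconds until an expected hit at $guessesPerSecond requests against the cart. */
    public static function expectedSeconds(int $length, int $validCodes, float $guessesPerSecond): float
    {
        return self::expectedGuesses($length, $validCodes) / $guessesPerSecond;
    }
}

// Usage: compare an 8-character and a 16-character generated code against a shop that
// has 10,000 unredeemed gift cards and an attacker sending 100 cart requests per second.
$generator = new GiftCardCodeGenerator(minGeneratedLength: 16);
printf("generated code: %s\n", $generator->generate(16));
printf("admin code accepted: %s\n", GiftCardCodeGenerator::isAcceptableAdminCode('GIFT4BESTCLIENT') ? 'yes' : 'no');
foreach ([8, 16] as $length) {
    printf(
        "%2d chars: %.1f bits, expected hit after %.1f years\n",
        $length,
        GiftCardCodeGenerator::entropyBits($length),
        GiftCardCodeGenerator::expectedSeconds($length, 10000, 100.0) / (365 * 86400)
    );
}
```

With a 31-character alphabet, 8-character codes carry about 40 bits, and with 10,000 live codes an attacker at 100 requests per second expects a hit within days; 16-character codes carry about 79 bits and push the same estimate to billions of years. The estimate assumes the cart response reveals success, exactly the oracle the issue describes, and ignores request-rate limits. Enforcing the minimum only in `generate()` leaves the short admin-created codes the issue wants to keep, so those remain the weak point and should be few and short-lived.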

A super protection could also be like: if a user tries x codes (let's say 30) without a single one working, disable the possibility to add a new one for a defined time. Let's say 1 minute; that is already something huge to protect against brute forcing.

Or a slightly easier way would be to put a small usleep(500000); in the execution. This way is often recommended for protecting against login brute force.

Roshyo avatar Aug 07 '20 07:08 Roshyo
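An added example of the lockout described in the comment above, combined with the fixed delay on failure (example code, not part of the plugin or this thread; the class name, method names, the `$key` choice and the fake redeemer are assumptions). After 30 failed redemptions for a key the throttle refuses further attempts for 60 seconds; the clock is injectable so the expiry can be exercised without waiting.

```php
<?php
declare(strict_types=1);

// Added example, not SyliusGiftCardPlugin code; names are assumptions.
// Counts failed gift card redemptions per key (cart id, session id or client IP)
// and refuses further attempts for $lockoutSeconds once $maxFailures is reached.
final class GiftCardAttemptThrottle
{
    /** @var array<string, array{failures:int, lockedUntil:int}> */
    private array $state = [];

    public function __construct(
        private int $maxFailures = 30,
        private int $lockoutSeconds = 60,
        private ?\Closure $clock = null, // injected for tests; defaults to time()
    ) {}

    private function now(): int
    {
        return $this->clock !== null ? ($this->clock)() : time();
    }

    /** True while the key is locked out; an expired lock is cleared so counting restarts. */
    public function isLocked(string $key): bool
    {
        $entry = $this->state[$key] ?? null;
        if ($entry === null) {
            return false;
        }
        if ($entry['lockedUntil'] > $this->now()) {
            return true;
        }
        if ($entry['lockedUntil'] !== 0) {
            unset($this->state[$key]);
        }
        return false;
    }

    public function recordFailure(string $key): void
    {
        $entry = $this->state[$key] ?? ['failures' => 0, 'lockedUntil' => 0];
        $entry['failures']++;
        if ($entry['failures'] >= $this->maxFailures) {
            $entry['lockedUntil'] = $this->now() + $this->lockoutSeconds;
        }
        $this->state[$key] = $entry;
    }

    public function recordSuccess(string $key): void
    {
        unset($this->state[$key]);
    }
}

/**
 * Wraps the real redemption: $redeem looks the code up and applies it, returning true
 * on success. The lockout check runs before the lookup, so a locked key never reaches
 * the gift card repository, and every failure costs the caller the same fixed delay.
 * A locked key gets the same "false" as a wrong code, so the lock itself is not an oracle.
 */
function applyGiftCardCode(
    GiftCardAttemptThrottle $throttle,
    string $key,
    string $code,
    callable $redeem,
    int $failureDelayMicros = 500000
): bool {
    if ($throttle->isLocked($key)) {
        return false;
    }
    if ($redeem($code)) {
        $throttle->recordSuccess($key);
        return true;
    }
    $throttle->recordFailure($key);
    usleep($failureDelayMicros);
    return false;
}

// Demonstration with a constructed fake redeemer and a fake clock (delay set to 0 here).
$now = 1_000_000;
$clock = function () use (&$now): int { return $now; };
$throttle = new GiftCardAttemptThrottle(maxFailures: 30, lockoutSeconds: 60, clock: $clock);
$redeem = fn (string $code): bool => $code === 'GIFT4BESTCLIENT';

for ($i = 0; $i < 30; $i++) {
    applyGiftCardCode($throttle, 'cart-42', "WRONG$i", $redeem, failureDelayMicros: 0);
}
var_dump($throttle->isLocked('cart-42'));                                               // after the 30th failure
var_dump(applyGiftCardCode($throttle, 'cart-42', 'GIFT4BESTCLIENT', $redeem, 0));        // correct code while locked
$now += 61;
var_dump(applyGiftCardCode($throttle, 'cart-42', 'GIFT4BESTCLIENT', $redeem, 0));        // same code once the lock expired
```

The state here is an in-process array, which does not survive between PHP requests; a deployment would back it with a shared store (Redis, the database, or Symfony's rate limiter component) so that the count holds across workers. Keying only by cart id is weak against an attacker who simply creates a fresh cart every 29 guesses, so the key should also include the client IP or session, and the 500 ms `usleep` on its own only slows a single-connection attacker: a client that opens many parallel requests pays the delay concurrently, which is why the counter-based lockout is the stronger of the two measures.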