roam/daily/2020-07-17.org

69 lines
2.3 KiB
Org Mode
Raw Normal View History

2021-09-01 20:57:39 +00:00
:PROPERTIES:
:ID: b1c6f5ac-0f96-4597-98fe-0f60329a80e6
:END:
#+title: 2020-07-17
#+setupfile: ../worklog.setup
* Tracking login attempts without CSRF tokens
#+name: login-attempts-without-csrf
#+begin_src bash :dir ~/Downloads :exports none
grep -h 'CSRF challenge:.*sent: "", session: ""' account_controller* \
| sed -e 's/.*\(2020-07-[[:digit:]]* [[:digit:]]*\).*ip: "\([[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*\).*/\1 \2/' \
| sort | uniq | awk '{print $1, $2}' \
| uniq -c | awk '{print $2, $3 "," $1}'
#+end_src
#+RESULTS[fa1c8ae01ac81c4b0c465f01e3cd2815081e1ede]: login-attempts-without-csrf
| 2020-07-16 17 | 6 |
| 2020-07-16 18 | 38 |
| 2020-07-16 19 | 48 |
| 2020-07-16 20 | 31 |
| 2020-07-16 21 | 27 |
| 2020-07-16 22 | 31 |
| 2020-07-16 23 | 24 |
| 2020-07-17 00 | 26 |
| 2020-07-17 01 | 20 |
| 2020-07-17 02 | 26 |
| 2020-07-17 03 | 27 |
| 2020-07-17 04 | 21 |
| 2020-07-17 05 | 26 |
| 2020-07-17 06 | 34 |
| 2020-07-17 07 | 34 |
| 2020-07-17 08 | 34 |
| 2020-07-17 09 | 36 |
| 2020-07-17 10 | 49 |
| 2020-07-17 11 | 34 |
| 2020-07-17 12 | 53 |
| 2020-07-17 13 | 36 |
#+HEADER: :var data=login-attempts-without-csrf
#+BEGIN_SRC python :var filename="2020-07-17-login-attempts-without-csrf.png" :exports results :results file
import matplotlib.pyplot as plt
x = [a[0] for a in data]
y = [a[1] for a in data]
a, = plt.plot(x, y, marker='o')
plt.title('Login attempts without CSRF tokens by IP')
plt.ylabel('Attempts per IP')
plt.xlabel('Hour')
plt.grid(True)
plt.xticks(rotation=70)
plt.savefig(filename, transparent=True)
return filename
#+END_SRC
#+RESULTS[66dd9d9ba4cfd43c058d2aac4b5a3cbd8772b099]:
[[file:2020-07-17-login-attempts-without-csrf.png]]
Login attempts without CSRF tokens appear to be fairly stable, without much
drop-off. Once we're comfortable with the frequency with which this occurs, we
can apply [[https://gitlab.aweber.io/CP/applications/sites/-/merge_requests/5283/diffs][this change]] to the [[id:d17e934b-b340-4246-88f0-9b36527100c0][Login Throttling]] code to mark login attempts
without a token as invalid, rather than presenting the end-user with a CAPTCHA
as we're doing now.
* Add captcha to login attempts without customer cookie
* Sift Account Takeover product
https://docs.google.com/document/d/15PhnBOLPIlRnRal-hz2dliA4Pmzf_bkFy253femOzqE/edit