69 lines
2.3 KiB
Org Mode
69 lines
2.3 KiB
Org Mode
|
:PROPERTIES:
|
||
|
:ID: b1c6f5ac-0f96-4597-98fe-0f60329a80e6
|
||
|
:END:
|
||
|
#+title: 2020-07-17
|
||
|
#+setupfile: ../worklog.setup
|
||
|
|
||
|
* Tracking login attempts without CSRF tokens
|
||
|
|
||
|
#+name: login-attempts-without-csrf
|
||
|
#+begin_src bash :dir ~/Downloads :exports none
|
||
|
grep -h 'CSRF challenge:.*sent: "", session: ""' account_controller* \
|
||
|
| sed -e 's/.*\(2020-07-[[:digit:]]* [[:digit:]]*\).*ip: "\([[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*\).*/\1 \2/' \
|
||
|
| sort | uniq | awk '{print $1, $2}' \
|
||
|
| uniq -c | awk '{print $2, $3 "," $1}'
|
||
|
#+end_src
|
||
|
|
||
|
#+RESULTS[fa1c8ae01ac81c4b0c465f01e3cd2815081e1ede]: login-attempts-without-csrf
|
||
|
| 2020-07-16 17 | 6 |
|
||
|
| 2020-07-16 18 | 38 |
|
||
|
| 2020-07-16 19 | 48 |
|
||
|
| 2020-07-16 20 | 31 |
|
||
|
| 2020-07-16 21 | 27 |
|
||
|
| 2020-07-16 22 | 31 |
|
||
|
| 2020-07-16 23 | 24 |
|
||
|
| 2020-07-17 00 | 26 |
|
||
|
| 2020-07-17 01 | 20 |
|
||
|
| 2020-07-17 02 | 26 |
|
||
|
| 2020-07-17 03 | 27 |
|
||
|
| 2020-07-17 04 | 21 |
|
||
|
| 2020-07-17 05 | 26 |
|
||
|
| 2020-07-17 06 | 34 |
|
||
|
| 2020-07-17 07 | 34 |
|
||
|
| 2020-07-17 08 | 34 |
|
||
|
| 2020-07-17 09 | 36 |
|
||
|
| 2020-07-17 10 | 49 |
|
||
|
| 2020-07-17 11 | 34 |
|
||
|
| 2020-07-17 12 | 53 |
|
||
|
| 2020-07-17 13 | 36 |
|
||
|
|
||
|
#+HEADER: :var data=login-attempts-without-csrf
|
||
|
#+BEGIN_SRC python :var filename="2020-07-17-login-attempts-without-csrf.png" :exports results :results file
|
||
|
import matplotlib.pyplot as plt
|
||
|
|
||
|
|
||
|
x = [a[0] for a in data]
|
||
|
y = [a[1] for a in data]
|
||
|
a, = plt.plot(x, y, marker='o')
|
||
|
plt.title('Login attempts without CSRF tokens by IP')
|
||
|
plt.ylabel('Attempts per IP')
|
||
|
plt.xlabel('Hour')
|
||
|
plt.grid(True)
|
||
|
plt.xticks(rotation=70)
|
||
|
plt.savefig(filename, transparent=True)
|
||
|
return filename
|
||
|
#+END_SRC
|
||
|
|
||
|
#+RESULTS[66dd9d9ba4cfd43c058d2aac4b5a3cbd8772b099]:
|
||
|
[[file:2020-07-17-login-attempts-without-csrf.png]]
|
||
|
|
||
|
Login attempts without CSRF tokens appear to be fairly stable, without much
|
||
|
drop-off. Once we're comfortable with the frequency with which this occurs, we
|
||
|
can apply [[https://gitlab.aweber.io/CP/applications/sites/-/merge_requests/5283/diffs][this change]] to the [[id:d17e934b-b340-4246-88f0-9b36527100c0][Login Throttling]] code to mark login attempts
|
||
|
without a token as invalid, rather than presenting the end-user with a CAPTCHA
|
||
|
as we're doing now.
|
||
|
|
||
|
* Add captcha to login attempts without customer cookie
|
||
|
* Sift Account Takeover product
|
||
|
https://docs.google.com/document/d/15PhnBOLPIlRnRal-hz2dliA4Pmzf_bkFy253femOzqE/edit
|