:PROPERTIES:
:ID: b1c6f5ac-0f96-4597-98fe-0f60329a80e6
:END:
#+title: 2020-07-17
#+setupfile: ../worklog.setup

* Tracking login attempts without CSRF tokens

#+name: login-attempts-without-csrf
#+begin_src bash :dir ~/Downloads :exports none
# Keep only the CSRF-challenge log lines where both the submitted token and the
# session token are empty, reduce each line to "<date> <hour> <ip>", then count
# the distinct IPs seen in each hour and emit "<date> <hour>,<count>".
grep -h 'CSRF challenge:.*sent: "", session: ""' account_controller* \
  | sed -e 's/.*\(2020-07-[[:digit:]]* [[:digit:]]*\).*ip: "\([[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*\).*/\1 \2/' \
  | sort | uniq | awk '{print $1, $2}' \
  | uniq -c | awk '{print $2, $3 "," $1}'
#+end_src

#+RESULTS[fa1c8ae01ac81c4b0c465f01e3cd2815081e1ede]: login-attempts-without-csrf
| 2020-07-16 17 |  6 |
| 2020-07-16 18 | 38 |
| 2020-07-16 19 | 48 |
| 2020-07-16 20 | 31 |
| 2020-07-16 21 | 27 |
| 2020-07-16 22 | 31 |
| 2020-07-16 23 | 24 |
| 2020-07-17 00 | 26 |
| 2020-07-17 01 | 20 |
| 2020-07-17 02 | 26 |
| 2020-07-17 03 | 27 |
| 2020-07-17 04 | 21 |
| 2020-07-17 05 | 26 |
| 2020-07-17 06 | 34 |
| 2020-07-17 07 | 34 |
| 2020-07-17 08 | 34 |
| 2020-07-17 09 | 36 |
| 2020-07-17 10 | 49 |
| 2020-07-17 11 | 34 |
| 2020-07-17 12 | 53 |
| 2020-07-17 13 | 36 |

#+HEADER: :var data=login-attempts-without-csrf
#+BEGIN_SRC python :var filename="2020-07-17-login-attempts-without-csrf.png" :exports results :results file
import matplotlib.pyplot as plt

# Each table row is (hour, number of distinct IPs that made token-less login
# attempts in that hour), as produced by the bash block above.
x = [a[0] for a in data]
y = [a[1] for a in data]
plt.plot(x, y, marker='o')
plt.title('Login attempts without CSRF tokens by IP')
plt.ylabel('Attempts per IP')
plt.xlabel('Hour')
plt.grid(True)
plt.xticks(rotation=70)
plt.savefig(filename, transparent=True)
return filename
#+END_SRC

#+RESULTS[66dd9d9ba4cfd43c058d2aac4b5a3cbd8772b099]:
[[file:2020-07-17-login-attempts-without-csrf.png]]

Login attempts without CSRF tokens appear to be fairly stable, without much drop-off.
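As an added example (not part of the worklog, and not the site's own code), the same per-hour count done in Python, so the "is this still stable?" question can be answered before the throttling behaviour changes. The sample log lines are constructed; their layout is an assumption based only on what the grep and sed patterns above match (a timestamp, a "CSRF challenge:" message with sent/session tokens, and an ip: "..." field). The function names and the `WORKLOG_COUNTS` table are mine; the values in that table are copied from the results table above. It also adds a simple median-based baseline check that the pipeline itself does not perform.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample log lines (not taken from the real account_controller logs).
# Their shape is an assumption derived from the grep and sed patterns above.
SAMPLE_LOG = """\
2020-07-16 17:02:11 account_controller: CSRF challenge: sent: "", session: "", ip: "203.0.113.5"
2020-07-16 17:02:14 account_controller: CSRF challenge: sent: "", session: "", ip: "203.0.113.5"
2020-07-16 17:40:59 account_controller: CSRF challenge: sent: "", session: "", ip: "198.51.100.7"
2020-07-16 18:05:00 account_controller: CSRF challenge: sent: "a1b2", session: "a1b2", ip: "192.0.2.44"
2020-07-16 18:12:30 account_controller: CSRF challenge: sent: "", session: "", ip: "198.51.100.7"
2020-07-16 18:13:01 account_controller: CSRF challenge: sent: "", session: "", ip: "192.0.2.9"
2020-07-16 18:13:02 account_controller: CSRF challenge: sent: "", session: "", ip: "192.0.2.10"
2020-07-16 19:00:00 account_controller: CSRF challenge: sent: "", session: "c3d4", ip: "192.0.2.11"
2020-07-16 19:00:01 account_controller: CSRF challenge: sent: "", session: "", ip: "192.0.2.12"
"""

# Same selection as grep 'CSRF challenge:.*sent: "", session: ""', plus the
# "<date> <hour>" and ip extraction that the sed expression performs.
TOKENLESS = re.compile(
    r'^(?P<hour>\d{4}-\d{2}-\d{2} \d{2}):\d{2}:\d{2}'
    r'.*CSRF challenge:.*sent: "", session: ""'
    r'.*ip: "(?P<ip>\d+\.\d+\.\d+\.\d+)"'
)


def distinct_ips_per_hour(log_text):
    """Map each hour to the number of distinct IPs that made a token-less login attempt.

    Mirrors `sort | uniq | awk '{print $1, $2}' | uniq -c`: one IP retrying many
    times within an hour counts once, so the series tracks sources, not volume.
    """
    ips_by_hour = defaultdict(set)
    for line in log_text.splitlines():
        m = TOKENLESS.match(line)
        if m:
            ips_by_hour[m.group("hour")].add(m.group("ip"))
    return {hour: len(ips) for hour, ips in sorted(ips_by_hour.items())}


def hours_off_baseline(counts, factor=2.0):
    """Return the hours whose count exceeds factor * median or falls below median / factor.

    The median is insensitive to a few outlying hours, so this is a cheap check
    that the rate is still flat before token-less attempts start being rejected.
    """
    if not counts:
        return []
    median = statistics.median(counts.values())
    return [h for h, v in counts.items() if v > factor * median or v < median / factor]


# Per-hour counts copied from the results table above (hypothetical name).
WORKLOG_COUNTS = {
    "2020-07-16 17": 6, "2020-07-16 18": 38, "2020-07-16 19": 48,
    "2020-07-16 20": 31, "2020-07-16 21": 27, "2020-07-16 22": 31,
    "2020-07-16 23": 24, "2020-07-17 00": 26, "2020-07-17 01": 20,
    "2020-07-17 02": 26, "2020-07-17 03": 27, "2020-07-17 04": 21,
    "2020-07-17 05": 26, "2020-07-17 06": 34, "2020-07-17 07": 34,
    "2020-07-17 08": 34, "2020-07-17 09": 36, "2020-07-17 10": 49,
    "2020-07-17 11": 34, "2020-07-17 12": 53, "2020-07-17 13": 36,
}

if __name__ == "__main__":
    sample_counts = distinct_ips_per_hour(SAMPLE_LOG)
    for hour, n in sample_counts.items():
        print(hour, n)
    print("off baseline (sample):", hours_off_baseline(sample_counts))
    print("off baseline (worklog):", hours_off_baseline(WORKLOG_COUNTS))
```

Run against the table above, the check flags only the first hour (6 distinct IPs against a median of 31); every later hour stays within a factor of two of the median, which is the numeric form of "fairly stable, without much drop-off".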
Once we're comfortable with the frequency with which this occurs, we can apply [[https://gitlab.aweber.io/CP/applications/sites/-/merge_requests/5283/diffs][this change]] to the [[id:d17e934b-b340-4246-88f0-9b36527100c0][Login Throttling]] code to mark login attempts without a token as invalid, rather than presenting the end-user with a CAPTCHA as we're doing now.

* Add captcha to login attempts without customer cookie

* Sift Account Takeover product

https://docs.google.com/document/d/15PhnBOLPIlRnRal-hz2dliA4Pmzf_bkFy253femOzqE/edit