Friday, April 24, 2009

Complicate Brute Force Attacks in ASP.NET

Have you ever used a test program to simulate a Brute Force attack on your login screen? It's pretty vicious and cool at the same time.

On the login screens I've developed for public access, I do the following to help block any brute force attempt:

1. Implement Captcha technology after 3rd failed login attempt.
2. Lock account after fifth failed login attempt (optional).
3. Implement a random delay using System.Threading.Thread.Sleep on each failed login attempt.

Of course, none of this is 100% attack proof, but it sure complicates things for the attacker.

Below is some pseudocode I used to implement step 3 above:

//Sample login handler: validate the user, redirect on success, delay on failure
if (fncValidateUser(ref mCN, txtUserID.Text.Trim(), txtPassword.Text.Trim()))
{
   Response.Redirect(strReturnURL, true);
}
else
{
   //Delay the response on a failed login attempt (step 3)
   subDelayRequest();
}

//Randomly delay request, I use anywhere between 2 and 20 seconds.
private void subDelayRequest()
{
   System.Int32 minSeconds, maxSeconds;
   minSeconds = 2;
   maxSeconds = 20;
   Random rand = new Random();
   //Random.Next(min, max) excludes max, so this sleeps 2..19 seconds; use maxSeconds + 1 to allow a full 20
   System.Threading.Thread.Sleep(rand.Next(minSeconds, maxSeconds) * 1000);
}
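To show how the three steps fit together, here is an added example (not code from the original post) of a small server-side throttle that tracks failed attempts per account: it demands a captcha from the 3rd failure, locks the account from the 5th, and returns a random 2 to 20 second delay on every failure. The class and method names (LoginThrottle, LoginDecision, TryLogin), the validateUser callback and the captchaOk flag are assumptions standing in for the post's fncValidateUser and whatever captcha control is used.

```csharp
using System;
using System.Collections.Generic;
using System.Threading;

// Added example: per-account login throttle implementing the post's three steps.
// Names below are assumptions, not the post's own code.
public enum LoginDecision { Allow, RequireCaptcha, Locked }

public class LoginThrottle
{
    private const int CaptchaThreshold = 3;   // step 1: captcha after the 3rd failure
    private const int LockoutThreshold = 5;   // step 2: lock after the 5th failure
    private const int MinDelaySeconds = 2;    // step 3: random delay bounds
    private const int MaxDelaySeconds = 20;

    // Failure counts keyed by user id, kept on the server: a counter stored in a
    // cookie or in ViewState can simply be dropped by the client between attempts.
    private readonly Dictionary<string, int> failures =
        new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase);
    private readonly object sync = new object();
    private readonly Random rand = new Random();

    // What the login page must do before it even looks at the password.
    public LoginDecision Check(string userId)
    {
        lock (sync)
        {
            int n;
            failures.TryGetValue(userId, out n);
            if (n >= LockoutThreshold) return LoginDecision.Locked;
            if (n >= CaptchaThreshold) return LoginDecision.RequireCaptcha;
            return LoginDecision.Allow;
        }
    }

    // Record a failed attempt and return the delay (ms) to apply before responding.
    public int RecordFailure(string userId)
    {
        lock (sync)
        {
            int n;
            failures.TryGetValue(userId, out n);
            failures[userId] = n + 1;
            // Random.Next(min, max) excludes max, so +1 makes a full 20 seconds possible.
            return rand.Next(MinDelaySeconds, MaxDelaySeconds + 1) * 1000;
        }
    }

    // A successful login clears the counter for that account.
    public void RecordSuccess(string userId)
    {
        lock (sync) { failures.Remove(userId); }
    }
}

// Sketch of how the login handler from the post would use the throttle.
public static class LoginPageSketch
{
    private static readonly LoginThrottle Throttle = new LoginThrottle();

    // validateUser stands in for fncValidateUser; captchaOk is the captcha
    // control's verification result for this request (both assumptions).
    public static bool TryLogin(string userId, string password, bool captchaOk,
                                Func<string, string, bool> validateUser)
    {
        LoginDecision decision = Throttle.Check(userId);
        if (decision == LoginDecision.Locked) return false;
        if (decision == LoginDecision.RequireCaptcha && !captchaOk) return false;

        if (validateUser(userId, password))
        {
            Throttle.RecordSuccess(userId);
            return true;
        }

        int delayMs = Throttle.RecordFailure(userId);
        Thread.Sleep(delayMs);   // step 3: slow down the caller on every failure
        return false;
    }

    // Stand-alone demonstration (constructed input): six failures against one account.
    public static void Main()
    {
        var t = new LoginThrottle();
        for (int attempt = 1; attempt <= 6; attempt++)
        {
            Console.WriteLine("attempt {0}: {1}", attempt, t.Check("alice"));
            t.RecordFailure("alice");   // delay value ignored here so the demo stays fast
        }
        // prints Allow x3, RequireCaptcha x2, Locked
    }
}
```

Two caveats worth keeping in mind with this design: a lockout counter keyed only by username lets anyone who knows a valid username lock that user out, which is why the post marks step 2 as optional; and Thread.Sleep holds an ASP.NET worker thread for the whole delay, so a large number of concurrent failed logins can exhaust the thread pool and slow the site for everyone.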

Thursday, April 16, 2009

A Little Fun with Generic Filters

Some have asked about my generic filters, and to answer some of the questions:

  • I have finally finished it (back in February).

  • It is database driven - heard of meta data driven ui? :)

  • It is used for both filtering data and filtering report criteria.

A little history on my project:
I've worked on 2 similar projects in the past. The first was a database-driven filter screen written in classic ASP that simply provided a stacked layout of different controls and a simple listing of results with hyperlinks to edit details. It was precise and functional, but not expandable to include reports or reusable elsewhere. The second, at my previous job, was class-driven and cumbersome to develop against, to say the least. It generated only list boxes and a full page of results, so it had no paging or reordering abilities, but it did have a nice flow layout.

Since I started a new job, I decided to build my own generic filter that borrowed the idea of a database-driven backend and various control types, used a flow layout (DIV tags instead of tables), and threw in a slew of other enhancements.

Here is a quick screen shot of my generic filter (uses test data):

Here is the results screen; notice it uses paging and sorting (that took a while to figure out, since my GridView isn't data-bound).

Here is a screen shot of the reporting filter; it allows saving and scheduling of reports, and more.

Granted there are a myriad of other options that a few simple screen shots can't show, but I'll try to post more info in the future. Best of all it's a simple component that will fit into any web page provided you have a database backend. :)