
Rails 4 Repeating HTTP POST Request Spamming

I have been working on a Ruby on Rails 4 application. For the most part the site is done; however, I found a "security flaw" which allows me to capture the HTTP POST request via an intercepting proxy tool (Burp Suite). I can then send this POST request to a repeater and re-submit the request over and over again. This effectively can be used to abuse my application and spam people. Before I go to launch this product, I need to fix this issue. This is where I need help. I would really like to avoid the usage of CAPTCHA, and I would like to keep the user flow of the application as seamless as possible. So what are some good ways to prevent HTTP POST request spamming?

Thank you

The rack-attack gem allows you to block or throttle requests based on pretty much anything in the Rack environment.

A classic example is to throttle the number of login attempts for a username, which you could do with:

# config/initializers/rack_attack.rb: at most 6 login POSTs per e-mail address per minute.
# The block returns the value to count on (the e-mail), or nil so the request is not counted.
Rack::Attack.throttle('logins/email', :limit => 6, :period => 60.seconds) do |req|
  req.params['email'] if req.path == '/login' && req.post?
end

You can define as many of these throttles as you like (within reason, obviously).
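To show how limit/period counting behaves against a replayed POST, here is an added example (not the answerer's code and not part of rack-attack) that re-implements the gem's fixed-window throttle in plain Ruby; the Request struct, Throttler class, the 'posts/ip' rule and the 203.0.113.7 client address are all constructed for this example, only the throttle(name, limit:, period:) { |req| ... } shape mirrors Rack::Attack.

```ruby
# Added example (not from the original answer): a minimal re-implementation of
# rack-attack's fixed-window throttle so the limit/period semantics can be run
# offline without the gem. Everything except the throttle() signature is assumed.
Request = Struct.new(:ip, :path, :method, :params) do
  def post?; method == 'POST'; end
end

class Throttler
  Rule = Struct.new(:name, :limit, :period, :discriminator)
  def initialize(clock: -> { Time.now.to_i })
    @rules = []
    @clock = clock
    @store = Hash.new(0) # stands in for the Rails cache rack-attack uses
  end
  # Same shape as Rack::Attack.throttle: the block returns the value to
  # count on, or nil to leave this request uncounted by this rule.
  def throttle(name, limit:, period:, &discriminator)
    @rules << Rule.new(name, limit, period, discriminator)
  end
  # Returns [status, body]; 429 once a rule's counter for the current
  # fixed window (name:window:discriminator) exceeds its limit.
  def call(req)
    now = @clock.call
    @rules.each do |rule|
      disc = rule.discriminator.call(req)
      next if disc.nil?
      key = "#{rule.name}:#{now / rule.period}:#{disc}"
      return [429, "Retry later (#{rule.name})"] if (@store[key] += 1) > rule.limit
    end
    [200, 'OK']
  end
end

def build_throttler(clock)
  t = Throttler.new(clock: clock)
  # The answer's rule: at most 6 login attempts per e-mail per minute.
  t.throttle('logins/email', limit: 6, period: 60) do |req|
    req.params['email'] if req.path == '/login' && req.post?
  end
  # Constructed second rule for the replayed-POST case: any POST, per client IP.
  t.throttle('posts/ip', limit: 10, period: 60) { |req| req.ip if req.post? }
  t
end

# Replay one captured POST n times (constructed request, documentation-range IP)
# and return the status codes; a fixed clock keeps every replay in one window.
def replay(n, clock: -> { 1_000 })
  req = Request.new('203.0.113.7', '/login', 'POST', { 'email' => 'a@example.com' })
  t = build_throttler(clock)
  Array.new(n) { t.call(req).first }
end
```

With the fixed clock, `replay(8)` returns six 200s followed by two 429s; advancing the clock into the next 60-second window resets the counter, which is why rack-attack's throttles are a rate limit rather than a permanent block.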
