
I have a Spring web app hosted on Amazon and I am facing login attacks from some automated machines. From my logs, it is clear that they are bypassing the login page and are using something like:

curl --data "j_username=xxx&j_password=yyy" http://www.mysecureurl.com/j_spring_security_check 

My question is how to prevent such attacks. Is there a way I can block such logins which are not coming directly from the login page via some Spring configuration?

I will then implement further security measures like captcha, lockout-after-3-wrong-attempts, etc. when the user tries from the login page.

Supra
  • You can implement a Spring AOP advice that checks your request... Example: http://www.mkyong.com/spring/spring-aop-examples-advice/ – Rudy May 30 '13 at 06:47
  • But how do I access anything from httprequest/session in this beforeadvice interceptor? I don't have a clue. – Supra May 30 '13 at 07:05
  • Follow Espen's answer (the sample is based on implementing advice in a Spring controller) in http://stackoverflow.com/questions/3310115/spring-aop-advice-on-annotated-controllers. Note that the request has to be added to the controller signature. – Rudy May 30 '13 at 07:32
  • If your controller already has Request as a parameter, in the beforeAdvice it will be inside the parameter Object[] args (check for type HttpServletRequest). – Rudy May 30 '13 at 07:40

4 Answers


You can implement a Cross-site Request Forgery (CSRF) nonce-token pattern.

In other words,

  • generate a random token (a different one for every user).
  • put this token in the user session
  • and add it as a hidden field in the user login form
  • if you receive a login request, then check if the submitted token matches the token from the session - if not, then send them an access denied

BTW:

Ralph

If all requests are coming from the same IP address, you can use the hasIpAddress expression:

<security:intercept-url pattern="/secure"  access="isAuthenticated() and !hasIpAddress('11.11.111.11')" />

It is more of a temporary hack, because attackers can change their IP.

Maksym Demidas

Here is how I solved my problem, thanks to all the answers above.

1. Added a custom filter to my Spring Security config: <custom-filter position="FORM_LOGIN_FILTER" ref="loginFilter" />

2. In the login controller, generated a random string and put it in the HTTP session

String random = UUID.randomUUID().toString().toLowerCase().replaceAll("-", "");
request.getSession().setAttribute("userKeyInSession", random);

3. Also passed this random key to the login page so that the login JSP can submit it as a hidden parameter along with the form submit.

model.addAttribute("userKey", random);
return "login";

4. In the LoginFilter, I now do a simple string comparison between the request parameter and the random value in the session. If they do not match, I reject and do not proceed with authentication.

More to do: captcha etc. for preventing attacks from the UI now.

Supra
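A sketch of the LoginFilter from steps 1 and 4 above (the same session-token check Ralph's answer describes), as an added example rather than Supra's posted code. It assumes the hidden form field is named userKey and the session attribute userKeyInSession, as in the answer, and it adds two things the answer does not mention: a constant-time comparison and single use of the token.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

/**
 * Replaces the default form-login filter (wired with
 * <custom-filter position="FORM_LOGIN_FILTER" ref="loginFilter"/>).
 * A POST to /j_spring_security_check that does not carry the token issued
 * to this session by the login page is rejected before authentication runs.
 */
public class LoginFilter extends UsernamePasswordAuthenticationFilter {

    // Names taken from the answer above.
    static final String SESSION_KEY = "userKeyInSession";
    // Assumed name of the hidden field the login JSP submits (the answer does not state it).
    static final String PARAM_NAME = "userKey";

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request,
                                                HttpServletResponse response) {
        // getSession(false): never create a session for an unsolicited POST.
        HttpSession session = request.getSession(false);
        Object expected = (session == null) ? null : session.getAttribute(SESSION_KEY);
        String submitted = request.getParameter(PARAM_NAME);

        if (!(expected instanceof String) || submitted == null
                || !constantTimeEquals((String) expected, submitted)) {
            // AuthenticationServiceException is an AuthenticationException, so the
            // parent filter routes this to the configured failure handler.
            throw new AuthenticationServiceException("login token missing or invalid");
        }

        // Single use (added here): the next login attempt must load the login page again.
        session.removeAttribute(SESSION_KEY);
        return super.attemptAuthentication(request, response);
    }

    // Compare without leaking the position of the first mismatching byte.
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```

The bean still needs an authenticationManager property set, as for any UsernamePasswordAuthenticationFilter declared by hand.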

Looks like you are using the default request login parameters provided by Spring Security. The default username and password attribute names are j_username and j_password. So if you change your login page's username and password parameter names to something specific to your app, then you will be able to avoid such attacks, because in that case only you will know the actual username and password attribute names and no one else, and thus no one will be able to send a hack HTTP request to your app.

Sagar Shroff
  • How difficult is it to know the param names even if I change them anyway? Thanks, but it won't help. – Supra Sep 25 '13 at 08:48