4

I'm using the OWASP Security Cheat Sheet to check/tighten up security on a .NET Core website I've created.

Section A2 has a part on protecting against brute force login attempts.

It states a solution is to add the following attribute on the Logon Action (but it's for MVC5):

[AllowXRequestsEveryXSecondsAttribute(
  Name = "LogOn",
  Message = "You have performed this action more than {x} times in the last {n} seconds.",
  Requests = 3,
  Seconds = 60)]

The .NET Core scaffolding creates the login part as a page rather than an MVC Controller, and I can't seem to access that attribute (or work out a similar one).

Obviously, I could use posts such as this and this to roll my own solution, but I'd rather use the standard tools where available.

I'd rather not use the lockout feature if I can help it, as this will increase support.

Does .NET Core have something built in that I can use?

Hakan Fıstık
JsAndDotNet
  • I'm going to leave this here in case an answer arises, but so far it seems you have to follow the other Stack Overflow posts and roll your own. – JsAndDotNet Nov 12 '18 at 09:37

1 Answer

4

Came back to this a few months later with fresh eyes and found a post from Microsoft that includes Account lockout for protecting against brute force attacks, which will be a layer of security, though not as comprehensive a protection as the old MVC5 AllowXRequestsEveryXSecondsAttribute enabled.

It will stop multiple attempts against one email, but it won't stop multiple attempts against many emails.

i.e. it will prevent someone doing:

  • username: user1@test.com, password: Password121
  • username: user1@test.com, password: Password122
  • username: user1@test.com, password: Password123

But it won't prevent someone doing:

  • username: user1@test.com, password: Password123
  • username: user2@test.com, password: Password123
  • username: user3@test.com, password: Password123

Here's the code excerpt from Microsoft (the key bit being the options.Lockout part):

public void ConfigureServices(IServiceCollection services)
{
    // Add framework services.
    services.AddDbContext<ApplicationDbContext>(options =>
        options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection")));

    services.AddIdentity<ApplicationUser, IdentityRole>()
        .AddEntityFrameworkStores<ApplicationDbContext>()
        .AddDefaultTokenProviders();

    services.AddMvc();

    services.Configure<IdentityOptions>(options =>
    {
        // Lock the account after this many consecutive failed sign-ins...
        options.Lockout.MaxFailedAccessAttempts = 10;
        // ...and keep it locked for this long before attempts are accepted again.
        options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(10);
    });

    // Add application services.
    services.AddTransient<IEmailSender, AuthMessageSender>();
    services.AddTransient<ISmsSender, AuthMessageSender>();
    services.Configure<SMSoptions>(Configuration);
}

Update (following discussions with the Core Team)

I raised this with the .NET Core team on GitHub.

The AllowXRequestsEveryXSecondsAttribute attribute mentioned in the OWASP cheat sheet is from an external library, which they believe could be converted to .NET Core, but they don't see it as a priority to include something as part of the framework. Their recommendation was to look into the Azure solutions 'AAD or B2C' or 'Auth0'.

JsAndDotNet
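The answer above describes the gap precisely: Identity's lockout is keyed by account, so it does nothing against the second list (one password tried across many accounts). A second layer that is keyed by the client rather than the account closes that gap for the single-source case. The following is an added example, not code from the question, the answer, or Microsoft's post; it uses the built-in rate limiting middleware that ASP.NET Core gained in .NET 7 (Microsoft.AspNetCore.RateLimiting, which did not exist when the question was asked) and assumes the scaffolded Identity login page is served at the default path /Identity/Account/Login. The policy name, limits and the "unknown" fallback key are illustrative choices.

```csharp
// Program.cs (.NET 7 or later, minimal hosting model). Added example: a
// per-client limiter on the login POST, layered on top of Identity lockout.
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.RateLimiting;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddRazorPages();
// AddDbContext / AddDefaultIdentity configuration goes here as in the
// scaffolded project; lockout options from the answer above still apply.

builder.Services.AddRateLimiter(options =>
{
    // Rejected requests get 429 rather than the default 503.
    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;

    // A global limiter lets us pick the partition per request, so only the
    // login POST is limited and every other request goes through unmetered.
    options.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(httpContext =>
    {
        bool isLoginPost = HttpMethods.IsPost(httpContext.Request.Method)
            && httpContext.Request.Path.StartsWithSegments("/Identity/Account/Login"); // assumed default Identity path

        if (!isLoginPost)
        {
            return RateLimitPartition.GetNoLimiter("no-limit");
        }

        // Key by the calling client, not by the submitted username, so trying
        // one password against many accounts counts against the same budget.
        string client = httpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown";

        // Same shape as the MVC5 attribute in the question: N requests per window.
        return RateLimitPartition.GetFixedWindowLimiter(client, _ => new FixedWindowRateLimiterOptions
        {
            PermitLimit = 3,
            Window = TimeSpan.FromSeconds(60),
            QueueLimit = 0 // reject immediately instead of queueing excess attempts
        });
    });
});

var app = builder.Build();

app.UseStaticFiles();
app.UseRouting();
app.UseRateLimiter();      // must run before authentication so rejected attempts never reach Identity
app.UseAuthentication();
app.UseAuthorization();

app.MapRazorPages();

app.Run();
```

Two caveats worth knowing before relying on this. The limiter state is in-process, so on a multi-instance deployment each instance keeps its own counters; and the partition key is the socket address, so behind a reverse proxy or load balancer you need the forwarded-headers middleware configured (and restricted to trusted proxies) or every client collapses into one partition. It also remains a per-source control: attempts spread across many source addresses are not stopped by it, which is why it belongs alongside account lockout and monitoring of failed-login volume rather than in place of them.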