Piotr_Bratkowsk
Aug 09, 2013 (Nimbostratus)
ASM & Hydra verification request
Hi,
We have a PoC at one of our clients, and I was preparing a lab with PHPAuction, ASM and Hydra. The lab was aimed to show that an automated (with Hydra) brute force attack on a login page (user_login.php) can be stopped with ASM.
But it turned out it is not working. When I manually try to brute force (with a log setting so it's feasible) it's working like a charm. But as I see in my log, Hydra is using a new session identifier with every request, so Session-based Brute Force Protection is not catching it. I was able to perform 3500 guesses in 10 seconds.
Isn't that a subject for a feature request, to allow building brute force protection based on source IP?
Could someone verify whether it's not a configuration fault?
Regards,
Piotr Bratkowski
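The evasion described in the post, as an added example that is not part of the original post and is not F5 ASM code or configuration: a sliding-window counter keyed on the session cookie misses a tool that rotates the session identifier on every request, while the same counter keyed on the source IP catches it. The log lines, IP addresses, session cookie values, the 10-second window and the threshold of 5 attempts are all constructed for the illustration.

```python
"""Added example for this thread: per-session vs. per-source-IP brute-force
counting. Not F5 ASM code; the log format, addresses and thresholds are
assumptions made for the illustration.
"""
import re
from collections import defaultdict, deque, namedtuple

# Constructed sample log (not real ASM or web-server output).
# Fields: <time in seconds> <source IP> sess=<session cookie> POST <path>
#   203.0.113.7  : Hydra-style attacker, new session cookie on every request
#   192.0.2.9    : manual attacker reusing one session cookie
#   198.51.100.5 : legitimate user, a few attempts spread over time
SAMPLE_LOG = """\
1 203.0.113.7 sess=a1 POST /user_login.php
1 203.0.113.7 sess=a2 POST /user_login.php
2 203.0.113.7 sess=a3 POST /user_login.php
2 203.0.113.7 sess=a4 POST /user_login.php
3 203.0.113.7 sess=a5 POST /user_login.php
3 203.0.113.7 sess=a6 POST /user_login.php
4 203.0.113.7 sess=a7 POST /user_login.php
4 203.0.113.7 sess=a8 POST /user_login.php
1 192.0.2.9 sess=m1 POST /user_login.php
2 192.0.2.9 sess=m1 POST /user_login.php
3 192.0.2.9 sess=m1 POST /user_login.php
4 192.0.2.9 sess=m1 POST /user_login.php
5 192.0.2.9 sess=m1 POST /user_login.php
6 192.0.2.9 sess=m1 POST /user_login.php
1 198.51.100.5 sess=u1 POST /user_login.php
7 198.51.100.5 sess=u1 POST /user_login.php
40 198.51.100.5 sess=u1 POST /user_login.php
"""

Attempt = namedtuple("Attempt", "ts ip sess")
LINE_RE = re.compile(r"^(\d+) (\S+) sess=(\S+) POST /user_login\.php$")


def parse_log(text):
    """Parse login attempts from the constructed log format, ordered by time."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            attempts.append(Attempt(int(m.group(1)), m.group(2), m.group(3)))
    return sorted(attempts, key=lambda a: a.ts)  # stable: keeps log order per ts


def flagged_keys(attempts, key, window=10, threshold=5):
    """Return the set of keys that made more than `threshold` login attempts
    inside any `window`-second sliding window. `key` picks the field that the
    counter is keyed on (session cookie or source IP)."""
    recent = defaultdict(deque)  # key -> timestamps still inside the window
    flagged = set()
    for a in attempts:
        k = key(a)
        q = recent[k]
        while q and a.ts - q[0] >= window:
            q.popleft()  # drop attempts that fell out of the window
        q.append(a.ts)
        if len(q) > threshold:
            flagged.add(k)
    return flagged


def by_session(attempts):
    """Session-based protection: the attacker who rotates cookies is invisible."""
    return flagged_keys(attempts, key=lambda a: a.sess)


def by_source_ip(attempts):
    """Source-IP-based protection: both attackers exceed the threshold."""
    return flagged_keys(attempts, key=lambda a: a.ip)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("keyed on session cookie:", sorted(by_session(events)))
    print("keyed on source IP:     ", sorted(by_source_ip(events)))
```

With this input the session-keyed counter only flags the manual attacker's cookie `m1`, exactly the "works like a charm" manual case; the Hydra-style attacker's eight requests are spread over eight cookies that each count once. The IP-keyed counter flags both `203.0.113.7` and `192.0.2.9` and leaves the legitimate user alone. Two caveats a practitioner would add before relying on source-IP keying alone: an attacker behind many proxies or a botnet spreads the same attempts over many addresses, and many legitimate users behind one NAT or proxy share an address, so the threshold needs tuning against real traffic and is usually combined with per-account counters rather than used instead of them.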