1333: Rate Limit API - 1 in user defined value

Allow api connection every api_attempt_delay milliseconds. Currently 50 mSec Uses the same process as ui/admin rate limiting. Changes to be committed: modified: config.yaml modified: core/main/rest/api.rb modified: core/main/router/router.rb
2017-11-24 17:00:58 +10:00
parent e86e05d20f
commit 0eb6010898
3 changed files with 36 additions and 1 deletions
--- a/config.yaml
+++ b/config.yaml
@@ -27,6 +27,8 @@ beef:
        # subnet of IP addresses that can connect to the admin UI
        #permitted_ui_subnet: "127.0.0.1/32"
        permitted_ui_subnet: "0.0.0.0/0"
+        # slow API calls to 1 every  api_attempt_delay  seconds
+        api_attempt_delay: "0.05"

    # HTTP server
    http:
--- a/core/main/rest/api.rb
+++ b/core/main/rest/api.rb
@@ -63,7 +63,7 @@ module BeEF
      # This is from extensions/admin_ui/controllers/authentication/authentication.rb
      #
      def self.permitted_source?(ip)
-        # get permitted subnet 
+        # get permitted subnet
        permitted_ui_subnet = BeEF::Core::Configuration.instance.get("beef.restrictions.permitted_ui_subnet")
        target_network = IPAddr.new(permitted_ui_subnet)

@@ -74,6 +74,31 @@ module BeEF
        return target_network.include?(ip)
      end

+      #
+      # Rate limit through timeout
+      # This is from extensions/admin_ui/controllers/authentication/
+      #
+      # Brute Force Mitigation
+      # Only one login request per config_delay_id seconds
+      #
+      # @param config_delay_id <string> configuration name for the timeout
+      # @param last_time_attempt <Time> last time this was attempted
+      # @param time_record_set_fn <lambda> callback, setting time on failure
+      #
+      # @return <boolean>
+      def self.timeout?(config_delay_id, last_time_attempt, time_record_set_fn)
+        time = Time.new
+        config = BeEF::Core::Configuration.instance
+        fail_delay = config.get(config_delay_id)
+
+        if (time - last_time_attempt < fail_delay.to_f)
+          time_record_set_fn.call(time)
+          return false
+        end
+
+        return true
+      end
+
    end
  end
 end
--- a/core/main/router/router.rb
+++ b/core/main/router/router.rb
@@ -17,6 +17,8 @@ module BeEF
          set :show_exceptions, false
        end

+        last_attempt_time = Time.new
+
        # @note Override default 404 HTTP response
        not_found do
          if config.get("beef.http.web_server_imitation.enable")
@@ -88,6 +90,12 @@ module BeEF
        end

        before do
+          # Rate limit calls to 1 in beef.restrictions.api_attempt_delay seconds
+          halt 401 if not BeEF::Core::Rest.timeout?('beef.restrictions.api_attempt_delay',
+                                                    last_attempt_time,
+                                                    lambda { |time| time = time})
+          last_attempt_time = Time.now                 # set the time of the last successful response
+
          # @note Override Server HTTP response header
          if config.get("beef.http.web_server_imitation.enable")
            type = config.get("beef.http.web_server_imitation.type")