Added auth access time checking

Time set on failure, Next request fails if inside configured time: beef.restrictions.api_attempt_delay modified: core/main/rest/handlers/admin.rb
2017-12-11 17:48:40 +10:00
parent f42346fc1a
commit 3b470439fa
1 changed files with 14 additions and 1 deletions
--- a/core/main/rest/handlers/admin.rb
+++ b/core/main/rest/handlers/admin.rb
@@ -10,10 +10,20 @@ module BeEF
      class Admin < BeEF::Core::Router::Router

        config = BeEF::Core::Configuration.instance
+        time_since_last_failed_auth = 0
+

        before do
          # error 401 unless params[:token] == config.get('beef.api_token')
          halt 401 if not BeEF::Core::Rest.permitted_source?(request.ip)
+
+          # halt if requests are inside  beef.restrictions.api_attempt_delay
+          if time_since_last_failed_auth != 0
+            halt 401 if not BeEF::Core::Rest.timeout?('beef.restrictions.api_attempt_delay',
+                                                      time_since_last_failed_auth,
+                                                      lambda { |time| time_since_last_failed_auth = time})
+          end
+
          headers 'Content-Type' => 'application/json; charset=UTF-8',
                  'Pragma' => 'no-cache',
                  'Cache-Control' => 'no-cache',
@@ -46,6 +56,9 @@ module BeEF
            # check username and password
            if not (data['username'].eql? config.get('beef.credentials.user') and data['password'].eql? config.get('beef.credentials.passwd') )
              BeEF::Core::Logger.instance.register('Authentication', "User with ip #{request.ip} has failed to authenticate in the application.")
+
+              # failed attempts
+              time_since_last_failed_auth = Time.now()
              halt 401
            else
              { "success" => true,
@@ -62,4 +75,4 @@ module BeEF
      end
    end
  end
-end
+end