1333: Rate Limit API - 1 in user defined value

Allow api connection every api_attempt_delay milliseconds. Currently 50 mSec Uses the same process as ui/admin rate limiting. Changes to be committed: modified: config.yaml modified: core/main/rest/api.rb modified: core/main/router/router.rb
2017-11-24 17:00:58 +10:00
parent f5ce6170f7
commit 7ac24ef754
3 changed files with 36 additions and 1 deletions
--- a/core/main/rest/api.rb
+++ b/core/main/rest/api.rb
@@ -63,7 +63,7 @@ module BeEF
      # This is from extensions/admin_ui/controllers/authentication/authentication.rb
      #
      def self.permitted_source?(ip)
-        # get permitted subnet 
+        # get permitted subnet
        permitted_ui_subnet = BeEF::Core::Configuration.instance.get("beef.restrictions.permitted_ui_subnet")
        target_network = IPAddr.new(permitted_ui_subnet)

@@ -74,6 +74,31 @@ module BeEF
        return target_network.include?(ip)
      end

+      #
+      # Rate limit through timeout
+      # This is from extensions/admin_ui/controllers/authentication/
+      #
+      # Brute Force Mitigation
+      # Only one login request per config_delay_id seconds
+      #
+      # @param config_delay_id <string> configuration name for the timeout
+      # @param last_time_attempt <Time> last time this was attempted
+      # @param time_record_set_fn <lambda> callback, setting time on failure
+      #
+      # @return <boolean>
+      def self.timeout?(config_delay_id, last_time_attempt, time_record_set_fn)
+        time = Time.new
+        config = BeEF::Core::Configuration.instance
+        fail_delay = config.get(config_delay_id)
+
+        if (time - last_time_attempt < fail_delay.to_f)
+          time_record_set_fn.call(time)
+          return false
+        end
+
+        return true
+      end
+
    end
  end
 end