From 8c8dd6c9c35ac4dfccee733c784a0975c6262cc3 Mon Sep 17 00:00:00 2001
From: Bucky Wilson
Date: Mon, 11 Dec 2017 17:48:40 +1000
Subject: [PATCH] Added auth access time checking
Time set on failure, Next request fails if inside configured time: beef.restrictions.api_attempt_delay
modified: core/main/rest/handlers/admin.rb
---
core/main/rest/handlers/admin.rb | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/core/main/rest/handlers/admin.rb b/core/main/rest/handlers/admin.rb
index 23c828137..e84e8793e 100644
--- a/core/main/rest/handlers/admin.rb
+++ b/core/main/rest/handlers/admin.rb
@@ -10,10 +10,20 @@ module BeEF
class Admin < BeEF::Core::Router::Router
config = BeEF::Core::Configuration.instance
+ time_since_last_failed_auth = 0
+
before do
# error 401 unless params[:token] == config.get('beef.api_token')
halt 401 if not BeEF::Core::Rest.permitted_source?(request.ip)
+
+ # halt if requests are inside beef.restrictions.api_attempt_delay
+ if time_since_last_failed_auth != 0
+ halt 401 if not BeEF::Core::Rest.timeout?('beef.restrictions.api_attempt_delay',
+ time_since_last_failed_auth,
+ lambda { |time| time_since_last_failed_auth = time})
+ end
+
headers 'Content-Type' => 'application/json; charset=UTF-8',
'Pragma' => 'no-cache',
'Cache-Control' => 'no-cache',
@@ -46,6 +56,9 @@ module BeEF
# check username and password
if not (data['username'].eql? config.get('beef.credentials.user') and data['password'].eql? config.get('beef.credentials.passwd') )
BeEF::Core::Logger.instance.register('Authentication', "User with ip #{request.ip} has failed to authenticate in the application.")
+
+ # failed attempts
+ time_since_last_failed_auth = Time.now()
halt 401
else
{
"success" => true,
@@ -62,4 +75,4 @@ module BeEF
end
end
end
-end
\ No newline at end of file
+end
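Review bot: The lockout state `time_since_last_failed_auth` introduced at the top of the class is one closure variable shared by every client, so a single bad login from any address that passes `permitted_source?` makes the new check in `before` return 401 for every admin route and every caller until `beef.restrictions.api_attempt_delay` has elapsed — an unauthenticated caller can keep the REST admin API unusable by failing one login per window. Keying the timestamp on `request.ip` keeps the delay per client (with the caveat that behind a proxy `request.ip` may be the proxy's address); the `timeout?` helper and what it passes to the callback are outside this hunk, so the `!= 0` sentinel is kept as is, and the assignment in the login route further down becomes `failed_auth_at[request.ip] = Time.now`. The variable also deserves a comment, since it holds a `Time` (the moment of the last failure) rather than a duration and starts out as the Integer 0, which the name `time_since_…` hides. The class body and the `before` block both continue outside the hunk.
```ruby
    # Time of the last failed login per client address (0 = no delay pending).
    # Kept per client so one attacker cannot lock every admin user out of the API.
    failed_auth_at = Hash.new(0)

    before do
      # … unchanged: permitted_source? check …

      # halt if this client's requests are inside beef.restrictions.api_attempt_delay
      if failed_auth_at[request.ip] != 0
        halt 401 if not BeEF::Core::Rest.timeout?('beef.restrictions.api_attempt_delay',
          failed_auth_at[request.ip],
          lambda { |time| failed_auth_at[request.ip] = time })
      end
      # … unchanged: headers …
```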
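Review bot: The comment `# failed attempts` above the new assignment is misleading: nothing is counted here, the line stores the timestamp of this failure, and `Time.now()` does not need the parentheses. I would write `# record when this login failed; the before filter rejects admin requests until beef.restrictions.api_attempt_delay has passed` followed by `time_since_last_failed_auth = Time.now`. Note that the target is the class-body local from the top of the file, so the value is process-wide rather than per request, and under a threaded server the write is unsynchronised — harmless for a timestamp, but worth saying in the comment. The `if` and the route block start and end outside the hunk.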