From a538a9ebd53d588e071ca03d0e0a0ea5a7ea1f88 Mon Sep 17 00:00:00 2001 From: Bucky Wilson Date: Fri, 24 Nov 2017 17:00:58 +1000 Subject: [PATCH] 1333: Rate Limit API - 1 in user defined value Allow api connection every api_attempt_delay milliseconds. Currently 50 mSec Uses the same process as ui/admin rate limiting. Changes to be committed: modified: config.yaml modified: core/main/rest/api.rb modified: core/main/router/router.rb --- config.yaml | 2 ++ core/main/rest/api.rb | 27 ++++++++++++++++++++++++++- core/main/router/router.rb | 8 ++++++++ 3 files changed, 36 insertions(+), 1 deletion(-) diff --git a/config.yaml b/config.yaml index dabbbf6af..1d03e756f 100644 --- a/config.yaml +++ b/config.yaml @@ -27,6 +27,8 @@ beef: # subnet of IP addresses that can connect to the admin UI #permitted_ui_subnet: "127.0.0.1/32" permitted_ui_subnet: "0.0.0.0/0" + # slow API calls to 1 every api_attempt_delay seconds + api_attempt_delay: "0.05" # HTTP server http: diff --git a/core/main/rest/api.rb b/core/main/rest/api.rb index 1b046a3b0..ae8754742 100644 --- a/core/main/rest/api.rb +++ b/core/main/rest/api.rb @@ -63,7 +63,7 @@ module BeEF # This is from extensions/admin_ui/controllers/authentication/authentication.rb # def self.permitted_source?(ip) - # get permitted subnet + # get permitted subnet permitted_ui_subnet = BeEF::Core::Configuration.instance.get("beef.restrictions.permitted_ui_subnet") target_network = IPAddr.new(permitted_ui_subnet) @@ -74,6 +74,31 @@ module BeEF return target_network.include?(ip) end + # + # Rate limit through timeout + # This is from extensions/admin_ui/controllers/authentication/ + # + # Brute Force Mitigation + # Only one login request per config_delay_id seconds + # + # @param config_delay_id configuration name for the timeout + # @param last_time_attempt
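Review bot: The new `api_attempt_delay` value is quoted, `"0.05"`, so YAML loads it as a String and any Ruby time arithmetic against it (for example a comparison like `Time.now - last < delay`) raises unless the reader converts it first; an unquoted `api_attempt_delay: 0.05` avoids that conversion. The comment says seconds while the commit message describes the delay in milliseconds ("Currently 50 mSec"); the value is 50 ms expressed in seconds, so the comment should say so: `# minimum interval, in seconds, between accepted API requests (0.05 = 50 ms)`. The key is added beside `permitted_ui_subnet`, which api.rb reads as `beef.restrictions.permitted_ui_subnet`, so the new key presumably resolves to `beef.restrictions.api_attempt_delay`; confirm the api.rb hunk, whose body runs past this chunk, reads that path. If the delay is enforced with one shared last-attempt timestamp as the admin UI approach the message cites does, it bounds the request rate but also lets a single busy client hold the whole API for every caller; worth stating in the config comment so operators understand the trade-off.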