Techniques against "brute force" attacks on promotion codes: captcha.


Hi all, we are exploring the option of asking for a captcha code when the end user (or an automated process) enters an invalid coupon code n times.

For this we want to add a property for the base discount classes to let the editors enable or disable the captcha feature.

Have you done something similar? Can you share experiences or tips related to this?

Thanks.

#270118
Jan 17, 2022 17:31
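One way to implement the gate described in the question (this is an added example, not code from the original thread or from Optimizely): a server-side counter of failed redemptions per client key, a global feature toggle, and a captcha requirement once the threshold is crossed within a time window. `VALID_CODES` and the `CouponAttemptGate` name are assumptions made for the example.

```python
import time
from collections import defaultdict, deque

# Constructed sample of valid codes; a real site would look these up in the discount store.
VALID_CODES = {"SPRING22", "WELCOME10"}


class CouponAttemptGate:
    """Server-side tracker of failed coupon attempts per client key.

    After `threshold` failures inside `window_seconds`, further attempts from that
    key must carry a solved captcha. The counter lives on the server, so a client
    that disables JavaScript or replays requests cannot reset it.
    """

    def __init__(self, threshold: int = 3, window_seconds: float = 600.0, enabled: bool = True):
        self.threshold = threshold
        self.window = window_seconds
        self.enabled = enabled                      # global feature toggle for editors
        self._failures = defaultdict(deque)         # client key -> timestamps of failures

    def _prune(self, key: str, now: float) -> deque:
        # Drop failures that fell out of the sliding window.
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def requires_captcha(self, key: str, now: float = None) -> bool:
        if not self.enabled:
            return False
        now = time.time() if now is None else now
        return len(self._prune(key, now)) >= self.threshold

    def redeem(self, key: str, code: str, captcha_solved: bool = False, now: float = None) -> str:
        """Returns 'ok', 'invalid' or 'captcha_required'."""
        now = time.time() if now is None else now
        if self.requires_captcha(key, now) and not captcha_solved:
            # Same reply whether or not the code is valid, so the gate leaks nothing.
            return "captcha_required"
        if code.strip().upper() in VALID_CODES:
            self._failures.pop(key, None)           # a success clears the counter
            return "ok"
        self._failures[key].append(now)
        return "invalid"
```

The key should be whatever identifies the submitter on the server side (session, account or source address), and the captcha token itself still has to be verified server-side before `captcha_solved` is set.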

Sounds like you need the feature toggle as global rather than a 'base discount classes' one.

Why not have JS track the number of submits without a successful one and then conditionally enable captcha?

#270694
Jan 27, 2022 15:03

Hi @Celerino,

Handling forms with an anti-forgery token in a Cloudflare/WAF environment should be enough to handle brute force. Cloudflare/WAF already has the system in place to auto-block requests if it detects multiple attempts from a single source in a certain timeframe. If you are using Optimizely DXP, handling your form requests and responses with the form antiforgerytoken and a proper response with status code should be enough to handle brute force attacks.

If you are using an on-premise environment, then you should consider reCaptcha as an option to handle such requests.

~ Sujit

#271231
Feb 06, 2022 18:55

If it still gets past the AntiForgeryToken and Cloudflare, have you considered implementing a honeypot? It's less intrusive than re-captcha (which is an additional step for users) but still allows you to target spam traffic.

https://stackoverflow.com/questions/36227376/better-honeypot-implementation-form-anti-spam

#271529
Feb 11, 2022 0:37