SaaS CMS has officially launched! Learn more now.

Techniques against "brute force" attacks on promotion codes: captcha.


Hi all, we are exploring the option of asking for a captcha code when the end user (or an automated process) enters an invalid coupon code n times. 

For this we want to add a property for the base discount classes to let the editors enable or disable the captcha feature.

Have you done something similar? can you share experiences or tips related to this?


Jan 17, 2022 17:31

Sounds like you need the feature toggle as global rather than a 'base discount classes' one.

Why not have JS track the number of submits without a successful and then conditionally enable captcha?

Jan 27, 2022 15:03

Hi @Celerino,

Handling forms with anti forgery token in a cloudflare/WAF environment should be enough to handle brute force. Cloudflare/WAF already has the system in place to auto block requests if it detects multiple attempt from a single source in a certain timeframe. If you are using Optimizley DXP, handling your form requests and response with form antiforgerytoken and proper response with status code should be enough to handle brute force attacks.

If you are using on-premise enviornment, then you should consider reCaptcha as an option to handle such requests.

~ Sujit

Feb 06, 2022 18:55

If it still gets past the AnitForgeryToken and cloudflare, have you considered implementing honeypot? It's less intrusive (and an additional step for users) like re-captcha but allows you to target spam traffic.

Feb 11, 2022 0:37
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.