Vulnerability in EPiServer.Forms
Hi all, we are exploring the option of asking for a captcha code when the end user (or an automated process) enters an invalid coupon code n times.
For this we want to add a property for the base discount classes to let the editors enable or disable the captcha feature.
Have you done something similar? Can you share experiences or tips related to this?
Sounds like you need the feature toggle as global rather than a 'base discount classes' one.
Why not have JS track the number of submits without a successful one and then conditionally enable captcha?
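An added example (not code from the thread or from EPiServer/Optimizely) of the "captcha after n invalid coupon codes" idea from the original question, combined with the counting suggestion above. The counter is kept server-side rather than in page JavaScript, because an automated process posting directly to the endpoint never runs the page's script. The class name CouponGuard, the per-client key (session id or source address), the in-memory Map store, and the captchaOk flag (standing in for whatever the captcha provider's server-side verification returns) are all assumptions; the editor-facing on/off switch from the question is the captchaEnabled option.

```javascript
// Added example: server-side tracking of failed coupon redemptions per client,
// requiring a captcha once the failure threshold inside a time window is hit.
// Names and the sample coupon list are constructed for illustration.
class CouponGuard {
  constructor({ captchaEnabled = true, maxFailures = 3, windowMs = 15 * 60 * 1000, now = Date.now } = {}) {
    this.captchaEnabled = captchaEnabled; // editor toggle for the captcha feature
    this.maxFailures = maxFailures;       // n invalid codes before a captcha is demanded
    this.windowMs = windowMs;             // failures older than this are forgotten
    this.now = now;                       // injectable clock, useful for tests
    this.failures = new Map();            // clientKey -> { count, firstAt }; a shared store in production
  }

  // Return the failure record for a client, discarding one whose window has expired.
  _record(clientKey) {
    const rec = this.failures.get(clientKey);
    if (!rec || this.now() - rec.firstAt > this.windowMs) {
      const fresh = { count: 0, firstAt: this.now() };
      this.failures.set(clientKey, fresh);
      return fresh;
    }
    return rec;
  }

  // True when the form must render (and the handler must verify) a captcha for this client.
  captchaRequired(clientKey) {
    return this.captchaEnabled && this._record(clientKey).count >= this.maxFailures;
  }

  // validCodes: Set of currently valid coupon codes.
  // captchaOk: result of verifying the submitted captcha token with the provider (assumed done elsewhere).
  redeem(clientKey, code, validCodes, captchaOk = false) {
    if (this.captchaRequired(clientKey) && !captchaOk) {
      return { ok: false, reason: 'captcha_required' };
    }
    const rec = this._record(clientKey);
    if (validCodes.has(code)) {
      this.failures.delete(clientKey); // a successful redemption clears the counter
      return { ok: true };
    }
    rec.count += 1;
    return { ok: false, reason: 'invalid_code', captchaRequired: this.captchaRequired(clientKey) };
  }
}

// Constructed demo: three wrong guesses from one session, then a captcha is required.
const demoGuard = new CouponGuard({ maxFailures: 3 });
const demoCodes = new Set(['SPRING10']);
for (const guess of ['A', 'B', 'C']) demoGuard.redeem('session-1', guess, demoCodes);
console.log(demoGuard.captchaRequired('session-1')); // true
```

The window reset means a client that stops guessing is not locked behind a captcha forever, and keying on the session rather than only the source address avoids punishing everyone behind one NAT; in a multi-instance deployment the Map would be replaced by a shared cache so the count survives across servers.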
Handling forms with anti-forgery token in a Cloudflare/WAF environment should be enough to handle brute force. Cloudflare/WAF already has the system in place to auto block requests if it detects multiple attempts from a single source in a certain timeframe. If you are using Optimizely DXP, handling your form requests and response with form antiforgerytoken and proper response with status code should be enough to handle brute force attacks.
If you are using on-premise environment, then you should consider reCaptcha as an option to handle such requests.
If it still gets past the AntiForgeryToken and Cloudflare, have you considered implementing honeypot? It's less intrusive (and an additional step for users) than re-captcha but allows you to target spam traffic.
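An added example of the honeypot approach suggested above; it is not code from the thread or from EPiServer.Forms. The form carries an extra text input that is hidden from people but visible to scripts that fill every field; a submission with that field populated is logged and silently dropped while the bot receives the same response as a real user. The field name contact_url, the handler names and the in-memory log are assumptions.

```javascript
// Added example: honeypot field check for a form handler. Names are constructed.
const HONEYPOT_FIELD = 'contact_url'; // looks like a real field to a script, never shown to humans

// Markup the form template would include (constructed): moved off-screen and skipped by
// keyboard navigation and screen readers, so a person never fills it in.
const honeypotMarkup =
  `<div style="position:absolute;left:-10000px;" aria-hidden="true">` +
  `<label for="${HONEYPOT_FIELD}">Leave this field empty</label>` +
  `<input type="text" id="${HONEYPOT_FIELD}" name="${HONEYPOT_FIELD}" tabindex="-1" autocomplete="off">` +
  `</div>`;

// A human leaves the field empty; anything non-blank in it marks the post as automated.
function isHoneypotTripped(body) {
  const value = body[HONEYPOT_FIELD];
  return typeof value === 'string' && value.trim().length > 0;
}

// Handle a coupon form post. Tripped submissions are recorded for monitoring and answered
// with the normal success response so the sender cannot tell it was filtered.
function handleSubmission(body, validCodes, auditLog) {
  if (isHoneypotTripped(body)) {
    auditLog.push({ event: 'honeypot_tripped', field: HONEYPOT_FIELD });
    return { status: 200, processed: false, body: { message: 'Thanks, your code was received.' } };
  }
  const valid = validCodes.has(body.coupon);
  return {
    status: valid ? 200 : 422,
    processed: true,
    body: valid ? { message: 'Thanks, your code was received.', applied: body.coupon } : { error: 'invalid coupon code' },
  };
}

// Constructed run: a browser submission versus a script that filled every field it found.
const demoLog = [];
const demoCodes = new Set(['SPRING10']);
console.log(handleSubmission({ coupon: 'SPRING10', contact_url: '' }, demoCodes, demoLog).processed);            // true
console.log(handleSubmission({ coupon: 'SPRING10', contact_url: 'http://x' }, demoCodes, demoLog).processed);    // false
console.log(demoLog.length);                                                                                      // 1
```

Because the trap costs the user nothing and the response to a tripped post is indistinguishable from success, the check layers cleanly under the anti-forgery token and any edge rate limiting; the audit log entries are what to graph to see whether the automated traffic is actually being caught.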