public void TestKeyBlacklistingAndWhitelisting()
{
var ip = GetRandomIP();
var key = GetRandomKey();
Assert.AreEqual(
Hacker.Result.Allowed,
Hacker.DefendAsync(key, ip).Run(),
string.Format("Allow traffic on {0} from {1}", key, ip));
Hacker.BlacklistKeyAsync(key, TimeSpan.FromMinutes(5)).Run();
Assert.AreEqual(
Hacker.Result.KeyBlocked,
Hacker.DefendAsync(key, ip).Run(),
string.Format("Block traffic on {0} from {1}", key, ip));
Assert.AreEqual(
Hacker.Result.KeyBlocked,
Hacker.DefendAsync(key, GetRandomIP()).Run(),
string.Format("Allow any traffic from {1}", key, ip));
Hacker.WhitelistKeyAsync(key).Run();
Assert.AreEqual(
Hacker.Result.Allowed,
Hacker.DefendAsync(key, ip).Run(),
string.Format("Allow traffic on {0} from {1} after whitelist", key, ip));
}
public void ClearAllHits()
{
Func <string> keyGenerator = () => { return("ClearAllHits" + GetRandomKey()); };
var keys = new List <string>();
var random = new Random((int)DateTime.Now.Ticks);
var startTime = DateTime.Now;
Parallel.For(0, 10,
hit =>
{
var key = keyGenerator();
keys.Add(key);
var hits = 1 + random.Next(Hacker.Config.MaxHitsPerKey - 1);
for (var i = 0; i < hits; i++)
{
Assert.AreEqual(
Hacker.Result.Allowed,
Hacker.DefendAsync(key, GetRandomIP()).Run(),
"Request must be allowed for a hit on a key");
}
Assert.AreEqual(hits, Hacker.GetHitsForKey(key).Run(),
"Number of hits must be " + hits + " for key: " + key);
});
Hacker.ClearAllHitsAsync().Run();
foreach (var key in keys)
{
Assert.AreEqual(0, Hacker.GetHitsForKey(key).Run(),
"After clearing hits Number of hits must be 0 for key: " + key);
}
}
public void TestOriginBlaclistingAndWhitelisting()
{
var ip = GetRandomIP();
var key = GetRandomKey();
Assert.AreEqual(
Hacker.Result.Allowed,
Hacker.DefendAsync(key, ip).Run(),
string.Format("Allow traffic on {0} from {1}", key, ip));
Hacker.BlacklistOriginAsync(ip).Run();
Assert.AreEqual(
Hacker.Result.OriginBlocked,
Hacker.DefendAsync(key, ip).Run(),
string.Format("Block traffic on {0} from {1}", key, ip));
Assert.AreEqual(
Hacker.Result.OriginBlocked,
Hacker.DefendAsync(GetRandomKey(), ip).Run(),
string.Format("Allow any traffic from {1}", key, ip));
Hacker.WhitelistOriginAsync(ip).Run();
Assert.AreEqual(
Hacker.Result.Allowed,
Hacker.DefendAsync(key, ip).Run(),
string.Format("Allow traffic on {0} from {1} after whitelist", key, ip));
}
public void TestKeyCustomHitLimit()
{
Hacker.Config.MaxHitsPerKey = 100;
Hacker.Config.MaxHitsPerOrigin = 100;
Hacker.Config.MaxHitsPerKeyPerOrigin = 100;
var key = "InvalidLogin-" + GetRandomKey();
var ip = GetRandomIP();
var interval = TimeSpan.FromMinutes(1);
var maxHits = 10;
var startTime = DateTime.Now;
Parallel.For(0, maxHits,
hit =>
{
Assert.AreEqual(
Hacker.Result.Allowed,
Hacker.DefendAsync(key, ip,
interval, maxHits,
TimeSpan.MaxValue, long.MaxValue,
TimeSpan.MaxValue, long.MaxValue).Run(),
"Allow hits on key for custom interval");
});
Assert.AreEqual(
Hacker.Result.TooManyHitsOnKey,
Hacker.DefendAsync(key, ip,
interval, maxHits,
TimeSpan.MaxValue, long.MaxValue,
TimeSpan.MaxValue, long.MaxValue).Run(),
"Must not allow hits on key after custom interval");
Assert.AreEqual(
Hacker.Result.Allowed,
Hacker.DefendAsync("InvalidLogin-" + GetRandomKey(), ip,
interval, maxHits,
TimeSpan.MaxValue, long.MaxValue,
TimeSpan.MaxValue, long.MaxValue).Run(),
"Allow hits on different key from same IP");
WaitForIntervalToElapse(interval, startTime);
Assert.AreEqual(
Hacker.Result.Allowed,
Hacker.DefendAsync(key, ip,
interval, maxHits,
TimeSpan.MaxValue, long.MaxValue,
TimeSpan.MaxValue, long.MaxValue).Run(),
"Allow hits on key for after interval has passed.");
}
public void TestMaxHitsPerOrigin()
{
Hacker.Config.MaxHitsPerKey = 20;
Hacker.Config.MaxHitsPerOrigin = 10;
Hacker.Config.MaxHitsPerKeyPerOrigin = 20;
var ip = GetRandomIP();
Func <string> keyGenerator = () => { return("TestMaxHitsPerOrigin" + GetRandomKey()); };
var startTime = DateTime.Now;
var result = Parallel.For(0, Hacker.Config.MaxHitsPerOrigin,
hit =>
{
Assert.AreEqual(
Hacker.Result.Allowed,
Hacker.DefendAsync(keyGenerator(), ip).Run()
);
});
while (!result.IsCompleted)
{
Thread.Sleep(100);
}
Assert.AreEqual(
Hacker.Config.MaxHitsPerOrigin,
Hacker.GetHitsFromOrigin(ip).Run(),
"Number of hits recorded must match");
// No more requests from same IP
Assert.AreEqual(
Hacker.Result.TooManyHitsFromOrigin,
Hacker.DefendAsync(keyGenerator(), ip).Run()
);
// Allow requests from other IPs
Assert.AreEqual(
Hacker.Result.Allowed,
Hacker.DefendAsync(keyGenerator(), GetRandomIP()).Run());
WaitForIntervalToElapse(Hacker.Config.MaxHitsPerOriginInterval, startTime);
Assert.AreEqual(
Hacker.Result.Allowed,
Hacker.DefendAsync(keyGenerator(), ip).Run(),
"Allow hits from same origin after expiration time."
);
}
//[ValidateAntiForgeryToken]
public async Task <IActionResult> Login(LoginViewModel model, string returnUrl = null)
{
var clientIP = Request.HttpContext.Connection.RemoteIpAddress.MapToIPv4();
return(await Hacker.DefendAsync <IActionResult>(async (success, fail) =>
{
// Don't forget to do this check! We use model.Email for key.
if (string.IsNullOrWhiteSpace(model.Email) || string.IsNullOrWhiteSpace(model.Password))
{
return await fail(View(model));
}
ViewData["ReturnUrl"] = returnUrl;
if (ModelState.IsValid)
{
// This doesn't count login failures towards account lockout
// To enable password failures to trigger account lockout, set lockoutOnFailure: true
var result = await _signInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe, lockoutOnFailure: false);
if (result.Succeeded)
{
_logger.LogInformation(1, "User logged in.");
return await success(RedirectToLocal(returnUrl));
}
if (result.RequiresTwoFactor)
{
return await success(RedirectToAction(nameof(SendCode), new { ReturnUrl = returnUrl, RememberMe = model.RememberMe }));
}
if (result.IsLockedOut)
{
_logger.LogWarning(2, "User account locked out.");
return await fail(View("Lockout"));
}
else
{
ModelState.AddModelError(string.Empty, "Invalid login attempt.");
return await fail(View(model));
}
}
// If we got this far, something failed, redisplay form
return await fail(View(model));
},
blocked => {
_logger.LogWarning("Blocked: " + clientIP + " " + model.Email);
return new StatusCodeResult((int)HttpStatusCode.Forbidden);
},
"ValidLogin:"******"InvalidLogin:" + model.Email, 3, TimeSpan.FromMinutes(15),
clientIP));
}
public void TestMaxHitsOnKeyPerOrigin()
{
Hacker.Config.MaxHitsPerKey = 20;
Hacker.Config.MaxHitsPerOrigin = 20;
Hacker.Config.MaxHitsPerKeyPerOrigin = 10;
Func <string> keyGenerator = () => { return("TestMaxHitsOnKeyPerOrigin" + GetRandomKey()); };
var key = keyGenerator();
var ip = GetRandomIP();
var startTime = DateTime.Now;
Parallel.For(0, Hacker.Config.MaxHitsPerKeyPerOrigin,
hit =>
{
Assert.AreEqual(
Hacker.Result.Allowed,
Hacker.DefendAsync(key, ip).Run(),
"Allow hits on same key and IP");
});
Assert.AreEqual(
Hacker.Config.MaxHitsPerKeyPerOrigin,
Hacker.GetHitsForKey(key).Run(),
"Number of hits recorded must match");
// No more requests from same key and IP
Assert.AreEqual(
Hacker.Result.TooManyHitsOnKeyFromOrigin,
Hacker.DefendAsync(key, ip).Run());
Assert.AreEqual(
Hacker.Result.Allowed,
Hacker.DefendAsync(keyGenerator(), ip).Run(),
"From different key, same IP, allow");
Assert.AreEqual(
Hacker.Result.Allowed,
Hacker.DefendAsync(key, GetRandomIP()).Run(),
"From different IP, same key, allow");
WaitForIntervalToElapse(Hacker.Config.MaxHitsPerOriginInterval, startTime);
Assert.AreEqual(
Hacker.Result.Allowed,
Hacker.DefendAsync(key, ip).Run(),
"Allow hits on same key and IP after expiration");
}
public void TestMaxHitsPerKey()
{
Hacker.Config.MaxHitsPerKey = 10;
Hacker.Config.MaxHitsPerOrigin = 20;
Hacker.Config.MaxHitsPerKeyPerOrigin = 20;
Func <string> keyGenerator = () => { return("TestMaxHitsPerKey" + GetRandomKey()); };
var fixedKey = keyGenerator();
var startTime = DateTime.Now;
Parallel.For(0, Hacker.Config.MaxHitsPerKey,
hit =>
{
Assert.AreEqual(
Hacker.Result.Allowed,
Hacker.DefendAsync(fixedKey, GetRandomIP()).Run());
});
Assert.AreEqual(
Hacker.Config.MaxHitsPerKey,
Hacker.GetHitsForKey(fixedKey).Run(),
"Number of hits recorded must match");
Assert.AreEqual(
Hacker.Result.TooManyHitsOnKey,
Hacker.DefendAsync(fixedKey, GetRandomIP()).Run());
var ip = GetRandomIP();
Assert.AreEqual(
Hacker.Result.Allowed,
Hacker.DefendAsync(keyGenerator(), ip).Run(),
"Allow traffic from aonther key on same IP");
WaitForIntervalToElapse(Hacker.Config.MaxHitsPerKeyInterval, startTime);
// Hit from another IP using same key should be allowed
Assert.AreEqual(
Hacker.Result.Allowed,
Hacker.DefendAsync(fixedKey, GetRandomIP()).Run(),
"After expiration time, key must be unblocked");
}
public async Task <ActionResult> LogOn(string username, string password)
{
// This handles load balancers passing the original client IP
// through this header.
// WARNING: If you load balancer is not passing original client IP
// through this header, then you will be blocking your load balancer,
// causing a total outage. Also ensure this Header cannot be spoofed.
var originIP = Request.GetClientIp();
// Don't forget to do this check!
if (string.IsNullOrWhiteSpace(username) || string.IsNullOrWhiteSpace(password))
{
TempData[TempDataConstants.ERROR_MESSAGE] = "Invalid username or password";
return(View("~/Views/Account/LogOn.cshtml"));
}
return(await Hacker.DefendAsync <ActionResult>(async (success, fail) =>
{
var user = DataStore.Users.Where(u => u.Username == username &&
u.Password == password).FirstOrDefault();
if (user != null)
{
Session[SessionConstants.USER] = user;
return await success(RedirectToAction("Index", "Home"));
}
else
{
TempData[TempDataConstants.ERROR_MESSAGE] = "Invalid username or password";
return await fail(View("~/Views/Account/LogOn.cshtml"));
}
},
blocked => new HttpStatusCodeResult(HttpStatusCode.Forbidden),
"ValidLogin:"******"InvalidLogin:" + username, MaxInvalidLogin, MaxInvalidLoginInterval,
originIP
));
}
// GET api/values/5
public async Task <IHttpActionResult> Get(int id)
{
var originIP = "0.0.0.1";
var ip = IPAddress.Parse(originIP);
return(await Hacker.DefendAsync <IHttpActionResult>(
async (success, fail) =>
{
if (id == 5)
{
return await success(Ok($"sms for id {id}"));
}
else
{
return await fail(BadRequest($"bad request for id {id}"));
}
},
blocked => new ResponseMessageResult(new HttpResponseMessage(HttpStatusCode.Forbidden)),
validActionKey : "ValidLogin:"******"InvalidLogin:" + id, maxInvalidAttempt : MaxInvalidLogin, invalidAttemptInterval : MaxInvalidLoginInterval,
origin : ip
));
}
public static async Task <Hacker.Result> DefendURL(HttpContext context)
{
Hacker.Result result = Hacker.Result.Allowed;
Stopwatch watch = new Stopwatch();
watch.Start();
if (!Initialized)
{
lock (lockObject)
{
if (!Initialized)
{
Hacker.Logger = new TraceLogger();
Hacker.Logger.LogInformation(ClassName + ' ' + "Initialize");
Hacker.Store = new RedisDefenceStore(HackerSprayConfig.Settings.Redis,
HackerSprayConfig.Settings.Prefix,
Hacker.Config);
Hacker.Logger.LogInformation(ClassName + ' ' + " Initialized");
Initialized = true;
}
}
}
// This handles load balancers passing the original client IP
// through this header.
// WARNING: If your load balancer is not passing original client IP
// through this header, then you will be blocking your load balancer,
// causing a total outage. Also ensure this Header cannot be spoofed.
// Your load balancer should be configured in a way that it does not accept
// this header from the request, instead it always sets it itself.
var originIP = context.Request.GetClientIp();
foreach (var path in HackerSprayConfig.Settings.Paths)
{
if ((path.Post && context.Request.HttpMethod == "POST") ||
(!path.Post && context.Request.HttpMethod == "GET") &&
path.Name == context.Request.Path)
{
Hacker.Logger.LogDebug(ClassName + ' ' + "Path matched: " + context.Request.Path);
if (path.Mode == "key")
{
result = await Hacker.DefendAsync(context.Request.Path, originIP,
path.Interval, path.MaxAttempts,
TimeSpan.MaxValue, long.MaxValue,
TimeSpan.MaxValue, long.MaxValue);
if (result == Hacker.Result.TooManyHitsOnKey)
{
Hacker.Logger.LogInformation(ClassName + ' ' + "TooManyHitsOnKey Blacklist Path: " + context.Request.Path);
await Hacker.BlacklistKeyAsync(path.Name, path.Interval);
}
}
else if (path.Mode == "origin")
{
result = await Hacker.DefendAsync(context.Request.Path, originIP,
TimeSpan.MaxValue, long.MaxValue,
path.Interval, path.MaxAttempts,
TimeSpan.MaxValue, long.MaxValue);
if (result == Hacker.Result.TooManyHitsFromOrigin)
{
Hacker.Logger.LogInformation(ClassName + ' ' + "TooManyHitsFromOrigin Blacklist origin: " + originIP);
await Hacker.BlacklistOriginAsync(originIP, path.Interval);
}
}
else //(path.Mode == "key+origin")
{
result = await Hacker.DefendAsync(context.Request.Path, originIP,
TimeSpan.MaxValue, long.MaxValue,
TimeSpan.MaxValue, long.MaxValue,
path.Interval, path.MaxAttempts);
}
break;
}
}
watch.Stop();
Hacker.Logger.LogDebug(ClassName + ' ' + "DefendURL: " + context.Request.Path + " " + watch.ElapsedMilliseconds);
return(result);
}
public async Task Invoke(HttpContext context)
{
var path = context.Request.Path;
Stopwatch watch = new Stopwatch();
watch.Start();
if (path.HasValue)
{
Debug("Defend Begin: " + path);
// This handles load balancers passing the original client IP
// through this header.
// WARNING: If your load balancer is not passing original client IP
// through this header, then you will be blocking your load balancer,
// causing a total outage. Also ensure this Header cannot be spoofed.
// Your load balancer should be configured in a way that it does not accept
// this header from the request, instead it always sets it itself.
var originIP = context.Connection.RemoteIpAddress;
//if (context.Request.Headers.ContainsKey(XForwardedForHeader))
// originIP = IPAddress.Parse(context.Request.Headers[XForwardedForHeader]).MapToIPv4();
var result = Hacker.Result.Allowed;
foreach (var key in _keys)
{
if (key.Method == context.Request.Method && key.Key == path)
{
Debug("Defend: " + path);
if (key.Mode == HackerSprayOptionKey.HitCountMode.PerKey)
{
result = await Hacker.DefendAsync(path, originIP,
key.Interval, key.MaxAttempts,
TimeSpan.MaxValue, long.MaxValue,
TimeSpan.MaxValue, long.MaxValue);
if (result == Hacker.Result.TooManyHitsOnKey)
{
await Hacker.BlacklistKeyAsync(path, key.Interval);
}
}
else if (key.Mode == HackerSprayOptionKey.HitCountMode.PerOrigin)
{
result = await Hacker.DefendAsync(path, originIP,
TimeSpan.MaxValue, long.MaxValue,
key.Interval, key.MaxAttempts,
TimeSpan.MaxValue, long.MaxValue);
if (result == Hacker.Result.TooManyHitsFromOrigin)
{
await Hacker.BlacklistOriginAsync(originIP, key.Interval);
}
}
else //(key.Item5 == Mode.PerKeyOrigin)
{
result = await Hacker.DefendAsync(path, originIP,
TimeSpan.MaxValue, long.MaxValue,
TimeSpan.MaxValue, long.MaxValue,
key.Interval, key.MaxAttempts);
}
Debug("Defend Result: " + Enum.GetName(typeof(Hacker.Result), result));
break;
}
}
watch.Stop();
Debug("Defend End: " + path + " " + watch.ElapsedMilliseconds);
if (result == Hacker.Result.Allowed)
{
await _next.Invoke(context);
}
else
{
Info("Blocked: " + path);
context.Response.StatusCode = (int)HttpStatusCode.NotAcceptable;
await context.Response.WriteAsync(Enum.GetName(typeof(Hacker.Result), result));
}
//watch.Stop();
//Debug("Finished: " + path + " " + watch.ElapsedMilliseconds);
}
else
{
await _next.Invoke(context);
}
}
public void TestAllowed()
{
var result = Hacker.DefendAsync("TestAllowed" + GetRandomKey(), GetRandomIP()).Run();
Assert.AreEqual(Hacker.Result.Allowed, result);
}
public void TestOriginRangeBlocking()
{
Hacker.ClearBlacklistsAsync().Run();
Hacker.ClearAllHitsAsync().Run();
var ipsInRange = new[] {
IPAddress.Parse("10.10.10.10"),
IPAddress.Parse("10.10.10.11"),
IPAddress.Parse("10.10.254.254"),
IPAddress.Parse("10.11.10.9"),
IPAddress.Parse("10.11.10.10"),
IPAddress.Parse("9.1.1.1"),
IPAddress.Parse("9.1.1.10"),
IPAddress.Parse("9.10.10.9"),
IPAddress.Parse("10.11.10.12"),
IPAddress.Parse("127.254.254.254"),
IPAddress.Parse("100.100.100.100"),
IPAddress.Parse("128.10.10.12"),
IPAddress.Parse("128.10.10.254"),
IPAddress.Parse("128.10.10.128"),
};
var ipsOutofRange = new[] {
IPAddress.Parse("10.10.10.9"),
IPAddress.Parse("9.10.10.10"),
IPAddress.Parse("10.11.10.11"),
IPAddress.Parse("128.10.10.11"),
IPAddress.Parse("200.200.200.200"),
IPAddress.Parse("1.1.1.1"),
IPAddress.Parse("10.0.0.0")
};
Hacker.BlacklistOriginAsync(IPAddress.Parse("10.10.10.10"), IPAddress.Parse("10.11.10.10")).Run();
Hacker.BlacklistOriginAsync(IPAddress.Parse("9.1.1.1"), IPAddress.Parse("9.10.10.9")).Run();
Hacker.BlacklistOriginAsync(IPAddress.Parse("10.11.10.12"), IPAddress.Parse("127.254.254.254")).Run();
Hacker.BlacklistOriginAsync(IPAddress.Parse("128.10.10.12"), IPAddress.Parse("128.10.10.254")).Run();
Array.ForEach(ipsInRange, ip =>
Assert.AreEqual(Hacker.Result.OriginBlocked,
Hacker.DefendAsync("TestOriginRangeBlocking", ip).Run(),
ip.ToString() + " must be blocked."));
Hacker.ClearAllHitsAsync().Run();
Array.ForEach(ipsOutofRange, ip =>
Assert.AreEqual(Hacker.Result.Allowed,
Hacker.DefendAsync("TestOriginRangeBlocking", ip).Run(),
ip.ToString() + " must be allowed"));
Hacker.WhitelistOriginAsync(IPAddress.Parse("9.1.1.1"), IPAddress.Parse("9.10.10.9")).Run();
Array.ForEach(new[]
{
IPAddress.Parse("9.1.1.1"),
IPAddress.Parse("9.1.1.10"),
IPAddress.Parse("9.10.10.9")
},
ip =>
Assert.AreEqual(Hacker.Result.Allowed,
Hacker.DefendAsync("TestOriginRangeBlocking", ip).Run(),
ip.ToString() + " must be allowed"));
Hacker.ClearBlacklistsAsync().Run();
Hacker.ClearAllHitsAsync().Run();
Array.ForEach(ipsInRange, ip =>
Assert.AreEqual(Hacker.Result.Allowed,
Hacker.DefendAsync("TestOriginRangeBlocking", ip).Run(),
ip.ToString() + " must be allowed when there's no blacklisting."));
Hacker.ClearAllHitsAsync().Run();
Array.ForEach(ipsOutofRange, ip =>
Assert.AreEqual(Hacker.Result.Allowed,
Hacker.DefendAsync("TestOriginRangeBlocking", ip).Run(),
ip.ToString() + " must be allowed when there's no blacklisting"));
}
