
Antispam functionality

Lars Larsen

Hi

One of our customers wants to know what has been changed in the Antispam functionality since DW v.9.3.4. They are asking because they are having problems with forms being caught by the antispam functionality because of many email fields in a form. And sometimes their own IP gets blocked in the file "_BannedIps.txt" because many employees at the customer are using the same form many times, resulting in many submits of the same form from the same IP.
So the customer is considering an upgrade, but only if changes to the Antispam functionality can prevent the problems mentioned above.


Replies

 
Nicolai Pedersen

Hi Lars

If the same value is in the form more than 3 times, it will ban in earlier versions. In later versions you collect points for 'violations', and if your score is high enough, you get banned. So if the only violation you have on a form is too many times the same value, you do not get banned in new versions.

In the version you already have you are able to increase the number of times the same IP can submit forms - simply change the value in Settings, Web&HTTP, Security - set it to i.e. 1000.

So it seems to be only the same value issue that would qualify for an upgrade - or maybe change the form to not collect i.e. the same mail address so many times - seems a little redundant anyways.

You can also disable IP banning for SQL injection - that will also prevent them from being banned - but they will still receive a 404 when submitting 'bad' forms...

BR Nicolai
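To make the difference between the two behaviours Nicolai describes concrete, here is an added example (not Dynamicweb code, and not from this thread): a small form checker in Python where the older rule bans on any violation, while the newer rule sums points per violation and bans only over a threshold. The limits, point values, injection patterns and sample forms are all assumptions chosen for illustration.

```python
import re
from collections import Counter

# All limits and point values below are assumptions for illustration, not Dynamicweb's settings.
REPEATED_VALUE_LIMIT = 3        # same value more than this many times in one form is a violation
SUBMITS_PER_IP_LIMIT = 1000     # per-IP submit limit, raised as suggested in the thread
INJECTION_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"\bunion\b.*\bselect\b", r"<script\b", r"'\s*(or|and)\s+\d+\s*=\s*\d+")
]
POINTS = {"repeated_value": 1, "too_many_submits": 2, "injection": 5}
BAN_THRESHOLD = 5


def find_violations(form, submits_from_ip):
    """Return a list of (kind, detail) tuples for everything suspicious in one submission."""
    violations = []
    # Count identical non-empty values across all fields (case-insensitive, trimmed).
    counts = Counter(v.strip().lower() for v in form.values() if v.strip())
    for value, n in counts.items():
        if n > REPEATED_VALUE_LIMIT:
            violations.append(("repeated_value", f"{value!r} appears {n} times"))
    if submits_from_ip > SUBMITS_PER_IP_LIMIT:
        violations.append(("too_many_submits", f"{submits_from_ip} submits from this IP"))
    for key, value in form.items():
        for pat in INJECTION_PATTERNS:
            if pat.search(value):
                violations.append(("injection", f"{key}={value!r} matched /{pat.pattern}/"))
    return violations


def legacy_decision(violations):
    """Older behaviour as described in the thread: any violation bans the IP outright."""
    return "ban" if violations else "allow"


def scored_decision(violations):
    """Newer behaviour: violations accumulate points; the IP is banned only over a threshold."""
    score = sum(POINTS[kind] for kind, _ in violations)
    return ("ban" if score >= BAN_THRESHOLD else "allow"), score


# Constructed sample: a contact form with several "repeat your e-mail" style fields.
REDUNDANT_EMAIL_FORM = {
    "name": "Lars",
    "email": "lars@example.com",
    "email_repeat": "lars@example.com",
    "billing_email": "lars@example.com",
    "notify_email": "lars@example.com",
}

# Constructed sample: a classic injection probe in a free-text field.
INJECTION_FORM = {"name": "x", "comment": "x' OR 1=1 --"}

if __name__ == "__main__":
    for label, form in (("redundant e-mail", REDUNDANT_EMAIL_FORM), ("injection", INJECTION_FORM)):
        v = find_violations(form, submits_from_ip=12)
        print(label, "| legacy:", legacy_decision(v), "| scored:", scored_decision(v), "|", v)
```

Run as a script, the redundant e-mail form is banned under the legacy rule but only scores 1 point under the scoring rule, which is the case the customer hit; the injection probe is banned under both. The exact field names a real deployment excludes from checks (the "ignored fields" list mentioned later in the thread) would be applied before `find_violations` sees the form.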

 
Lars Larsen

Hi Nicolai

Thanks for clarifying. We had already increased the number of times a form can be submitted from the same IP. And removed "Repeat your e-mail" fields.

But what about an option for whitelisting IPs in order to avoid blocking?

 
Nicolai Pedersen

Yes, we could add a whitelist... But it is also a security breach in itself - since you can semi-spoof bad requests by adding fake X-Forwarded-For headers to requests. So enabling whitelists of IPs would potentially open a door for clever hackers... It could be implemented in a way though, that the IP will not be banned, but the request would be stopped anyway.

Comments?

BR Nicolai
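The X-Forwarded-For concern above is worth seeing in code. The following is an added example in Python, not Dynamicweb code and not from this thread: it contrasts a naive client-IP lookup that believes X-Forwarded-For from anyone (so a whitelisted address can be impersonated) with one that honours the header only when the TCP peer is a known proxy, and it sketches the compromise Nicolai proposes, where a whitelisted IP is never written to the ban list but its bad request is still rejected. The proxy range, the office IP and the sample requests are assumptions.

```python
import ipaddress

# Assumed deployment facts for the example: the reverse proxy lives in 10.0.0.0/8 and the
# customer's office egress IP is 203.0.113.10. Neither value comes from the thread.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
WHITELIST = {ipaddress.ip_address("203.0.113.10")}


def naive_client_ip(remote_addr, headers):
    """The mistake the thread warns about: believe X-Forwarded-For from any peer."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        try:
            return ipaddress.ip_address(xff.split(",")[0].strip())
        except ValueError:
            pass
    return ipaddress.ip_address(remote_addr)


def client_ip(remote_addr, headers, trusted_proxies=TRUSTED_PROXIES):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy, and then use only
    the entry that proxy appended (the last one); anything earlier was supplied by the client."""
    peer = ipaddress.ip_address(remote_addr)
    xff = headers.get("X-Forwarded-For")
    if xff and any(peer in net for net in trusted_proxies):
        try:
            return ipaddress.ip_address(xff.split(",")[-1].strip())
        except ValueError:
            return peer
    return peer


def enforce(ip, is_bad_request, banned_ips):
    """The compromise suggested in the thread: a whitelisted IP is never added to the ban
    list, but its bad request is still rejected (the caller would send the notification)."""
    if not is_bad_request:
        return "allow"
    if ip in WHITELIST:
        return "block_request"      # rejected, but no _BannedIps entry written
    banned_ips.add(ip)
    return "ban"


# Constructed requests. An attacker at 198.51.100.7 forges the header to impersonate the office.
SPOOFED_DIRECT = ("198.51.100.7", {"X-Forwarded-For": "203.0.113.10"})
# Same forgery, but arriving through the proxy, which appends the real peer address.
SPOOFED_VIA_PROXY = ("10.0.0.5", {"X-Forwarded-For": "203.0.113.10, 198.51.100.7"})
# A genuine office request through the proxy.
GENUINE_VIA_PROXY = ("10.0.0.5", {"X-Forwarded-For": "203.0.113.10"})

if __name__ == "__main__":
    cases = {"spoofed direct": SPOOFED_DIRECT, "spoofed via proxy": SPOOFED_VIA_PROXY,
             "genuine via proxy": GENUINE_VIA_PROXY}
    banned = set()
    for name, (peer, hdrs) in cases.items():
        ip = client_ip(peer, hdrs)
        print(f"{name:18} naive={naive_client_ip(peer, hdrs)} strict={ip} "
              f"-> {enforce(ip, True, banned)}")
    print("banned:", sorted(map(str, banned)))
```

With the naive lookup, the direct spoof resolves to the whitelisted office address and would escape banning entirely; with the strict lookup it resolves to the real peer and is banned as before. Which X-Forwarded-For entry to trust depends on how many proxy hops sit in front of the application, and a whitelist is only as strong as that resolution, which is the weakness Nicolai points at.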

 
Lars Larsen

Hi Nicolai

If a whitelisted IP does not get banned but subsequent requests are just blocked (resulting in an email notification), that would be an OK solution. Better than the way it works at the moment.

 
Mikkel Ulstrup

Hi,

Did this whitelist ever become a feature request, and if so, for what version?

Kind regards

Mikkel Ulstrup

 
Nicolai Pedersen

Not yet. But we are not really fans of that option - it is a security breach, it is a bad fix for something which is not right, and it will be used by "security" companies to give us fail reports...

This should not happen for your users - if it does, it is because they do something they should not - or if you have a specific scenario where some 'bad' data is sent to DW by design. The latter can be handled by adding the name of that field/key/cookie to the list of ignored fields.

BR Nicolai

 
Mikkel Ulstrup

Understandably.

Maybe some additional information in the bannedIp log then. As it is, we can see that they got banned, and sometimes it shows the reason. Maybe we can get information about what was submitted in the form, which form it was, etc.?

Our customers can't relate to "some security parameters were met, and so they got blocked". Especially if it is their customers (and sometimes known customers) getting blocked.

Might also help reporting to you, if some values get caught in the spam filter, that shouldn't have.

 

Kind regards

Mikkel Ulstrup

 
Nicolai Pedersen

Yes - the eventviewer contains more information, and in 9.7 it also has the URL. It is not just forms that cause this - it can be any request. The eventviewer contains information on the key (in request.form/querystring/header/cookie) and value that was blocked, and by what expression in the injection checks.

You can set up Dynamicweb to receive an email when some IP is blocked, and you can see exactly what was in the request and on what page.

 
Mikkel Ulstrup

Great, we will look into this. Thank you!

 
