Replay attacks

[florian-milky]

I've been considering using BotD to mitigate malicious attacks such as card testing.
IMO BotD can be an alternative to Captcha.
What I am missing from the docs is that I would like to prevent a potential attacker to generate a legit requestId and then use this requestId in every API call.
Google captcha for example lets you use the request token only once with a validity of 2 minutes.
See their docs:

Each reCAPTCHA user response token is valid for two minutes, and can only be verified once to prevent replay attacks. If you need a new token, you can re-run the reCAPTCHA verification.

Is this something that could be in your roadmap?

[Romchela]

Hi @florian-milky,
Could you clarify your suggestion, please?
The current flow of our product is that you insert BotD script in your website and receive requestId for each user visit, then you can pass this value with every API call of your app and verify the result on your backend. Or you are about a token validity (expiring after 2 minutes and can be used only once)?

[florian-milky]

Hi @Romchela,
Let me explain my use case better.
I want to protect a specific API endpoint against some kind of brute force attack. The attacker would hit the endpoint directly.
I've done a hackfix that is just adding some hash to the request from the website so I know it's coming from there and the endpoint does not work if hit directly (or the attacker reverse engineered my hack).
Now if the attacker was to use some headless browser I would be in trouble, because the request would come from the actual website, right?
In that situation, the solution is to make sure your user is human, right? So far the main solution is to add a captcha, which I would like to avoid.
BotD is interesting because it looks like an alternative (not sure how it works compared to google invisible captcha though), however it lacks protection against replay attacks.
As an attacker, you could visit the website, capture the legit request ID, and then tweak your attack so you hit the endpoint directly with this legit request ID for all endpoint requests.
Google captcha prevents this because it invalidates the request ID once it has been verified (on top of 2 minutes expiring lifetime).
Basically I would like higher protection on specific endpoints rather than light protection on my API as a whole (like captcha)

[Romchela]

Got it. We've already thought about this kind of attack but didn't have time to implement this. I will ping you when we found a solution. Thanks!

[Romchela]

@florian-milky we introduced verifyCounter field in response which shows you number of calls /verify method for the request id. You can forbid requests where value more than 1.

[florian-milky]

Excellent! I'll check it out. Thanks for the update :)