tracker issue : CF-4126664

Title:

ColdFusion Request Throttling For Better Security / Performance


Status/Resolution/Reason: Closed/Deferred/EnhancementRequired

Reporter/Name(from Bugbase): Travis Walters / Travis Walters (Travis Walters)

Created: 03/09/2016

Components: Security

Versions: 2016

Failure Type: Unspecified

Found In Build/Fixed In Build: Alpha_v12 /

Priority/Frequency: Minor / Unknown

Locale/System: English / Win All

Vote Count: 0

Hey There,

I was reading over the OWASP Top Ten Security Cheat Sheet found here:
https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet

I was reading the part where it says "Consider the use of a "governor" to regulate the maximum number of requests per second / minute / hour that this user may perform. For example, a typical banking user should not perform more than ten transactions a minute, and one hundred per second is dangerous and should be blocked."

How about we have some cfapplication variables like sessionMaxRequestsPerSecond, sessionMaxRequestsPerMinute, and sessionMaxRequestsPerHour to set some default request throttling limits. From there, it would be nice to have some functions to update those limits for specific users based upon their sessionid; those functions can be used on pages like a login or registration page where members may have higher throttling limits based on what user type they are associated with. It would also be nice to have a function to disable throttling for a specific user. 

So what happens when a user exceeds a set limit? Should they be banned and if so, for how long - should it be a set limit? Should they just be redirected to some webpage stating that they have exceeded their request limit? 

Perhaps they should be banned if they exceed sessionMaxRequestsPerSecond, sessionMaxRequestsPerMinute, and sessionMaxRequestsPerHour; having said that, maybe we can have a variable like sessionRequestsLimitWarningPercentage where we could set a percentage of the max level to initiate some warning page?

Throttling would be nice especially for websites being attacked by brute force, etc. 

There is probably some way to do this at IIS, Apache, or whatever web server you use, but since this version of ColdFusion is focusing on security issues as one of its main concerns, I thought I would suggest this.

Sincerely,
Travis Walters
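The governor the report sketches (per-session limits for three windows, a warning threshold as a percentage of each limit, per-session overrides and an opt-out) can be modelled language-neutrally. The following is an added example written for this page in Python, not ColdFusion code and not anything Adobe implemented; the class and method names, the numeric defaults and the choice to keep counting blocked requests so a session stays blocked until the window drains are all assumptions made here.

```python
import time
from collections import deque

# Default limits, named after the cfapplication settings proposed in the report.
# The numeric values and the 80% warning threshold are constructed for this example.
DEFAULT_LIMITS = {"sessionMaxRequestsPerSecond": 10,
                  "sessionMaxRequestsPerMinute": 100,
                  "sessionMaxRequestsPerHour": 1000}
WINDOW_SECONDS = {"sessionMaxRequestsPerSecond": 1,
                  "sessionMaxRequestsPerMinute": 60,
                  "sessionMaxRequestsPerHour": 3600}


class SessionGovernor:
    """Sliding-window request governor keyed by session id (hypothetical design)."""

    def __init__(self, defaults=None, warning_percentage=80):
        self.defaults = dict(DEFAULT_LIMITS, **(defaults or {}))
        self.warning_percentage = warning_percentage  # sessionRequestsLimitWarningPercentage
        self._limits = {}  # sessionid -> per-session limits, or None when throttling is disabled
        self._hits = {}    # sessionid -> deque of request timestamps, oldest first

    def set_session_limits(self, sessionid, **overrides):
        """Raise or lower limits for one session, e.g. after login based on user type."""
        self._limits[sessionid] = dict(self.defaults, **overrides)

    def disable_throttling(self, sessionid):
        self._limits[sessionid] = None

    def check(self, sessionid, now=None):
        """Record one request and return 'allow', 'warn' or 'block'.

        Blocked requests are still counted, so a session that exceeds a limit
        stays blocked until enough old requests age out of that window.
        """
        now = time.time() if now is None else now
        limits = self._limits.get(sessionid, self.defaults)
        if limits is None:
            return "allow"
        hits = self._hits.setdefault(sessionid, deque())
        while hits and now - hits[0] >= WINDOW_SECONDS["sessionMaxRequestsPerHour"]:
            hits.popleft()  # forget requests older than the longest window
        hits.append(now)
        status = "allow"
        for name, window in WINDOW_SECONDS.items():
            count = sum(1 for t in hits if now - t < window)
            if count > limits[name]:
                return "block"
            if count * 100 >= limits[name] * self.warning_percentage:
                status = "warn"  # nearing the limit: time to show a warning page
        return status
```

In a real deployment the per-session state would live in a shared store rather than process memory, and the "warn" result would be what drives the warning page the report asks about.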

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	4126664

External Customer Info:
External Company:  
External Customer Name: Travis Walters
External Customer Email: TWALTERS84@HOTMAIL.COM
External Test Config:

Attachments:

Comments:

Adding BUG AUDIT TRAIL ********
action: updated fieldName: Priority newValue: 1 oldValue: 0 oprid: vmannebo recordName: RQ_DEFECT timpestamp: 2016-02-16 03:15:00.0
action: updated fieldName: Fix By Product Milestone newValue: Gold Master oldValue: Blank oprid: vmannebo recordName: RQ_DEFECT timpestamp: 2016-02-14 15:35:33.0
action: updated fieldName: Fix By Milestone newValue: Gold Master oldValue: Blank oprid: vmannebo recordName: RQ_DEFECT timpestamp: 2016-02-14 15:35:33.0
action: updated fieldName: Owner newValue: Blank oldValue: preethi oprid: vmannebo recordName: RQ_DEFECT timpestamp: 2015-09-08 06:21:23.0
action: updated fieldName: Date Closed newValue: 2015-09-07 23:21:23.0 oldValue: Blank oprid: vmannebo recordName: RQ_DEFECT timpestamp: 2015-09-08 06:21:23.0
action: updated fieldName: Date Deferred newValue: 2015-09-07 23:21:23.0 oldValue: Blank oprid: vmannebo recordName: RQ_DEFECT timpestamp: 2015-09-08 06:21:23.0
action: updated fieldName: Reason newValue: EnhancementRequired oldValue: Blank oprid: vmannebo recordName: RQ_DEFECT timpestamp: 2015-09-08 06:21:23.0
action: updated fieldName: State newValue: Closed oldValue: Open oprid: vmannebo recordName: RQ_DEFECT timpestamp: 2015-09-08 06:21:23.0
action: updated fieldName: Status newValue: Deferred oldValue: Unverified oprid: vmannebo recordName: RQ_DEFECT timpestamp: 2015-09-08 06:21:23.0
action: updated fieldName: Closed By newValue: vmannebo oldValue: Blank oprid: vmannebo recordName: RQ_DEFECT timpestamp: 2015-09-08 06:21:23.0
Comment by CFwatson U.
3557 | March 09, 2016 04:29:39 AM GMT
Added By: PreRelease User  User Name: Travis Walters  Note Added: Entered Feature.  Date Added: 2015-07-26 16:32:33.0
Comment by CFwatson U.
3558 | March 09, 2016 04:29:41 AM GMT