How to delay a response in Classic ASP

Submitted by ε祈祈猫儿з on 2021-01-27 03:52:53

Question


I have a site running Classic-ASP and on the login page I would like to delay the response to a failed login attempt (by like 10 seconds) to help prevent brute force attacks on accounts.

Quick google searches show some hacks using SQL server queries that seem hack-tastic.

Is there a good way to do this in classic asp?


Answer 1:


I am not going to answer your specific question, as many have already done so, but there are far better ways of preventing brute force attacks.

For instance:

  1. Why not lock a specific session or IP address out after say 5 (being generous here) failed login attempts? You could lock it out for say 10 minutes. You could even write a "401 Unauthorized" HTTP status and then simply end the response with Response.End.
  2. In a similar fashion, but not even linked to failed logins, you could block requests for the login page more than X times in Y seconds for a specific IP, UserAgent and other client features - ensuring kind of a 'unique' client.
  3. Ignore IP address (it is easily spoofed and can be a proxy server IP), and simply detect the automation of the login attempt. X number of failed logins within Y seconds for a specific username/email address, block it for that username for a set period of time, and end the response.

Just saying there are other options than putting unnecessary load on your server by locking some resources and waiting.

Obviously, doing this at the hardware layer - firewalls etc. would be the preferred option.
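
Option 3 from the answer above, written out as an added example that is not part of the original answer: failures are counted per username in the Application object and the username is refused for a fixed period once the limit is reached, so no request ever sleeps. The limits, the helper names and CredentialsValid (standing in for the site's own password check) are assumptions.

```vbscript
' Added example (not from the answers). Limits and helper names are assumptions.
Const MAX_FAILS = 5        ' failures tolerated per window
Const WINDOW_SECS = 300    ' window in which failures are counted
Const LOCK_SECS = 600      ' lockout length (the answer's "say 10 minutes")

Function ThrottleKey(userName)
    ThrottleKey = "login:" & LCase(Trim(userName))   ' "Bob " and "bob" share a counter
End Function

Function IsLockedOut(userName)
    Dim lockedUntil : lockedUntil = Application(ThrottleKey(userName) & ":until")
    IsLockedOut = False
    If IsDate(lockedUntil) Then IsLockedOut = (Now() < CDate(lockedUntil))
End Function

Sub RecordFailure(userName)
    Dim k, firstFail, fails
    k = ThrottleKey(userName)
    Application.Lock                       ' serialise concurrent requests
    firstFail = Application(k & ":first")
    fails = Application(k & ":count")
    If Not IsDate(firstFail) Then          ' no window yet
        firstFail = Now() : fails = 0
    ElseIf DateDiff("s", firstFail, Now()) > WINDOW_SECS Then   ' window expired
        firstFail = Now() : fails = 0
    End If
    fails = fails + 1
    Application(k & ":first") = firstFail
    Application(k & ":count") = fails
    If fails >= MAX_FAILS Then Application(k & ":until") = DateAdd("s", LOCK_SECS, Now())
    Application.UnLock
End Sub

Sub ClearFailures(userName)
    Dim k : k = ThrottleKey(userName)
    Application.Lock
    Application.Contents.Remove k & ":first"
    Application.Contents.Remove k & ":count"
    Application.Contents.Remove k & ":until"
    Application.UnLock
End Sub

' Login page flow: refuse before the password check is even run.
' CredentialsValid is a placeholder for the site's own password check.
Dim user : user = Request.Form("username")
If IsLockedOut(user) Then
    Response.Status = "401 Unauthorized"
    Response.End
End If
If CredentialsValid(user, Request.Form("password")) Then ClearFailures user Else RecordFailure user
```

Application state lives in one worker process and is lost on recycle, and a key is created for every username submitted, so a busy or multi-server site would keep these counters in its database instead. Locking by username also means anyone who knows a username can lock its owner out for LOCK_SECS.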




Answer 2:


There is another approach, but keep in mind the aforementioned caveats about unnecessarily consumed resources. Here is an approach, though:

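Sub DelayResponse(numberOfseconds)
 Dim WshShell
 Set WshShell=Server.CreateObject("WScript.Shell")
 ' waitfor blocks until the named signal arrives or the /T timeout elapses;
 ' the signal is never sent, so this waits for numberOfseconds seconds.
 WshShell.Run "waitfor /T " & numberOfseconds & " SignalThatWontHappen", , True
End Sub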



Answer 3:


There is the WScript.Sleep method for general purpose VBScript, however, this won't work in the context of ASP.

There are a number of other mechanisms you can use to achieve this, however, they're all effectively "workarounds" as there's no built-in way to cleanly cause an ASP page (running VBScript) to pause itself.

See here:

How do I make my ASP page pause or 'sleep'?

To specifically answer your question of:

Is there a good way to do this in classic asp?

No. There's no good way to do this, and there's only the "hack-tastic" hacks that can be used, however they bring with them all sorts of side-effects and caveats. (See the last part of the "How do I make my ASP page pause or 'sleep'?" link for a specific memory eating, page faulting nasty side-effect.)




Answer 4:


There is no simple way to do so in pure ASP.
Either SQL WAITFOR, or create a simple ActiveX component in VB (or anything) that sleeps.
Note that this will increase load on the server. Sleeping requests keep memory and connections consumed for nothing.




Answer 5:


You can use:

<html>
<head>
    <title>Sleep</title>
</head>
<body>
    <% 

        function Sleep(seconds)
            set oShell = CreateObject("Wscript.Shell")
            cmd = "%COMSPEC% /c timeout " & seconds & " /nobreak"
            oShell.Run cmd,0,1
        End function

        Sleep(5)

        response.write("End") 
    %>
</body>
</html>



Answer 6:


<%
 set shell = CreateObject("WScript.Shell")


 t1 = timer()
 sleep(5)
 t2 = timer()

 response.write "waited "& t2-t1 &" secs"


 function sleep(seconds)
    if seconds>=1 then shell.popup "pausing",seconds,"pause",64
 end function
%>



Answer 7:


Another approach to avoid brute force attacks without using IP restrictions is to offer a captcha after the second failed attempt for the same user. This is the way Google does it.




Answer 8:


There is the Response.Buffer option that you can use to tell it to delay returning the response until the page has completed processing, so you could perhaps combine that with some kind of timeout in the script, but it would not be especially elegant especially as VBScript doesn't really offer you a way of asking threads to sleep so you can end up thrashing the CPU.

Maybe better to use a server-side session and javascript on the client, so the client delays the request and the server will only send the response after the expected delay is over. That should provide some server-side safeguards and be useable for users who aren't trying to mess around with your system...




Answer 9:


I'm using this:

function sleep(scs)
    Dim lo_wsh, ls_cmd
    Set lo_wsh = CreateObject( "WScript.Shell" )
    ls_cmd = "%COMSPEC% /c ping -n " & 1 + scs & " 127.0.0.1>nul"
    lo_wsh.Run ls_cmd, 0, True 
End Function

sleep(5) 'wait for 5 seconds

Bye :-)




Answer 10:


For those using MySQL, you can do the following:

Sub SleepMysql(n)

    'Define Query
    Dim SqlStr : SqlStr = "DO SLEEP(" & n & ")"

    'Run Query
    Dim rsTemp : Set rsTemp = YourDatabaseConnection.Execute(SqlStr)

    'Release resources
    Set rsTemp = Nothing

End Sub 'SleepMysql



Answer 11:


In response to the “delay the response” part of your question:

dim SecondsToWait : SecondsToWait = 4
dim StartTime : StartTime = Time()
' Busy-wait: the condition must be on the same line as Do Until.
Do Until DateDiff("s", StartTime, Time(), 0, 0) > SecondsToWait
Loop

Pure Classic ASP without SQL and WScript Shell, but for debug delay purposes only. This is a snippet for testing (very helpful), but it does not address the “good way” part of your question ;-)

This answer is for the sake of completeness and for people looking for (debug) delays. Failed login attempts should not be handled like this.




Answer 12:


Another way you can delay an ASP response is by using this code.

Sub MyDelay(NumberOfSeconds)
Dim DateTimeResume
DateTimeResume= DateAdd("s", NumberOfSeconds, Now())
Do Until (Now() > DateTimeResume)
Loop
End Sub

Call this function by using this code.

Call MyDelay(5)



Answer 13:


Just redirect to a randomly named large image that takes the desired amount of seconds to load.



Source: https://stackoverflow.com/questions/2237393/how-to-delay-a-response-in-classic-asp
