Description
ActiveHashcash protects Rails applications against bots and brute force attacks without annoying humans.
Hashcash is a proof-of-work algorithm, invented by Adam Back in 1997, to protect systems against denial of service attacks. ActiveHashcash is an easy way to protect any Rails application against brute force attacks and bots.
The idea is to force clients to spend some time solving a hard problem that is very easy for the server to verify. We developed ActiveHashcash after seeing brute force attacks against our Rails application monitoring service RorVsWild.
ActiveHashcash is ideal to set up on sensitive forms such as login and registration.
While the user is filling in the form, the problem is solved in JavaScript and the result is set in a hidden input field. The form cannot be submitted until the proof of work has been found. Then the user submits the form, and the stamp is verified by the controller in a before action.
ActiveHashcash alternatives and similar gems
Based on the "Security" category.
- Bearer: Code security scanning tool (SAST) to discover, filter and prioritize security and privacy risks.
- Hashids: A small Ruby gem to generate YouTube-like hashes from one or many numbers. Use hashids when you do not want to expose your database ids to the user.
- Ronin: Ronin is a Free and Open Source Ruby Toolkit for Security Research and Development. Ronin also allows for the rapid development and distribution of code, exploits, payloads, etc., via 3rd party git repositories.
- Rack::UTF8Sanitizer: Rack::UTF8Sanitizer is a Rack middleware which cleans up invalid UTF-8 characters in the request URI and headers.
- ronin-vulns: Tests URLs for Local File Inclusion (LFI), Remote File Inclusion (RFI), SQL injection (SQLi), Cross Site Scripting (XSS), Server Side Template Injection (SSTI), and Open Redirects.
- TSS - Threshold Secret Sharing: A Ruby implementation of Threshold Secret Sharing (Shamir) as defined in IETF Internet-Draft draft-mcgrew-tss-03.txt.
- sessionKeys: A tool for the deterministic generation of unique user IDs and NaCl cryptographic keys from a single username and high entropy passphrase.
- Rack::ContentSecurityPolicy: DISCONTINUED. Rack middleware for declaratively setting the HTTP Content-Security-Policy (W3C CSP Level 2/3) security header to help prevent XSS and other browser based attacks.
README
ActiveHashcash
ActiveHashcash protects your Rails application against brute force attacks, DoS and bots.
Hashcash is a proof-of-work algorithm, invented by Adam Back in 1997, to protect systems against denial of service attacks. ActiveHashcash is an easy way to protect any Rails application against brute force attacks and some bots.
The idea is to force clients to spend some time solving a hard problem that is very easy for the server to verify. We developed ActiveHashcash after seeing brute force attacks against our Rails application monitoring service RorVsWild.
The idea is to enable ActiveHashcash on sensitive forms such as login and registration. While the user is filling in the form, ActiveHashcash performs the work in JavaScript and sets the result in a hidden input field. The form cannot be submitted until the proof of work has been found. The user submits the form, and the stamp is verified by the controller in a before action.
It blocks bots that do not interpret JavaScript since the proof of work is not computed. For the more sophisticated bots, we are happy to slow them down.
Here is a demo on a registration form:
[Active Hashcash GIF preview](demo.gif)
Limitations
The JavaScript implementation is 10 to 20 times slower than the official C version. It needs some work and knowledge to be optimised. Unfortunately, I'm not a JavaScript expert. Maybe you have good JS skills to optimize it?
Installation
Add this line to your application's Gemfile:
```ruby
gem "active_hashcash"
```
Require hashcash from your JavaScript manifest.
```js
//= require hashcash
```
Add a Hashcash hidden field into the form you want to protect.
```erb
<form>
  <%= hashcash_hidden_field_tag %>
</form>
```
Then you have to define `before_action :check_hashcash` in your controller.
```ruby
class SessionController < ApplicationController
  include ActiveHashcash

  # Only the action receiving the form needs to be protected
  before_action :check_hashcash, only: :create
end
```
To customize some behaviour, you can override most of the methods that begin with `hashcash_`. Simply have a look at active_hashcash.rb.
You must have Redis in order to prevent stamps from being double spent; otherwise the protection is useless. It automatically tries to connect using the environment variables `ACTIVE_HASHCASH_REDIS_URL` or `REDIS_URL`.
You can also set the URL manually with `ActiveHashcash.redis_url = "redis://user:password@localhost:6379"`.
You should call `ActiveHashcash::Store#clean` once a day to remove expired stamps.
Complexity
Complexity is the most important parameter. By default its value is 20, which most of the time takes 5 to 20 seconds to solve on a decent laptop. The user won't wait that long, since the problem is solved while they fill in the form. However, if your application's users include people with slow or old devices, consider lowering this value to 16 or 18.
You can change the complexity either with `ActiveHashcash.bits = 20` or by overriding the method `hashcash_bits` in your controller.
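The flow the README describes (the client mints a stamp while the user types, the before action verifies it with a single hash, Redis rejects a stamp the second time it is presented, and `bits` sets the cost) as an added Ruby example. This is illustration code written for this page, not the gem's own implementation; it assumes the standard Hashcash v1 stamp layout and uses an in-memory Set in place of Redis.

```ruby
require "digest"
require "securerandom"
require "base64"
require "set"

# Added example, not the gem's code. Stamps use the standard Hashcash v1 layout
# "ver:bits:date:resource:ext:rand:counter"; a stamp is valid when the SHA-1 of
# the whole string begins with at least `bits` zero bits.
module HashcashDemo
  def self.leading_zero_bits(stamp)
    bits = 0
    Digest::SHA1.digest(stamp).each_byte do |byte|
      return bits + byte.to_s(2).rjust(8, "0").index("1") if byte != 0
      bits += 8
    end
    bits
  end

  # Client side (what the JavaScript does while the user types): brute-force the
  # counter until enough leading zero bits appear. Expected cost is 2**bits hashes.
  def self.mint(resource, bits, date = Time.now.utc.strftime("%y%m%d"))
    salt = Base64.strict_encode64(SecureRandom.random_bytes(8))
    counter = 0
    loop do
      stamp = "1:#{bits}:#{date}:#{resource}::#{salt}:#{counter}"
      return stamp if leading_zero_bits(stamp) >= bits
      counter += 1
    end
  end

  # Server side (what a before_action does): cheap structural checks first, then
  # one hash for the proof of work, then the double-spend check. `seen` stands in
  # for the Redis set the gem requires; a plain Set is an assumption of this demo.
  def self.verify(stamp, resource:, min_bits:, seen:)
    fields = stamp.to_s.split(":", 7)
    return :malformed unless fields.size == 7 && fields[0] == "1"
    return :wrong_resource unless fields[3] == resource
    return :too_easy unless fields[1].to_i >= min_bits
    return :bad_proof unless leading_zero_bits(stamp) >= fields[1].to_i
    return :already_spent if seen.include?(stamp)
    seen << stamp
    :ok
  end
end
```

Minting at 12 bits takes a few thousand hashes, so the demo runs instantly; the README's default of 20 bits is 256 times more work for the client while the server check stays one hash.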
Contributing
Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/active_hashcash.
License
The gem is available as open source under the terms of the MIT License.
Made by Alexis Bernard at Base Secrète.