We have implemented CAPTCHA protection on the password recovery page, but we also need to enforce rate limiting on the password recovery function. This will restrict the number of requests allowed per minute, preventing attackers from sending excessive requests and quickly enumerating a large number of email addresses.
For instance, a user is allowed a maximum of 3 attempts per minute for CAPTCHA validation.
Hmmm… The problem with doing it on the page is going to be that you’ll need some way to identify the person sending the excessive requests, in order to rate limit them. I’m guessing that will probably be by IP address.
You might be better off using something externally to block them, like fail2ban.
Thank you for your response, @ccoulson
I only need to limit the user to clicking the button 3 times within a minute. To achieve this, I implemented a timeout in the code that disables the button for 20 seconds after each click. However, it’s not working as expected because clicking the submit button causes the page to refresh, which is the default behavior of the application.
Could you please assist me with this, or do you have any other suggestions for meeting my requirement?
I actually don’t think disabling the button is going to prevent excessive requests as any such attack would be scripted and would bypass any website UI. Also, any user session is tracked by the browser, so if they wanted to bypass the 20 second delay they could just continuously load the page in a new incognito session.
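To illustrate the server-side alternative the thread points at (a limit of 3 recovery requests per minute, keyed by the caller's IP address as ccoulson suggests), here is an added example that is not code from the original posts. It assumes a hypothetical recovery endpoint handler and a constructed client IP; the clock is injectable so the window logic can be checked deterministically.

```python
import time
from collections import defaultdict, deque


class RecoveryRateLimiter:
    """Sliding-window limiter for the password recovery endpoint.

    The counter lives on the server and is keyed by a client identifier
    (the IP address here), so reloading the page, opening a new incognito
    session or scripting the request does not reset it. Disabling the
    submit button in the browser provides none of that."""

    def __init__(self, max_requests=3, window_seconds=60, clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock                      # injectable for testing
        self._hits = defaultdict(deque)         # client_id -> timestamps

    def allow(self, client_id):
        """Return True and record the hit if the client is under the limit."""
        now = self.clock()
        hits = self._hits[client_id]
        while hits and now - hits[0] >= self.window:   # drop expired hits
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


def handle_recovery_request(limiter, client_ip, email):
    """Hypothetical endpoint handler; returns (HTTP status, message).

    The success message is identical whether or not the address exists,
    so a single response leaks nothing about account enumeration."""
    if not limiter.allow(client_ip):
        return 429, "Too many password recovery requests; try again later."
    return 200, "If an account exists for that address, a reset link has been sent."


def simulate_burst(limiter, client_ip, attempts):
    """Send `attempts` scripted requests from one IP; return how many got 200."""
    return sum(
        1 for i in range(attempts)
        if handle_recovery_request(limiter, client_ip, f"user{i}@example.test")[0] == 200
    )


if __name__ == "__main__":
    limiter = RecoveryRateLimiter()
    # Constructed scenario: a script fires 10 requests from 203.0.113.5 in one burst.
    print("accepted:", simulate_burst(limiter, "203.0.113.5", 10))  # accepted: 3
```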