maxlerebourg / crowdsec-bouncer-traefik-plugin

Traefik plugin for Crowdsec - WAF and IP protection

[FEATURE] Support Captcha and Appsec mode at the same time

mathieuHa opened this issue · comments

Is your feature request related to a problem? Please describe. 🐛
Currently, if appsec is enabled, captcha remediation is never called.

if bouncer.appsecEnabled {
        // A non-nil result from appsecQuery always leads straight to the ban response;
        // the remediation handler (ban or captcha) is never reached on this path.
        if err := appsecQuery(bouncer, remoteIP, req); err != nil {
                bouncer.log.Debug(fmt.Sprintf("handleNextServeHTTP ip:%s isWaf:true %s", remoteIP, err.Error()))
                handleBanServeHTTP(bouncer, rw)
                return
        }
}

Describe the solution you'd like ✨
If appsec is enabled, it should call handleRemediationServeHTTP, which decides what remediation to call (ban or captcha).

However, should we cache that the captcha has been completed by the user?
If a malicious user completes a captcha manually and is then cached in the allow list, they can use auditing tools with no additional checks from appsec.

If we don't cache and appsec returns a false positive on some pages, the user experience would not be great, as the user would have to do a captcha each time he visits this one page.

A last solution could be to cache the user IP and the page accessed, for instance, to get in the middle.

We're open to suggestions on this.
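As an added example (not the plugin's own code), the "middle" option sketched above: the AppSec verdict goes through a remediation decision instead of straight to a ban, and a captcha completion is cached per client IP and page with a TTL, so it unlocks only that page and other paths from the same IP are still challenged. The names CaptchaCache, Decide, MarkSolved, IsSolved and the "ip|path" cache key are assumptions for this example, not the project's API.

```go
package main

import (
	"sync"
	"time"
)

type Remediation string // action chosen once AppSec has flagged a request

const (
	Allow   Remediation = "allow"
	Ban     Remediation = "ban"
	Captcha Remediation = "captcha"
)

// CaptchaCache records completions per (client IP, path): a solved captcha
// unlocks only the page it was solved on, and only until the TTL elapses.
type CaptchaCache struct {
	mu   sync.Mutex
	ttl  time.Duration
	done map[string]time.Time // "ip|path" -> expiry (assumed key layout)
}

func NewCaptchaCache(ttl time.Duration) *CaptchaCache {
	return &CaptchaCache{ttl: ttl, done: map[string]time.Time{}}
}

// MarkSolved is called after the user passes the captcha served for this page.
func (c *CaptchaCache) MarkSolved(ip, path string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.done[ip+"|"+path] = time.Now().Add(c.ttl)
}

// IsSolved reports whether an unexpired completion exists for this IP and page.
func (c *CaptchaCache) IsSolved(ip, path string) bool {
	c.mu.Lock()
	defer c.mu.Unlock()
	exp, ok := c.done[ip+"|"+path]
	return ok && time.Now().Before(exp)
}

// Decide combines the AppSec verdict with the configured remediation; a cached
// completion short-circuits only captcha remediation, never a ban.
func Decide(c *CaptchaCache, ip, path string, appsecBlocked bool, configured Remediation) Remediation {
	if !appsecBlocked || (configured == Captcha && c.IsSolved(ip, path)) {
		return Allow
	}
	return configured
}
```

The handler would call Decide where the snippet above calls handleBanServeHTTP, and MarkSolved from the captcha callback; the TTL bounds how long a false positive on one page stays silenced for one client.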