Thursday, May 21, 2009

Enhance website security with ASP.NET AJAX NoBot Control

A common attack is to bombard a site with a large number of requests per second. This type of attack increases the server's response time and makes the system less usable. There are various mechanisms to prevent such attacks; one of them is CAPTCHA. With CAPTCHA, the user (a human) has to enter the code that appears in the image shown (see Figure 1 below). The image may show a code, an arithmetic calculation, etc. Automated programs are thus unable to enter the exact CAPTCHA code, which prevents unwanted requests to the website.

Figure 1

The NoBot Control

NoBot is an ASP.NET AJAX control that provides CAPTCHA-like protection without any human intervention, using simple JavaScript on the client and verification logic on the server. NoBot employs a few different anti-bot techniques:

  • Forcing the client's browser to perform a configurable JavaScript calculation and verifying the result as part of the postback. (Ex: the calculation may be a simple numeric one, or may also involve the DOM for added assurance that a browser is involved)
  • Enforcing a configurable delay between when a form is requested and when it can be posted back. (Ex: a human is unlikely to complete a form in less than two seconds)
  • Enforcing a configurable limit to the number of acceptable requests per IP address per unit of time. (Ex: a human is unlikely to submit the same form more than five times in one minute)
Courtesy: www.asp.net

The NoBot control can be initialized as shown below:

<ajaxToolkit:NoBot
ID="NoBotForLoginPage"
runat="server"
OnGenerateChallengeAndResponse="CustomChallengeResponse"
ResponseMinimumDelaySeconds="2"
CutoffWindowSeconds="60"
CutoffMaximumInstances="5" />

The following properties are optional:
  • OnGenerateChallengeAndResponse - [Optional] EventHandler providing implementation of the challenge/response code
  • ResponseMinimumDelaySeconds - [Optional] Minimum number of seconds before which a response (postback) is considered valid
  • CutoffWindowSeconds - [Optional] Number of seconds specifying the length of the cutoff window that tracks previous postbacks from each IP address
  • CutoffMaximumInstances - [Optional] Maximum number of postbacks to allow from a single IP address within the cutoff window
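The code-behind that goes with the markup above, as an added example rather than the page's own code: it assumes the toolkit's NoBotEventArgs (ChallengeScript, RequiredResponse) and NoBot.IsValid(out NoBotState) API, and the lblBanner, lblMessage and btnLogin control names are made up.

```csharp
using System;
using System.Web.UI;
using AjaxControlToolkit;

public partial class Login : Page
{
    // Handler named in the markup's OnGenerateChallengeAndResponse attribute. The
    // server chooses the challenge script and the answer it expects; the browser
    // must evaluate the script and return the result with the postback.
    protected void CustomChallengeResponse(object sender, NoBotEventArgs e)
    {
        // DOM-based challenge: length of a Label's rendered text plus a per-request
        // random offset, so the answer cannot be replayed and a client without a DOM
        // cannot compute it. lblBanner (assumed) holds plain ASCII text, so its
        // innerHTML equals its Text property exactly.
        int offset = new Random().Next(100, 1000);
        e.ChallengeScript = string.Format(
            "document.getElementById('{0}').innerHTML.length + {1}",
            lblBanner.ClientID, offset);
        e.RequiredResponse = (lblBanner.Text.Length + offset).ToString();
    }

    // Assumed login button handler: the NoBot verdict is checked before any
    // credential is examined, so rejected postbacks never reach authentication.
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        NoBotState state;
        if (!NoBotForLoginPage.IsValid(out state))
        {
            // Fully qualified because Page.Trace is the ASP.NET TraceContext.
            switch (state)
            {
                case NoBotState.InvalidResponseTooSoon:
                    System.Diagnostics.Trace.TraceWarning("NoBot: postback before ResponseMinimumDelaySeconds elapsed");
                    break;
                case NoBotState.InvalidAddressTooActive:
                    System.Diagnostics.Trace.TraceWarning("NoBot: IP exceeded CutoffMaximumInstances in CutoffWindowSeconds");
                    break;
                default:
                    System.Diagnostics.Trace.TraceWarning("NoBot: postback rejected, state = " + state);
                    break;
            }
            // One generic message for every failure; the reason stays in the server log.
            lblMessage.Text = "Unable to process your request. Please try again.";
            return;
        }
        // ... continue with normal credential validation here ...
    }
}
```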

A short video showing the usage of the NoBot control is given below:


Hope this helps you prevent unauthorized access..
Be secure.. Be safe!

2 comments:

Vinil said...

Hello,
I want to block my project at first so that no one can view it nor navigate to other pages intentionally, and after successful logging in, one can navigate throughout the website. Kindly mail me your response to my id
vinci141@gmail.com

Pravesh Singh said...

Very informative post. It's really helpful for me and beginners too. Check out this link too; it also has a nice post with a wonderful explanation of the Ajax Toolkit NoBot control in ASP.Net...
http://mindstick.com/Articles/019e816a-4331-4cd2-bdb0-7da690b0cfea/?Ajax%20Toolkit%20NoBot%20Control%20in%20ASP.Net

Thanks
