Question - How many request needed to trigger 'TooManyRequestsException'?

[surrealzerg]

Thanks for your reply to my other issue. This is a follow up question.

How many is too many?
In practice, I've never hit it. I've shot 300 login requests at it using BurpSuite Professional's Intruder tool with an invalid password, followed by a valid password. The final request was successful, and the user was logged in. That's an "account lockout" security finding everywhere I've worked.

I'd like to better understand how this is expected to work, so that I can perform a test against it to ensure it is working like that - then modify my implementation to throw this request more easily on a login.

Currently, I just went to cloudflare WAF and set a rate limit on the endpoints I use for the auth object.

[ocram]

Thanks!

The limits should actually be like this for logging in:

• 500 attempts per email address or username per day
• 20 attempts per IP address in the first hour, then 4 attempts per hour

Is this not what happens for you? Can you not reproduce these limits? With what combination of email/username/IP do you get to 300 attempts?

[surrealzerg]

I'm testing against only a single email address - each login request is against the same user and coming from the same IP address. The test environment has no load balancer and no cloudflare, just straight to the origin host. I'm using a single thread to send login requests to ensure the correct password is sent at the end. Burp Suite Professional's Intruder is used to automate sending the requests. Each request is basically a POST to /login.php and sends the email and password in the POST body.

Confirming the below behavior:
300 invalid login requests followed by a valid login request -> User is successfully logged in. I never received a TooManyRequestsException. The attack was completed within 2 minutes.

500 invalid login requests followed by a valid login request -> User is successfully logged in. I never received a TooManyRequestsException. The attack was completed within 3 minutes 30 seconds.

Pretty much what my login.php is doing:

try{
$authPrimary->login($_POST['email'], $_POST['password']);
}
catch (\Delight\Auth\InvalidEmailException $e) {
echo "<script>document.location="https://site.com/login.php?invalid\"</script>";
}
catch (\Delight\Auth\InvalidPasswordException $e) {
echo "<script>document.location="https://site.com/login.php?invalid\"</script>";
}
catch (\Delight\Auth\EmailNotVerifiedException $e) {
echo "<script>document.location="https://site.com/login.php?invalid\"</script>";
}
catch (\Delight\Auth\TooManyRequestsException $e) {
echo "<script>alert("You are sending requests too quickly.")</script>"; // never happens
}

[ocram]

Thanks for running your tests on this!

1. Could you try something like 510 requests instead of exactly 500?
2. In the try block, can you output some message indicating success as well, and check for that as the success condition – instead of “not seeing TooManyRequestsException”?
3. Can you show how that exact instance of Auth for $authPrimary is instantiated?