How to test my Ruby on Rails website against brute force properly?

2018-06-07 00:59:58

I placed a honeypot captcha on my website and I wanted to test it against a brute force attack. So I run Hydra brute force tool using a password list with my actual password in it. Hydra doesn't end up finding the password on my site.
I try Medusa and Ncrack and they don't seem to work well either. I noticed that these programs seem to want a file extension such as www.website.com/login.php instead of just a www.website.com/login directory. Does Rails actually serve an extension in the url? .html, .rb, or anything like that?
This seems like a good thing to me but I know that there is something out there that can run a brute force. I am curious as to how my login page will hold up since I am not running Devise to restrict login attempts.

如果你熟悉使用rspec，selenium，水豚等webkit进行测试，下面是我简单思考的例子：

scenario 'test brute force' do
  usernames = File.readlines('data/usernames.txt')
  passwords = File.readlines('data/passwords.txt')

  usernames.each do |username|
    passwords.each do |password|
      visit customer_login_path
      fill_in('Username', with: username.gsub(/n|r/,''))
      fill_in('Password', with: password.gsub(/n|r/,''))
      click_button('Login')
      expect(page).to have_css('.alert.in.alert-danger', text: 'Username or password is invalid')
    end
  end
end

链接地址: http://www.djcxy.com/p/21664.html

上一篇: 为网站实施“记住我”的最佳方式是什么？

下一篇: 如何正确测试我的Ruby on Rails网站上的暴力？