Mrenzi

Form with CSRF and Postman flooding requests

Hi! I set up a form in Laravel. I'm currently using version 8.75. This is the form with CSRF protection:

{{ Form::open(['url' => URL::to('support/download-app'), 'method' => 'POST', 'autocomplete' => 'off']) }}
    <div class="input-group">
        <input type="email" name="email" />
        <a href="javascript:void(0)" class="js-submit">Submit</a>
    </div>
{{ Form::close() }}

I submit this form using ajaxSubmit, and it works fine, but I found a problem. Using Postman I can simulate a user flooding the endpoint with lots of requests. We can replicate this by doing a GET request to the page; the attacker then gets the CSRF token and sends multiple POST requests passing the email field and the CSRF token. How can I avoid this?

Thanks in advance, Mark

0 likes
4 replies
gych

You have multiple options, below are some examples:

  • Rate limiting: limit the IP address to calling the POST route, for example, only x times every x minutes.
  • Implement a captcha on your form.
  • Add a honeypot field to your form; bots will fill in all the fields in the form, so you can detect invalid requests when this field is filled in. Spatie has a package for this if you prefer to use that: https://github.com/spatie/laravel-honeypot
1 like
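One way to wire up the first and third suggestions (a per-IP rate limit plus a honeypot field) on the `support/download-app` route from the question, as an added example that is not code from this thread. It assumes Laravel 8.x; the limiter name `download-app` and the honeypot field name `website_url` are my own choices.

```php
<?php
// Added example (not from the thread). Assumes Laravel 8.x.

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Facades\Route;

// 1. In App\Providers\RouteServiceProvider::boot(): a named limiter keyed
//    on client IP. A valid CSRF token does not stop one client from
//    replaying it, so the limit is what bounds the flood.
RateLimiter::for('download-app', function (Request $request) {
    return Limit::perMinute(5)->by($request->ip());
});

// 2. In routes/web.php: apply the limiter and check the honeypot first.
//    The Blade form gets one extra hidden input that real users never see:
//    <input type="text" name="website_url" tabindex="-1" autocomplete="off"
//           style="display:none" aria-hidden="true">
Route::post('support/download-app', function (Request $request) {
    // Honeypot: a filled-in hidden field means an automated submitter.
    // Answer with an empty 204 so the caller learns nothing, and do no work.
    if ($request->filled('website_url')) {
        return response()->noContent();
    }

    $data = $request->validate([
        'email' => ['required', 'email:rfc', 'max:254'],
    ]);

    // ... queue the download e-mail for $data['email'] here ...

    return response()->json(['ok' => true]);
})->middleware(['throttle:download-app']);
```

Requests beyond the limit get an HTTP 429 from the `throttle` middleware; keep the CSRF middleware in place as well, since it still protects users against cross-site posts.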
Mrenzi

@gych Thanks, I think the solution of using a captcha (reCAPTCHA, for example) could be the easiest one. Also the honeypot is really interesting. Thanks

gych

@Mrenzi No problem :) Don't forget to close your thread by selecting the best answer. If you have more questions, don't hesitate to reach out.

jaseofspades88

I would advise you free yourself from the shackles of the Form facade and all of its unnecessary evils.
