0

I am building a web app that will first validate a promotion code via AJAX call and then if it is valid, allow the user to fill out the rest of the form, I use KnockoutJS to reveal and hide the elements.

My issue is, what is stopping a sneaky user from building a code generator and pumping the codes into my ajax endpoint until he gets a valid code? What is the recommended way of stopping this abuse?

PS: In the final step of the form I also validate the promotion code server-side just in case.

Improve this question
2
  • 1
    Do you mean computer-generated codes? Implement a Captcha. Then they'll have to guess the codes by hand, one at a time, and validate the input via Captcha each time. Commented May 12, 2015 at 0:44
  • This is the path I decided to take, normally I dont like captcha but the new nocaptcha recaptcha is not bad actually. Commented May 14, 2015 at 1:26

2 Answers 2

Reset to default
1

You could block the user IP address after few attempts within certain period of time (say if certain IP address sends 10 requests over 1 minutes, then block the IP for 10 minutes.

Improve this answer
0

I'm not sure if this is the best idea, but it's a decent start to prevent brute forcing your validator.

Include a random hash with the original form that has to be passed to the endpoint. Keep a counter in non-persistent storage referencing that hash which expires after some reasonably short timeframe.

Then start returning 503 errors after some threshold is met. Finding the sweet spot is hard, but you want to make it easy for a human, but frustrating for a bad user.

Improve this answer

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.