Using CAPTCHA

Does AWS WAF support CAPTCHA verification? Typical use cases:

  • Protect specific sensitive pages, e.g. /admin, /login

  • Require a CAPTCHA for requests coming from certain countries

  • Rate limiting: trigger the CAPTCHA once a client exceeds N requests per minute

Other rules can be customised as needed.


Suppose the company website has a simple web form that lets users order the company's software. We want to protect this form from bot submissions while still giving site visitors an easy way to fill it in and place an order.

We will use the AWS WAF CAPTCHA feature to ensure that only legitimate users can reach the form hosted at /form.php. Once a user has solved the CAPTCHA challenge, they should have 15 minutes to fill in and submit the form.

Steps

Add a custom rule to the Web ACL:

image-20240101225616962

Rule details

  1. Rule type: Rule builder
  2. Name: captcha-form
  3. Type: Regular rule

image-20240101225704133

When a request matches the statement:

  1. Inspect: URI path
  2. Match type: Exactly matches string
  3. String to match: /form.php
  4. Text transformation:

image-20240101225751288

Then, for the action, choose CAPTCHA:

  1. Tick "Set a custom immunity time for this rule"
  2. Immunity time: 900
  3. Click "Add rule" at the bottom of the page

image-20240101230306075
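The console steps above, and the three scenarios listed at the top of the page, can be expressed as AWS WAFv2 rule JSON, which is what the console produces behind the scenes and what `aws wafv2 update-web-acl --rules file://rules.json` consumes. The Python below is an added example, not code from the page or from AWS. The helper names (captcha_rule, uri_match, geo_match, rate_limit, build_rules, rules_json) are my own; the admin-area, geo and rate rules are constructed illustrations of the intro's other scenarios, the country codes are placeholders, and the rate limit counts requests over AWS's rolling evaluation window (5 minutes unless configured otherwise), not per minute as the intro phrases it.

```python
import json

# Valid range for CaptchaConfig.ImmunityTimeProperty.ImmunityTime (seconds).
IMMUNITY_MIN, IMMUNITY_MAX = 60, 259200


def _visibility(name):
    """CloudWatch metric / sampled-request settings every WAFv2 rule needs."""
    return {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": name,
    }


def captcha_rule(name, statement, priority, immunity_time=900):
    """Wrap a match statement in a rule whose action is CAPTCHA.

    immunity_time is the per-rule immunity window; 900 s is the
    "15 minutes to fill in the form" from the tutorial.
    """
    if not IMMUNITY_MIN <= immunity_time <= IMMUNITY_MAX:
        raise ValueError(
            f"immunity_time must be {IMMUNITY_MIN}..{IMMUNITY_MAX} s, got {immunity_time}")
    return {
        "Name": name,
        "Priority": priority,
        "Statement": statement,
        "Action": {"Captcha": {}},
        "CaptchaConfig": {"ImmunityTimeProperty": {"ImmunityTime": immunity_time}},
        "VisibilityConfig": _visibility(name),
    }


def uri_match(path, constraint="EXACTLY"):
    """Console: Inspect = URI path, Match type = Exactly matches string,
    no text transformation. constraint="STARTS_WITH" covers whole areas
    such as /admin or /login instead of a single file."""
    return {
        "ByteMatchStatement": {
            "FieldToMatch": {"UriPath": {}},
            "PositionalConstraint": constraint,
            "SearchString": path,
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
        }
    }


def geo_match(country_codes):
    """CAPTCHA every request whose source country is in the list."""
    return {"GeoMatchStatement": {"CountryCodes": list(country_codes)}}


def rate_limit(limit):
    """Rate-based statement keyed on source IP. AWS counts requests over a
    rolling window (5 minutes by default), so `limit` is per window."""
    return {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}}


def build_rules():
    """The tutorial's rule first, then constructed rules for the intro's
    other scenarios. Priorities must be unique; lower values run first."""
    return [
        captcha_rule("captcha-form", uri_match("/form.php"), priority=0),
        captcha_rule("captcha-admin-area", uri_match("/admin", "STARTS_WITH"), priority=1),
        # "XX"/"YY" are placeholder ISO codes, not real countries
        captcha_rule("captcha-geo", geo_match(["XX", "YY"]), priority=2),
        captcha_rule("captcha-rate", rate_limit(500), priority=3, immunity_time=300),
    ]


def rules_json():
    """JSON for --rules file://rules.json; update-web-acl additionally needs
    --name, --id, --scope, --default-action, --visibility-config, --lock-token."""
    rules = build_rules()
    if len({r["Priority"] for r in rules}) != len(rules):
        raise ValueError("rule priorities must be unique within a Web ACL")
    return json.dumps(rules, indent=2)


if __name__ == "__main__":
    print(rules_json())
```

Keeping the rule set in a file like this makes the immunity time and match conditions reviewable in version control, which the console screenshots do not give you; an out-of-range immunity time or a duplicate priority is caught locally before the API rejects it.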

Open form.php in a browser; you will see a page asking you to confirm that you are human. Click Begin:

image-20240101230439925

The CAPTCHA is displayed and must be solved:

image-20240101230535175

After successful verification a confirmation message is shown:

image-20240101230549860

You are then redirected to the form page:

image-20240101230652477

If we request form.php directly with curl, a 405 is returned:

image-20240101230814256

The response contains:

<head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title>Human Verification</title>
    <style>
        body {
            font-family: "Arial";
        }
    </style>
    <script type="text/javascript">
    window.awsWafCookieDomainList = [];
    window.gokuProps = {
        "key":"AQIDAHjcYu/GjX+QlghicBgQ/7bFaQZ+m5FKCMDnO+vTbNg96AEXzte4brnDnSysJrxEPhBnAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMyICkOyAVzcQNGCS1AgEQgDtvte97S/wtNehvevDJYkfJW1iWY0xpwfFJSmbINPA6xdkhSr+OXqm5DY0Egmf87eU6gv2F8lRmoT8v7A==",
        "iv":"CgAA2DJfksAAAAIC",
        "context":"TyRj3ETe441K3EOgAerPS2d7ngTTtQT08QBNmC6xFa4MlU0qXl4psuGGNHeyXX3dajnClYpnqxYr2odW1v1bzIppXc97ouwyKgAUCgNYQ1f+xge/bgU8Zgw9aFaR4c1QuIa5+iEXr5M2Wd7TqsZqCQGpf3bwiJVIZWRfdoeQLdSYZ0L2ez/4gJuxzcswSJnyoZoLC/IX+2XshY4zTrnSTTtp6e6qBHnZ7wuPuhuMYAluN5WweuyDOI3Bz4Xs6nspU5adfAnlRTglQ5e6BTEUhJqJI7osY5LILhglv0d/K32LB73etvcQ1gBKXBQHOAYTzZosuABnj7eaS83CFsjea2f3ZKAvm8IyEQ=="
    };
    </script>
    <script src="https://d38beae4b2e0.8d80c9ff.us-east-1.token.awswaf.com/d38beae4b2e0/f4b47a4f1dd9/3b5ade700223/challenge.js"></script>
    <script src="https://d38beae4b2e0.8d80c9ff.us-east-1.captcha.awswaf.com/d38beae4b2e0/f4b47a4f1dd9/3b5ade700223/captcha.js"></script>
</head>
<body>
    <div id="captcha-container"></div>
    <script type="text/javascript">
        AwsWafIntegration.saveReferrer();
        window.addEventListener("load", function() {
            const container = document.querySelector("#captcha-container");
            CaptchaScript.renderCaptcha(container, async (voucher) => {
                await ChallengeScript.submitCaptcha(voucher);
                window.location.reload(true);
            });
        });
    </script>
    <noscript>
        <h1>JavaScript is disabled</h1>
        In order to continue, you need to verify that you're not a robot by solving a CAPTCHA puzzle.
        The CAPTCHA puzzle requires JavaScript. Enable JavaScript and then reload the page.
    </noscript>
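The curl check above is the right way to confirm the rule is enforced, and it is worth scripting so it can run after every Web ACL change. The Python below is an added example, not code from the page or from AWS: it parses a raw `curl -i` capture, recognises the CAPTCHA interstitial by the markers visible in the response above (the awswaf.com challenge/captcha scripts, window.gokuProps, the "Human Verification" title) so that a 405 from WAF is not confused with a 405 from the origin, and models the rule's decision over the 900-second immunity time. The two sample captures are constructed and abbreviated, HOST.example.invalid is a placeholder hostname, and rule_decision is a simplified model of the documented behaviour (the token is issued on solving and honoured for the immunity time on the matched path), not the WAF implementation.

```python
# Strings that identify the AWS WAF CAPTCHA interstitial, taken from the
# response captured above.
CHALLENGE_MARKERS = ("window.gokuProps", "challenge.js", "captcha.js",
                     "Human Verification")

# Constructed, abbreviated capture of `curl -i -s https://HOST.example.invalid/form.php`
# without a solved CAPTCHA. Script paths are placeholders for the per-account ones.
SAMPLE_405 = (
    "HTTP/2 405 \r\n"
    "content-type: text/html\r\n"
    "\r\n"
    "<html><head><title>Human Verification</title>"
    "<script>window.gokuProps = {\"key\":\"PLACEHOLDER\"};</script>"
    '<script src="https://HOST.token.awswaf.com/PLACEHOLDER/challenge.js"></script>'
    '<script src="https://HOST.captcha.awswaf.com/PLACEHOLDER/captcha.js"></script>'
    '</head><body><div id="captcha-container"></div></body></html>'
)

# Constructed capture of the same URL once the browser holds a valid token.
SAMPLE_200 = (
    "HTTP/2 200 \r\n"
    "content-type: text/html\r\n"
    "\r\n"
    "<html><body><form method=\"post\" action=\"/form.php\"></form></body></html>"
)


def parse_http_response(raw):
    """Split a raw capture into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])     # "HTTP/2 405 " -> 405
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_response(raw):
    """Label a capture so an enforcement check can assert on it."""
    status, _headers, body = parse_http_response(raw)
    hits = [m for m in CHALLENGE_MARKERS if m in body]
    if status == 405 and hits:
        return "waf_captcha"        # the rule fired: interstitial served
    if status == 405:
        return "origin_405"         # a plain 405 from the application, not WAF
    if status < 400:
        return "origin_content"     # request reached the form
    return f"error_{status}"


def rule_decision(path, token_age_s=None, protected="/form.php", immunity_s=900):
    """Simplified model of the tutorial rule (assumption, not the WAF code):
    only the protected path is inspected; a request with no token, or with a
    token older than the immunity time, is served the CAPTCHA again."""
    if path != protected:
        return "allow"              # this rule does not match; others may
    if token_age_s is None or token_age_s >= immunity_s:
        return "captcha"
    return "allow"


def session_timeline(ages=(None, 0, 60, 899, 900, 1800)):
    """What one client sees on /form.php: first request (no token), then at
    the given number of seconds after solving the CAPTCHA."""
    return [(age, rule_decision("/form.php", age)) for age in ages]


if __name__ == "__main__":
    print("direct curl :", classify_response(SAMPLE_405))
    print("with token  :", classify_response(SAMPLE_200))
    for age, decision in session_timeline():
        print(f"token age {age!s:>5}s -> {decision}")
```

The timeline makes the 15-minute requirement concrete: the form must be submittable within 900 seconds of solving the challenge, and a request at or beyond that age on /form.php gets the interstitial again, so any form whose expected completion time is longer needs a larger immunity time in the rule.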

References:

https://docs.aws.amazon.com/waf/latest/developerguide/waf-captcha-challenge.html