Skip to content

Create Bot_Management_and_Anti-Automation_Cheat_Sheet.md#2148

Merged
jmanico merged 3 commits intoOWASP:masterfrom
KadirArslan:bot-management
May 6, 2026
Merged

Create Bot_Management_and_Anti-Automation_Cheat_Sheet.md#2148
jmanico merged 3 commits intoOWASP:masterfrom
KadirArslan:bot-management

Conversation

@KadirArslan
Copy link
Copy Markdown
Contributor

@KadirArslan KadirArslan commented Apr 30, 2026

This PR contains new CS related to the Bot management.
Bots and AI traffics increased hugely. That's why I thought that It would be great to have single, actionable doc.

Please make sure that for your contribution:

  • In case of a new Cheat Sheet, you have used the Cheat Sheet template.
  • All the markdown files do not raise any validation policy violation, see the policy.
  • All the markdown files follow these format rules.
  • All your assets are stored in the assets folder.
  • All the images used are in the PNG format.
  • Any references to websites have been formatted as [TEXT](URL)
  • You verified/tested the effectiveness of your contribution (e.g., the defensive code proposed is really an effective remediation? Please verify it works!).
  • The CI build of your PR pass, see the build status here.

This PR fixes issue #2147 .

AI Tool Usage Disclosure (required for all PRs)

Please select one of the following options:

  • I have NOT used any AI tool to generate the contents of this PR.
  • I have used AI tools to generate the contents of this PR. I have verified
    the contents and I affirm the results. The LLM used is [llm name and version]
    and the prompt used is [your prompt here]. [Feel free to add more details if needed]

Thank you again for your contribution 😃

mackowski
mackowski reviewed May 5, 2026
View reviewed changes
Comment thread cheatsheets/Bot_Management_and_Anti-Automation_Cheat_Sheet.md Outdated
windowMs: 15 * 60 * 1000, // 15 minutes
max: 5, // 5 attempts per key
keyGenerator: (req) =>
`login:${req.ip}:${req.body?.username ?? 'anon'}`,
Copy link
Copy Markdown
Collaborator

@mackowski mackowski May 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This produces one 5-attempt bucket per (IP, username) pair, which means a single IP can try 5 attempts against an unlimited number of usernames before any limit fires right?

@mackowski mackowski requested a review from jmanico May 5, 2026 14:58
@jmanico
Copy link
Copy Markdown
Member

jmanico commented May 5, 2026

  • Rate limiter keyGenerator (line ~76): As @mackowski noted, 'login:${req.ip}:${req.body?.username ?? 'anon'}' creates one bucket per (IP, username) pair, so a single IP can attempt 5 passwords against unlimited usernames before any limit fires. This also contradicts your own guidance further down ("Apply per-username and per-IP limits with separate windows").

I suggest you drop the code and just describe the control, please.

Also:

  • "Google Web Environment Integrity successors" WEI was withdrawn in 2023 with no shipped successor. Suggest dropping or replacing with "emerging device-attestation APIs."
  • References list: "Multifactor Authentication Cheat_Sheet" → "Multifactor Authentication Cheat Sheet" (underscore typo in display text).

@jmanico jmanico mentioned this pull request May 5, 2026
Closed
@KadirArslan
Copy link
Copy Markdown
Contributor Author

KadirArslan commented May 6, 2026

Thanks @mackowski and @jmanico for the careful review

Rate limiter: I've removed the code block entirely as suggested
WEI: Replaced "Google Web Environment Integrity successors" with "emerging device-attestation APIs." You're right that WEI was withdrawn in 2023.
Typo: Fixed.

Pushed the latest commit.

@jmanico jmanico merged commit 86dae5f into OWASP:master May 6, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jmanico jmanico jmanico approved these changes

@mackowski mackowski mackowski approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@KadirArslan @jmanico @mackowski