Handling Multiple Requests from the Same IP in SAP Commerce Cloud

FelipeLima1
Discoverer
396

In SAP Commerce Cloud, it's possible to configure IP blocking. However, is there any standard functionality in SAP Commerce that can detect when an IP is performing an attack (e.g., through multiple suspicious requests) and automatically block that IP?

I'm currently exploring standard solutions for this scenario, but if none are available, I'm considering customizing a filter to detect and block potentially malicious IPs.

Accepted Solutions (0)

Answers (1)

StefanKruk
Active Participant
0 Kudos

Hi,

There are some safety measures in SAP CX Standard.
For example, you can configure the "Max Brute Force Login Attempts" per user group. It will also go up the hierarchy of user groups to find a value.
If nothing is maintained, the login attempts will not be restricted.
If you have multiple user groups assigned with different values, the lowest value will be used.

If you have too many login attempts, your account will be disabled and the customer needs to contact Support to re-enable the account.

Additionally, SAP has a "BruteForceAttackHandler" which is used, for example, for applying vouchers in the "BaseCommerceController":

protected CartData applyVoucherForCartInternal(final String voucherId, final HttpServletRequest request)
       throws NoCheckoutCartException, VoucherOperationException
{
    // Attempts are counted per client IP, with a suffix so voucher attempts
    // do not share a counter with other uses of the handler.
    final String ipAddress = request.getRemoteAddr();
    // registerAttempt returns true once the configured limit for this key is exceeded
    if (bruteForceAttackHandler.registerAttempt(ipAddress + "_voucher"))
    {
       throw new VoucherOperationException("You have entered too many voucher codes. Please try again later.");
    }

    return applyVoucherForCartInternal(voucherId);
}

In the CCv2 Cloud Portal you are also able to configure WAF Settings.
See: https://me.sap.com/notes/0003417716 and https://help.sap.com/docs/SAP_COMMERCE_CLOUD_PUBLIC_CLOUD/0fa6bcf4736c46f78c248512391eb467/5ba356136...

Furthermore, SAP CX has a default "XSSFilter" (de.hybris.platform.servicelayer.web.XSSFilter) which is based on configured regular expression rules. The properties have the following syntax:

xss.filter.rule.<ruleName> = <regEx>

or

<extensionName>.xss.filter.rule.<ruleName> = <regEx>

If a regular expression matches, the matching values will be stripped.
You can also configure the request to be rejected instead via:

xss.filter.action=REJECT

The general and "commercewebservices" rules will also be applied to requests with a JSON body through the "de.hybris.platform.webservicescommons.jaxb.adapters.XSSStringAdapter".

Commercewebservices Rules have the format:

commercewebservices.xss.filter.rule.<ruleName> = <regEx>

and the values will then be stripped from the input.

Kind Regards,
Stefan Kruk
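The custom filter the question mentions can reuse the same BruteForceAttackHandler shown in the answer, so the per-key limit is configured on the handler bean rather than reimplemented. The following is an added example, not code from the post or from SAP; the filter class, the "_request" key suffix, the 429 response and the assumed package de.hybris.platform.commerceservices.security for the handler are the author's assumptions, and the bean must be wired and the filter registered in the web extension's Spring configuration.

```java
// Added example: throttle bursts of requests per client IP using the platform's
// BruteForceAttackHandler. Bean wiring and filter registration are assumed to be
// done in the web extension's spring configuration (hypothetical setup).
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import de.hybris.platform.commerceservices.security.BruteForceAttackHandler; // assumed package

public class IpRateLimitFilter implements Filter
{
    // HTTP 429 Too Many Requests; the constant is not in older javax.servlet versions
    private static final int SC_TOO_MANY_REQUESTS = 429;

    private BruteForceAttackHandler bruteForceAttackHandler;

    @Override
    public void init(final FilterConfig filterConfig) throws ServletException
    {
        // nothing to initialise; the handler is injected via Spring
    }

    @Override
    public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain)
            throws IOException, ServletException
    {
        final HttpServletRequest httpRequest = (HttpServletRequest) request;
        final HttpServletResponse httpResponse = (HttpServletResponse) response;

        // Caveat: behind the CCv2 WAF or any reverse proxy, getRemoteAddr() returns the
        // proxy's address, so all clients would share one counter. Resolve the client IP
        // from the proxy's forwarded header only if that proxy is trusted to set it.
        final String ipAddress = httpRequest.getRemoteAddr();

        // Same pattern as the voucher controller: the key suffix keeps this counter
        // separate from the "_voucher" counter; true means the limit is exceeded.
        if (bruteForceAttackHandler.registerAttempt(ipAddress + "_request"))
        {
            httpResponse.sendError(SC_TOO_MANY_REQUESTS, "Too many requests. Please try again later.");
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }

    public void setBruteForceAttackHandler(final BruteForceAttackHandler handler)
    {
        this.bruteForceAttackHandler = handler;
    }
}
```

Note that registerAttempt counts every request, so on a high-traffic endpoint the handler's limit must be sized for legitimate burst rates, and the WAF settings mentioned above remain the first line of defence.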