RSA WTD Rules for different pages

Question asked by Jeferson Adorno on Jan 16, 2020
Latest reply on Feb 12, 2020 by Jon Watkins

Hi folks, how are you doing?

Recently I needed to create a rule in WTD to evaluate reset-password pages. The reason is that attackers were trying to enumerate these pages: at the end of the URL the site uses a CPF as the user identification (a CPF in Brazil is similar to a social security number and has 11 digits), so the URL is as follows: /v1/password/verifyPassword/01234567890, for instance.

The case here is that malicious users were trying to enumerate the number at the end, so the URL constantly changes. The first thing we thought of was to create a regex to evaluate the page and a counter in this rule, to be used in another rule that checks the counter; if the user hits some threshold, then we would fire an incident. That is good, but it could fire false positives, because a normal user could hit this page and maybe try it a couple of times too, and while trying to change the password the rule would still fire because the regex would match this URL as well.

So we thought: is there a way to store the previous page and check the next page to compare whether they're different, and if so, fire the incident? Another thing that needs to happen is that the rule has to compare just the difference between pages like /v1/password/verifyPassword/01234567890 and /v1/password/verifyPassword/98765432109, and not /v1/success or any other pages; they have to be compared only on this kind of page, without false positives. I would like some insights on how I can achieve that. Thanks in advance.
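One way to express the comparison the question describes, as an added Python example (not WTD rule syntax and not code from the thread): only pages matching the verifyPassword regex take part, the previous identifier is stored per session, and only a change of identifier between two matching pages is counted, so a user retrying the same CPF never reaches the threshold. The session ids, the request list and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of (session_id, requested_path) pairs, in request order.
# Session "s1" is a legitimate user retrying one CPF; "s2" tries several.
SAMPLE_REQUESTS = [
    ("s1", "/v1/password/verifyPassword/01234567890"),
    ("s1", "/v1/password/verifyPassword/01234567890"),
    ("s1", "/v1/success"),
    ("s2", "/v1/password/verifyPassword/01234567890"),
    ("s2", "/v1/success"),
    ("s2", "/v1/password/verifyPassword/98765432109"),
    ("s2", "/v1/password/verifyPassword/11111111111"),
]

# Only pages of exactly this shape are compared; the 11-digit identifier is
# captured so the rule compares identifiers, not whole URLs, and /v1/success
# or any other page falls outside the rule entirely.
VERIFY_RE = re.compile(r"^/v1/password/verifyPassword/(\d{11})$")


def identifier_changes(requests):
    """Per session, count how often the identifier on a matching page differs
    from the identifier on the previous matching page of that session.
    Repeating the same identifier is not a change; non-matching pages are
    skipped without resetting the stored identifier."""
    last_seen = {}                # session -> identifier on last matching page
    changes = defaultdict(int)    # session -> number of identifier changes
    for session, path in requests:
        m = VERIFY_RE.match(path)
        if not m:
            continue
        cpf = m.group(1)
        prev = last_seen.get(session)
        if prev is not None and prev != cpf:
            changes[session] += 1
        last_seen[session] = cpf
    return dict(changes)


def enumeration_alerts(requests, threshold=2):
    """Sessions whose identifier-change count reached the threshold."""
    counts = identifier_changes(requests)
    return sorted(s for s, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(identifier_changes(SAMPLE_REQUESTS))   # {'s2': 2}
    print(enumeration_alerts(SAMPLE_REQUESTS))   # ['s2']
```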
