An HTTP challenge is a method used to automatically mitigate HTTP based
. The challenge is intended to be passed by legitimate users and to fail the attackers.
One typical challenge works like this: when an HTTP request arrives, the server replies with a 302 Redirect instead of the requested content. A typical user with a web browser passes this challenge automatically, because the browser follows the redirect, while an attack tool that does not implement a full HTTP stack ignores the redirect and simply sends the original request again. A more demanding challenge also sets a cookie in the redirect response: now the client must also store that cookie and resend it with the follow-up request.
- This protection is considered very accurate, predictable and effective.
- A web challenge also blocks legitimate bots, such as web crawlers, which the site does not wish to block. This is because they, too, do not necessarily use a real browser or implement a full HTTP stack. Nevertheless, many organizations are willing to pay this price when under attack.
- More sophisticated attack tools and bots can invest in passing the challenge, or even use real web browsers so that they pass it. This, however, requires the attacker to invest resources on their side and in most cases reduces the attack capacity.
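The redirect-plus-cookie challenge described above, written out as an added example (not code from the original page): a stateless request handler that answers an unproven client with a 302 back to the same URL and a signed, address-bound, expiring cookie, and only passes the request to the origin once that cookie comes back. The request and response dictionaries, the cookie name and the TTL are constructed for the illustration.

```python
import hmac
import hashlib
import secrets
import time
from typing import Optional

# Constructed example of a cookie-based HTTP challenge (hypothetical names).
SECRET = secrets.token_bytes(32)   # per-deployment key; rotate periodically
COOKIE = "chal"                    # challenge cookie name
TTL = 300                          # seconds a challenge cookie stays valid


def issue_token(client_ip: str, now: float) -> str:
    """Build '<expiry>.<hmac>' bound to the client address and an expiry."""
    exp = str(int(now) + TTL)
    mac = hmac.new(SECRET, f"{client_ip}|{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{exp}.{mac}"


def verify_token(token: str, client_ip: str, now: float) -> bool:
    """Accept only an unexpired token whose MAC matches this client address."""
    try:
        exp, mac = token.split(".", 1)
        if int(exp) < now:
            return False
    except ValueError:              # missing, malformed or non-numeric parts
        return False
    expected = hmac.new(SECRET, f"{client_ip}|{exp}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def parse_cookies(header: str) -> dict:
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k] = v
    return out


def handle(request: dict, now: Optional[float] = None) -> dict:
    """Return the challenge (302 + Set-Cookie) or a pass-through marker (200)."""
    now = time.time() if now is None else now
    ip = request["client_ip"]
    cookies = parse_cookies(request["headers"].get("Cookie", ""))
    if verify_token(cookies.get(COOKIE, ""), ip, now):
        return {"status": 200, "passed": True}          # forward to the origin
    return {"status": 302, "passed": False, "headers": {
        "Location": request["path"],                    # redirect to the same URL
        "Set-Cookie": f"{COOKIE}={issue_token(ip, now)}; Path=/; HttpOnly",
        "Cache-Control": "no-store",
    }}
```

A browser follows the Location header and resends the cookie, so its second request reaches the origin; a client that keeps repeating the original request without the cookie keeps receiving the 302 and never does.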