From: Paul Kurczaba <seclists () securinews com>
To: Chad Maniccia <wopazar () gmail com>
CC: webappsec () securityfocus com
Subject: Re: Script Based Attacks & Form Hacks
Date: Thu, 21 Jul 2005 22:06:05 -0400
To prevent automatic form submissions I use a custom written implementation
of CAPTCHA (http://www.captcha.net/). This prevents robots from
automatically setting up accounts. Many web developers do use client side
JavaScript for controlling form submission data (ex. making sure all text
boxes are filled, verifying email address structure, etc.) This is
unprofessional and (could be) insecure. The form verification should be
done on the server side.
The following page I have set up:
http://www.securinews.com/login/register.htm
uses CAPTCHA to help prevent automatic submissions. If the CAPTCHA string
is not entered, the form will not be processed by the server. You are free
to create a Java program to test bypassing CAPTCHA.
-Paul
Chad Maniccia wrote:
Hi List,
One thing I have not heard any one discuss is the use of automated
scripts and form hacking. I could easily write a Java program to
attack any ASP,JSP,PHP etc.. simply by viewing the page source to find
the parameters the form processor will be looking for. You could use
this to fill up some ones database with garbage bring the server to a
standstill or worse yet bypass all the fancy javascript you had on the
calling page. Some web applications actually use javascript to
calcualte currency transactions.
What ideas do you guys have to protect yourself from these?
Thanks,
Chad
Intro
