WebApp Sec mailing list archives
RE: Script Based Attacks & Form Hacks
From: "Jose Varghese" <jose.varghese () paladion net>
Date: Fri, 22 Jul 2005 17:19:17 +0530
Hi An interesting article on Captcha,Gimpy and BaffleText in Palisade http://palisade.paladion.net/issues/2004Nov/captchas-gimpys/ Jose Varghese Paladion Networks Application Security Magazine http://palisade.paladion.net -----Original Message----- From: amit kukreti [mailto:avmit702 () hotmail com] Sent: Friday, July 22, 2005 2:34 PM To: seclists () securinews com; wopazar () gmail com Cc: webappsec () securityfocus com Subject: Re: Script Based Attacks & Form Hacks Hi list http://www.webappsec.org/whitepapers.shtml has got a good white paper on stopping the automated attacks Regards Paul
From: Paul Kurczaba <seclists () securinews com> To: Chad Maniccia <wopazar () gmail com> CC: webappsec () securityfocus com Subject: Re: Script Based Attacks & Form Hacks Date: Thu, 21 Jul 2005 22:06:05 -0400 To prevent automatic form submissions I use a custom written implementation of CAPTCHA (http://www.captcha.net/). This prevents robots from automatically setting up accounts. Many web developers do use client side JavaScript for controlling form submission data (ex. making sure all text boxes are filled, verifying email address structure, etc.) This is unprofessional and (could be) insecure. The form verification should be done on the server side. The following page I have set up: http://www.securinews.com/login/register.htm uses CAPTCHA to help prevent automatic submissions. If the CAPTCHA string is not entered, the form will not be processed by the server. You are free to create a Java program to test bypassing CAPTCHA. -Paul Chad Maniccia wrote:Hi List, One thing I have not heard any one discuss is the use of automated scripts and form hacking. I could easily write a Java program to attack any ASP,JSP,PHP etc.. simply by viewing the page source to find the parameters the form processor will be looking for. You could use this to fill up some ones database with garbage bring the server to a standstill or worse yet bypass all the fancy javascript you had on the calling page. Some web applications actually use javascript to calcualte currency transactions. What ideas do you guys have to protect yourself from these? Thanks, Chad
_________________________________________________________________ Don't just search. Find. Check out the new MSN Search! http://search.msn.click-url.com/go/onm00200636ave/direct/01/
Current thread:
- Re: Script Based Attacks & Form Hacks, (continued)
- Re: Script Based Attacks & Form Hacks Stephen de Vries (Jul 22)
- Re: Script Based Attacks & Form Hacks Paul Kurczaba (Jul 21)
- Re: Script Based Attacks & Form Hacks Sean Utt (Jul 22)
- Re: Script Based Attacks & Form Hacks Vicente Aguilera (Jul 22)
- Re: Script Based Attacks & Form Hacks Andrew van der Stock (Jul 22)
- Re: Script Based Attacks & Form Hacks Stephen de Vries (Jul 22)
- Re: Script Based Attacks & Form Hacks Vicente Aguilera (Jul 22)
- Re: Script Based Attacks & Form Hacks Stephen de Vries (Jul 23)
- Re: Script Based Attacks & Form Hacks Christian Martorella (Jul 23)
- RE: Script Based Attacks & Form Hacks Jose Varghese (Jul 22)