Re: [WebDNA] preventing hackers from posting their own (altered)
This WebDNA talk-list message is from 2009.
Toby Cox wrote:
>> sorry if I am dense.. but what stops a hacker from simply making his
>> own form and stuffing the 'nothingToSeeHere' input with that long now
>> url'ed string and manipulating the other vars as he pleases?
>
> nothing at all
>
> The principle is right, but you would need to change the seed or the
> [topsecret] daily/hourly or even more frequently
>
> On one of our sites, we have a similar code to stop people hotlinking
> directly to a flash game
>
> We set a variable that is
> [math][insertHugePrimeNumberHere]%{[date]}[/math] in hidden form, which
> the flash file also requests from another page when the time comes.
>
> You can find huge primes on this site
> http://primes.utm.edu/lists/small/small.html
>
> Another system would be to encrypt the date with some information in the
> form, such as a cart ref
>
> Therefore, your example below becomes name="nothingToSeeHere" value="[url][url][encrypt
> seed=[cart]][date][/encrypt][/url][/url]">
>
> And you pull that out the other side. The key is that the information
> has to change faster than a hacker can put it together, so either
> solution above will work.
>
> TC

Good Points by both... I think you could do a time based (session) forms thing, similar to Toby's, by making the value a date/time stamp, and then only allowing the parsing of the form on the receiving end if the unencrypted value is within the time frame allotted for the posting of the form. That would help anyway... but if you are wanting ultimate protection, I'm guessing the solution is a mixed bag that uses a few methods including some of the ideas mentioned.. such as, bot/script filtering (CAPTCHA), Bob's trick, etc..??

But you are right, I am stumped on an "easy" ([referrer]) like solution that is foolproof. Perhaps there is one, but I don't know of one off the top of my head.

Authentication? ;-)

Donovan

--
=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o
DONOVAN D. BROOKE
EUCA Design Center
PH: (608) 770-3822
WEB: http://www.euca.us
=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o
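The time-window check Donovan describes, written out as an added example that is not from the thread or from WebDNA: the hidden field carries a timestamp and the cart ref plus an HMAC (used here in place of WebDNA's `[encrypt seed=...]`), and the receiving page only accepts the post if the MAC verifies, the cart ref matches, and the stamp is inside the allotted window. The secret, cart ref and window length are constructed values.

```python
import base64
import hashlib
import hmac
import time

# Constructed server-side secret standing in for Toby's [topsecret] seed.
# Rotating it invalidates every outstanding form token at once.
SECRET = b"constructed-example-seed-rotate-me"
WINDOW_SECONDS = 600  # how long a rendered form stays postable


def make_token(cart, now=None):
    """Value for the hidden field: "<timestamp>:<cart>:<hex mac>", base64url."""
    ts = int(now if now is not None else time.time())
    msg = f"{ts}:{cart}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(msg + b":" + mac.encode()).decode()


def check_token(token, cart, now=None, window=WINDOW_SECONDS):
    """Receiving side. Returns (ok, reason); parse the form only when ok."""
    try:
        raw = base64.urlsafe_b64decode(token.encode()).decode()
        payload, mac = raw.rsplit(":", 1)      # mac is the last field
        ts_s, tok_cart = payload.split(":", 1)  # timestamp is the first
        ts = int(ts_s)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad mac"        # self-made or edited token
    if tok_cart != cart:
        return False, "cart mismatch"  # token lifted from another cart
    age = (now if now is not None else time.time()) - ts
    if age < 0 or age > window:
        return False, "expired"        # stale form, or clock far ahead
    return True, "ok"


if __name__ == "__main__":
    tok = make_token("cart-42")
    print(tok)
    print(check_token(tok, "cart-42"))
```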