Re: [WebDNA] preventing hackers from posting their own (altered)

This WebDNA talk-list message is from 2009.
Toby Cox wrote:
>> sorry if I am dense.. but what stops a hacker from simply making his
>> own form and stuffing the 'nothingToSeeHere' input with that long now
>> url'ed string and manipulating the other vars as he pleases?
>
> nothing at all
>
> The principle is right, but you would need to change the seed or the
> [topsecret] daily/hourly or even more frequently
>
> On one of our sites, we have a similar code to stop people hotlinking
> directly to a flash game
>
> We set a variable that is
> [math][insertHugePrimeNumberHere]%{[date]}[/math] in hidden form, which
> the flash file also requests from another page when the time comes.
>
> You can find huge primes on this site
> http://primes.utm.edu/lists/small/small.html
>
> Another system would be to encrypt the date with some information in the
> form, such as a cart ref
>
> Therefore, your example below becomes name="nothingToSeeHere" value="[url][url][encrypt
> seed=[cart]][date][/encrypt][/url][/url]">
>
> And you pull that out the other side. The key is that the information
> has to change faster than a hacker can put it together, so either
> solution above will work.
>
> TC

Good points by both...

I think you could do a time-based (session) forms thing, similar to Toby's, by making the value a date/time stamp, and then only allowing the parsing of the form on the receiving end if the unencrypted value is within the time frame allotted for the posting of the form.

That would help anyway... but if you are wanting ultimate protection, I'm guessing the solution is a mixed bag that uses a few methods including some of the ideas mentioned, such as bot/script filtering (CAPTCHA), Bob's trick, etc.?? But you are right, I am stumped on an "easy" ([referrer])-like solution that is foolproof. Perhaps there is one, but I don't know of one off the top of my head.

Authentication? ;-)

Donovan

--
=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o
DONOVAN D. BROOKE
EUCA Design Center
PH:> (608) 770-3822
WEB:> http://www.euca.us
=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o
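The time-limited, cart-bound hidden value that Toby and Donovan describe, written out as an added Python example (not code from the list or from WebDNA): it uses a keyed HMAC in place of WebDNA's [encrypt], and the server secret, cart refs, posting window and timestamps are constructed assumptions.

```python
import base64
import hashlib
import hmac

# Constructed server-side secret: plays the role of the seed/[topsecret] value the
# thread says must never appear in the form itself (assumption, not WebDNA's API).
SERVER_SECRET = b"hypothetical-server-secret-rotate-me"
WINDOW_SECONDS = 600  # assumed time frame allotted for posting a rendered form


def make_form_token(cart_ref: str, issued_at: int, secret: bytes = SERVER_SECRET) -> str:
    """Value for the hidden 'nothingToSeeHere' input: the issue timestamp plus a
    keyed MAC that binds it to the cart ref. Without the secret, a home-made form
    cannot carry a valid MAC for an altered cart ref or a freshened timestamp."""
    mac = hmac.new(secret, f"{cart_ref}|{issued_at}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(f"{issued_at}|".encode() + mac).decode()


def check_form_token(token: str, cart_ref: str, now: int, secret: bytes = SERVER_SECRET,
                     window: int = WINDOW_SECONDS) -> tuple[bool, str]:
    """Receiving-end gate: parse the posted form only if the MAC verifies for this
    cart ref and the embedded timestamp lies inside the allotted window."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        ts_bytes, _, mac = raw.partition(b"|")  # digits never contain '|', so the first one is the separator
        issued_at = int(ts_bytes)
    except (ValueError, TypeError):
        return False, "malformed token"
    expected = hmac.new(secret, f"{cart_ref}|{issued_at}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return False, "mac mismatch (form or cart ref altered)"
    if not 0 <= now - issued_at <= window:
        return False, "outside posting window"
    return True, "ok"


def demo() -> dict:
    """Constructed walk-through: a legitimate post, an altered cart ref, an expired
    form, and a token minted with a guessed secret."""
    issued = 1_700_000_000
    token = make_form_token("cart-4711", issued)
    return {
        "legit": check_form_token(token, "cart-4711", issued + 30)[0],
        "altered_cart": check_form_token(token, "cart-9999", issued + 30)[0],
        "expired": check_form_token(token, "cart-4711", issued + WINDOW_SECONDS + 1)[0],
        "wrong_secret": check_form_token(make_form_token("cart-4711", issued, b"guess"),
                                         "cart-4711", issued + 30)[0],
    }
```

Only the legitimate post passes; the other three are rejected before the form is parsed, which is the gate Donovan describes.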