Re: [WebDNA] preventing hackers from posting their own (altered)

This WebDNA talk-list message is from

2009

It keeps the original formatting. numero = 102025
interpreted = N
texte = This is a cryptographically signed message in MIME format.--------------ms070702080709080800070401Content-Type: text/plain; charset=ISO-8859-1Content-Transfer-Encoding: 7bitI agree with Donovan. A hidden field is as misconception, it's notreally hidden, just not visible in a browser. Any hacker worth his saltattempting to "hack" a form post will look at the "hidden" fields firstand they are quite easy to spoof. Using an encrypted value with a seedwill most certainly stop them in their tracks.I've used that method for years without incident...MarcDonovan Brooke wrote:> Govinda wrote:>> Thanks Gary,>>>> well I had just assumed that [REFERRER] would not get set to the>> actual referring URL when reaching the template with that tag in it>> because of this line from the docs:>> "...Note: this will not work if the previous page was a FORM>> METHOD="POST". ">> But after seeing your post here I tried it and it seems to work fine,>> even with method=post. (why do the docs say that?)>> Assuming [referrer] is reliable in this situation, then I can just>> check against the evaluated tag's value itself.. (and not against an>> incoming hidden input). If I used a hidden input the way you suggest>> then what stops a user from creating a version of the form with a>> hidden input whose value is set to whatever he wants. (including what>> I would have stuffed in there with the [referrer] tag's value?)>>>> -G> > > > I would suggest to encrypt a hidden value with a seed... then decrypt on> the receiving end to do a match to a static or admin controlled> variable. Referrer is not reliable in all situations because of proxies.> > Donovan> > -- -------------------------------------------Marc ThompsonSoftware EngineerOffice of Information TechnologyUniversity of Utah801.585.9264marc.thompson@utah.edu---------------------------------------------------------ms070702080709080800070401Content-Type: application/x-pkcs7-signature; name="smime.p7s"Content-Transfer-Encoding: base64Content-Disposition: attachment; filename="smime.p7s"Content-Description: S/MIME Cryptographic SignatureMIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIIFzCCAmYwggHPoAMCAQICEHaSCub5fHf1qFiROTURT3UwDQYJKoZIhvcNAQEFBQAwYjELMAkGA1UEBhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMTI1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBMB4XDTA5MDIxMzIwMjAxOVoXDTEwMDIxMzIwMjAxOVowSjEfMB0GA1UEAxMWVGhhd3RlIEZyZWVtYWlsIE1lbWJlcjEnMCUGCSqGSIb3DQEJARYYbXRob21wc29uQG1lZGlhLnV0YWguZWR1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6QZuGW+lM68PiNJakaJKiM0oUeJBHX/ygyAAPZ/A+o51YkgQBxz0HMtOL9ny/Bz16/OWw/rGFQBV+T4Y03aGsa/Q7IDxS53rN2DSmYVSJkesjpAO4B8Ud3grqy2XMKAKT2e8/vTwWbE/kIyOtcjeWYpP9ASVUidEPRo4yTM1zVwIDAQABozUwMzAjBgNVHREEHDAagRhtdGhvbXBzb25AbWVkaWEudXRhaC5lZHUwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQUFAAOBgQC3NQryCLgzcsAX+7pwymoLBpvqdswI+vA9fIRhv15SXeON5d3RFk6ifWl6FWopm5Zz1gpieqcqLaMu3qE0x7YThsYqGwVKaazyCJtJxKo/pfg5mmODWmqpnGx1c42hbtVdZzxEIIh29r0dV88PHR/rPzus5UV64CAm76bPTxizwTCCAmYwggHPoAMCAQICEHaSCub5fHf1qFiROTURT3UwDQYJKoZIhvcNAQEFBQAwYjELMAkGA1UEBhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMTI1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBMB4XDTA5MDIxMzIwMjAxOVoXDTEwMDIxMzIwMjAxOVowSjEfMB0GA1UEAxMWVGhhd3RlIEZyZWVtYWlsIE1lbWJlcjEnMCUGCSqGSIb3DQEJARYYbXRob21wc29uQG1lZGlhLnV0YWguZWR1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6QZuGW+lM68PiNJakaJKiM0oUeJBHX/ygyAAPZ/A+o51YkgQBxz0HMtOL9ny/Bz16/OWw/rGFQBV+T4Y03aGsa/Q7IDxS53rN2DSmYVSJkesjpAO4B8Ud3grqy2XMKAKT2e8/vTwWbE/kIyOtcjeWYpP9ASVUidEPRo4yTM1zVwIDAQABozUwMzAjBgNVHREEHDAagRhtdGhvbXBzb25AbWVkaWEudXRhaC5lZHUwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQUFAAOBgQC3NQryCLgzcsAX+7pwymoLBpvqdswI+vA9fIRhv15SXeON5d3RFk6ifWl6FWopm5Zz1gpieqcqLaMu3qE0x7YThsYqGwVKaazyCJtJxKo/pfg5mmODWmqpnGx1c42hbtVdZzxEIIh29r0dV88PHR/rPzus5UV64CAm76bPTxizwTCCAz8wggKooAMCAQICAQ0wDQYJKoZIhvcNAQEFBQAwgdExCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEaMBgGA1UEChMRVGhhd3RlIENvbnN1bHRpbmcxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2aXNpb24xJDAiBgNVBAMTG1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBDQTErMCkGCSqGSIb3DQEJARYccGVyc29uYWwtZnJlZW1haWxAdGhhd3RlLmNvbTAeFw0wMzA3MTcwMDAwMDBaFw0xMzA3MTYyMzU5NTlaMGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxKY8VXNV+065yplaHmjAdQRwnd/p/6Me7L3N9VvyGna9fww6YfK/Uc4B1OVQCjDXAmNaLIkVcI7dyfArhVqqP3FWy688Cwfn8R+RNiQqE88r1fOCdz0Dviv+uxg+B79AgAJk16emu59l0cUqVIUPSAR/p7bRPGEEQB5kGXJgt/sCAwEAAaOBlDCBkTASBgNVHRMBAf8ECDAGAQH/AgEAMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9jcmwudGhhd3RlLmNvbS9UaGF3dGVQZXJzb25hbEZyZWVtYWlsQ0EuY3JsMAsGA1UdDwQEAwIBBjApBgNVHREEIjAgpB4wHDEaMBgGA1UEAxMRUHJpdmF0ZUxhYmVsMi0xMzgwDQYJKoZIhvcNAQEFBQADgYEASIzRUIPqCy7MDaNmrGcPf6+svsIXoUOWlJ1/TCG4+DYfqi2fNi/A9BxQIJNwPP2t4WFiw9k6GX6EsZkbAMUaC4J0niVQlGLH2ydxVyWN3amcOY6MIE9lX5Xa9/eH1sYITq726jTlEBpbNU1341YheILcIRk13iSx0x1G/11fZU8xggLjMIIC3wIBATB2MGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQQIQdpIK5vl8d/WoWJE5NRFPdTAJBgUrDgMCGgUAoIIBwzAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wOTAyMTkxNzUwMDdaMCMGCSqGSIb3DQEJBDEWBBReqmNM5YerfKAXyHZKKxl4j4KFGDBSBgkqhkiG9w0BCQ8xRTBDMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDCBhQYJKwYBBAGCNxAEMXgwdjBiMQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0ECEHaSCub5fHf1qFiROTURT3UwgYcGCyqGSIb3DQEJEAILMXigdjBiMQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0ECEHaSCub5fHf1qFiROTURT3UwDQYJKoZIhvcNAQEBBQAEgYC4O6cYmE9TW/6gCZgj6qLq+9xc2/x+mfjUKQV545+exJy7W4S+26XXqRsK65aw3gSWBJ0l1BpaMVld8zgDHdc4BaC6c68mOPSeVvmBPqDtffQZ8ylv9Zxdi8YFhua4RuOJoHvOBI08ZMPc4bLsXu4VY4TnwBpprT/dB9uKZyQ+fwAAAAAAAA==--------------ms070702080709080800070401-- Associated Messages, from the most recent to the oldest:

Re: [WebDNA] preventing hackers from posting their own (altered) version of my form? (Stuart Tremain 2009) Re: [WebDNA] preventing hackers from posting their own (altered) (Donovan Brooke 2009) Re: [WebDNA] preventing hackers from posting their own (altered) (Donovan Brooke 2009) Re: [WebDNA] preventing hackers from posting their own (altered) version of my form? (Toby Cox 2009) Re: [WebDNA] preventing hackers from posting their own (altered) version of my form? (Govinda 2009) Re: [WebDNA] preventing hackers from posting their own (altered) (Donovan Brooke 2009) Re: [WebDNA] preventing hackers from posting their own (altered) (Marc Thompson 2009) Re: [WebDNA] preventing hackers from posting their own (altered) version of my form? (Bob Minor 2009) Re: [WebDNA] preventing hackers from posting their own (altered) (Marc Thompson 2009) Re: [WebDNA] preventing hackers from posting their own (altered) (Donovan Brooke 2009) Re: [WebDNA] preventing hackers from posting their own (altered) version of my form? (Govinda 2009) [WebDNA] preventing hackers from posting their own (altered) version of my form? (Govinda 2009)

This is a cryptographically signed message in MIME format.--------------ms070702080709080800070401Content-Type: text/plain; charset=ISO-8859-1Content-Transfer-Encoding: 7bitI agree with Donovan. A hidden field is as misconception, it's notreally hidden, just not visible in a browser. Any hacker worth his saltattempting to "hack" a form post will look at the "hidden" fields firstand they are quite easy to spoof. Using an encrypted value with a seedwill most certainly stop them in their tracks.I've used that method for years without incident...MarcDonovan Brooke wrote:> Govinda wrote:>> Thanks Gary,>>>> well I had just assumed that [referrer] would not get set to the>> actual referring URL when reaching the template with that tag in it>> because of this line from the docs:>> "...Note: this will not work if the previous page was a FORM>> METHOD="POST". ">> But after seeing your post here I tried it and it seems to work fine,>> even with method=post. (why do the docs say that?)>> Assuming [referrer] is reliable in this situation, then I can just>> check against the evaluated tag's value itself.. (and not against an>> incoming hidden input). If I used a hidden input the way you suggest>> then what stops a user from creating a version of the form with a>> hidden input whose value is set to whatever he wants. (including what>> I would have stuffed in there with the [referrer] tag's value?)>>>> -G> > > > I would suggest to encrypt a hidden value with a seed... then decrypt on> the receiving end to do a match to a static or admin controlled> variable. Referrer is not reliable in all situations because of proxies.> > Donovan> > -- -------------------------------------------Marc ThompsonSoftware EngineerOffice of Information TechnologyUniversity of Utah801.585.9264marc.thompson@utah.edu---------------------------------------------------------ms070702080709080800070401Content-Type: application/x-pkcs7-signature; name="smime.p7s"Content-Transfer-Encoding: base64Content-Disposition: attachment; filename="smime.p7s"Content-Description: S/MIME Cryptographic SignatureMIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIIFzCCAmYwggHPoAMCAQICEHaSCub5fHf1qFiROTURT3UwDQYJKoZIhvcNAQEFBQAwYjELMAkGA1UEBhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMTI1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBMB4XDTA5MDIxMzIwMjAxOVoXDTEwMDIxMzIwMjAxOVowSjEfMB0GA1UEAxMWVGhhd3RlIEZyZWVtYWlsIE1lbWJlcjEnMCUGCSqGSIb3DQEJARYYbXRob21wc29uQG1lZGlhLnV0YWguZWR1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6QZuGW+lM68PiNJakaJKiM0oUeJBHX/ygyAAPZ/A+o51YkgQBxz0HMtOL9ny/Bz16/OWw/rGFQBV+T4Y03aGsa/Q7IDxS53rN2DSmYVSJkesjpAO4B8Ud3grqy2XMKAKT2e8/vTwWbE/kIyOtcjeWYpP9ASVUidEPRo4yTM1zVwIDAQABozUwMzAjBgNVHREEHDAagRhtdGhvbXBzb25AbWVkaWEudXRhaC5lZHUwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQUFAAOBgQC3NQryCLgzcsAX+7pwymoLBpvqdswI+vA9fIRhv15SXeON5d3RFk6ifWl6FWopm5Zz1gpieqcqLaMu3qE0x7YThsYqGwVKaazyCJtJxKo/pfg5mmODWmqpnGx1c42hbtVdZzxEIIh29r0dV88PHR/rPzus5UV64CAm76bPTxizwTCCAmYwggHPoAMCAQICEHaSCub5fHf1qFiROTURT3UwDQYJKoZIhvcNAQEFBQAwYjELMAkGA1UEBhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMTI1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBMB4XDTA5MDIxMzIwMjAxOVoXDTEwMDIxMzIwMjAxOVowSjEfMB0GA1UEAxMWVGhhd3RlIEZyZWVtYWlsIE1lbWJlcjEnMCUGCSqGSIb3DQEJARYYbXRob21wc29uQG1lZGlhLnV0YWguZWR1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6QZuGW+lM68PiNJakaJKiM0oUeJBHX/ygyAAPZ/A+o51YkgQBxz0HMtOL9ny/Bz16/OWw/rGFQBV+T4Y03aGsa/Q7IDxS53rN2DSmYVSJkesjpAO4B8Ud3grqy2XMKAKT2e8/vTwWbE/kIyOtcjeWYpP9ASVUidEPRo4yTM1zVwIDAQABozUwMzAjBgNVHREEHDAagRhtdGhvbXBzb25AbWVkaWEudXRhaC5lZHUwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQUFAAOBgQC3NQryCLgzcsAX+7pwymoLBpvqdswI+vA9fIRhv15SXeON5d3RFk6ifWl6FWopm5Zz1gpieqcqLaMu3qE0x7YThsYqGwVKaazyCJtJxKo/pfg5mmODWmqpnGx1c42hbtVdZzxEIIh29r0dV88PHR/rPzus5UV64CAm76bPTxizwTCCAz8wggKooAMCAQICAQ0wDQYJKoZIhvcNAQEFBQAwgdExCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEaMBgGA1UEChMRVGhhd3RlIENvbnN1bHRpbmcxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2aXNpb24xJDAiBgNVBAMTG1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBDQTErMCkGCSqGSIb3DQEJARYccGVyc29uYWwtZnJlZW1haWxAdGhhd3RlLmNvbTAeFw0wMzA3MTcwMDAwMDBaFw0xMzA3MTYyMzU5NTlaMGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxKY8VXNV+065yplaHmjAdQRwnd/p/6Me7L3N9VvyGna9fww6YfK/Uc4B1OVQCjDXAmNaLIkVcI7dyfArhVqqP3FWy688Cwfn8R+RNiQqE88r1fOCdz0Dviv+uxg+B79AgAJk16emu59l0cUqVIUPSAR/p7bRPGEEQB5kGXJgt/sCAwEAAaOBlDCBkTASBgNVHRMBAf8ECDAGAQH/AgEAMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9jcmwudGhhd3RlLmNvbS9UaGF3dGVQZXJzb25hbEZyZWVtYWlsQ0EuY3JsMAsGA1UdDwQEAwIBBjApBgNVHREEIjAgpB4wHDEaMBgGA1UEAxMRUHJpdmF0ZUxhYmVsMi0xMzgwDQYJKoZIhvcNAQEFBQADgYEASIzRUIPqCy7MDaNmrGcPf6+svsIXoUOWlJ1/TCG4+DYfqi2fNi/A9BxQIJNwPP2t4WFiw9k6GX6EsZkbAMUaC4J0niVQlGLH2ydxVyWN3amcOY6MIE9lX5Xa9/eH1sYITq726jTlEBpbNU1341YheILcIRk13iSx0x1G/11fZU8xggLjMIIC3wIBATB2MGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQQIQdpIK5vl8d/WoWJE5NRFPdTAJBgUrDgMCGgUAoIIBwzAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wOTAyMTkxNzUwMDdaMCMGCSqGSIb3DQEJBDEWBBReqmNM5YerfKAXyHZKKxl4j4KFGDBSBgkqhkiG9w0BCQ8xRTBDMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDCBhQYJKwYBBAGCNxAEMXgwdjBiMQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0ECEHaSCub5fHf1qFiROTURT3UwgYcGCyqGSIb3DQEJEAILMXigdjBiMQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0ECEHaSCub5fHf1qFiROTURT3UwDQYJKoZIhvcNAQEBBQAEgYC4O6cYmE9TW/6gCZgj6qLq+9xc2/x+mfjUKQV545+exJy7W4S+26XXqRsK65aw3gSWBJ0l1BpaMVld8zgDHdc4BaC6c68mOPSeVvmBPqDtffQZ8ylv9Zxdi8YFhua4RuOJoHvOBI08ZMPc4bLsXu4VY4TnwBpprT/dB9uKZyQ+fwAAAAAAAA==--------------ms070702080709080800070401-- Marc Thompson

DOWNLOAD WEBDNA NOW!

Top Articles:

Talk List

The WebDNA community talk-list is the best place to get some help: several hundred extremely proficient programmers with an excellent knowledge of WebDNA and an excellent spirit will deliver all the tips and tricks you can imagine...

Related Readings:

date pref (1999) Trouble with Netscape (1998) Closing db's & caching templates (was: Shippingcalculations) (1997) US Postal Service API (2007) WebCatalog Upgrade Pricing? (1997) Request Time Out (1997) Separate SSL Server (1997) (1997) Changing the value assigned to a formvariable (2000) [WebDNA] When was autonumber added? (2010) Date format problems (1997) TCPConnect (2002) Using Plug-In while running 1.6.1 (1997) Emailer 1.0.2 Conflicts? (1998) webmerchant/mac auth. rejects zipcode (1998) WebCatalog NT beta 18 now available (1997) WebCat2b15MacPlugin - showing [math] (1997) problems with 2 tags (1997) 2 databases (1997) I give up!! (1997)