Re: [WebDNA] preventing hackers from posting their own (altered) version of my form?
This WebDNA talk-list message is from 2009.
> sorry if I am dense.. but what stops a hacker from simply making
> his own form and stuffing the 'nothingToSeeHere' input with that
> long now url'ed string and manipulating the other vars as he pleases?

nothing at all

The principle is right, but you would need to change the seed or the [topsecret] daily/hourly or even more frequently

On one of our sites, we have a similar code to stop people hotlinking directly to a flash game

We set a variable that is [math][insertHugePrimeNumberHere]%{[date]}[/math] in hidden form, which the flash file also requests from another page when the time comes.

You can find huge primes on this site http://primes.utm.edu/lists/small/small.html

Another system would be to encrypt the date with some information in the form, such as a cart ref

Therefore, your example below becomes

<input type="hidden" name="nothingToSeeHere" value="[url][url][encrypt seed=[cart]][date][/encrypt][/url][/url]">

And you pull that out the other side. The key is that the information has to change faster than a hacker can put it together, so either solution above will work.

TC

On 19 Feb 2009, at 19:39, Govinda wrote:

> sorry if I am dense.. but what stops a hacker from simply making
> his own form and stuffing the 'nothingToSeeHere' input with that
> long now url'ed string and manipulating the other vars as he
> pleases? I don't see how we have stopped him at all.
>
> Say if once we encrypt and url twice the string becomes this:
> %9F%AE%26%13%60-b%E3%DE%85%9CvU%E3%7D1PaC%E6%1B%18%E2%7C
> and so the hacker views the source and sees that and then stuffs his
> own version of the form with that very string which will match our
> controlled value on the other end once we unurl and decrypt.
>
> -G
>
> On Feb 19, 2009, at 12:03 PM, Dan Strong wrote:
>
>> Brilliant, and, as usual, much simpler than the solutions I have
>> come up with.
>> -Dan
>>
>> On Thu, 19 Feb 2009 12:52:46 -0600
>> Donovan Brooke wrote:
>>> Dan Strong wrote:
>>>> Do you mean:
>>>> <input type="hidden" name="nothingToSeeHere" value="[url][url][encrypt seed=yourSeed][topSecret][/encrypt][/url][/url]">
>>>> -Dan
>>> Right, then on the receiving end, once you decrypt
>>> "[nothingToSeeHere]",
>>> if it doesn't match the controlled comparison text/number, then
>>> you know the data is coming from somewhere other than your form.
>>> Donovan
>>> --
>>> Donovan D. Brooke PH: 1 (608) 770-3822
>>> ------------------------------------------------
>>> VP
>>> WebDNA Software Corporation
>>> 16192 Coastal Highway
>>> Lewes, DE 19958
>>> ---------------------------------------------------------
>>> This message is sent to you because you are subscribed to
>>> the mailing list .
>>> To unsubscribe, E-mail to:
>>> archives: http://mail.webdna.us/list/talk@webdna.us
>>> old archives: http://dev.webdna.us/TalkListArchive/
Toby Cox
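As an added example (not code from the thread or from WebDNA), here is the "encrypt the date with a cart ref" variant in Python together with the receiving-end check Donovan describes: the hidden-field value binds an issue timestamp to the cart ref with an HMAC, which stands in for WebDNA's [encrypt seed=...], and the server rejects values that were altered, minted for another cart, or older than MAX_AGE. The secret, the cart refs and the timestamp are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Server-side secret, standing in for the [encrypt seed=...] seed in the thread.
# Constructed value for this example; load a real one from configuration and rotate it.
SECRET = b"example-seed-rotate-me"
MAX_AGE = timedelta(hours=1)  # how long a minted hidden-field value stays valid
MAC_LEN = 32                  # SHA-256 digest length in bytes
# Constructed timestamp on the date of the thread, used by the demo below.
EXAMPLE_NOW = datetime(2009, 2, 19, 19, 39, tzinfo=timezone.utc)


def mint_token(cart_ref: str, now: datetime) -> str:
    """Value for the hidden field: issue time + cart ref, bound together by an HMAC."""
    msg = f"{now.strftime('%Y%m%d%H%M%S')}|{cart_ref}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    # urlsafe base64 plays the role of the double [url] wrapping in the thread.
    return base64.urlsafe_b64encode(msg + mac).decode()


def verify_token(token: str, cart_ref: str, now: datetime) -> bool:
    """Receiving end: accept only an unaltered, fresh token minted for this cart."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        msg, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
        stamp, ref = msg.split(b"|", 1)
        issued = datetime.strptime(stamp.decode(), "%Y%m%d%H%M%S")
    except (ValueError, binascii.Error):
        return False  # not something this server produced
    issued = issued.replace(tzinfo=timezone.utc)
    expected = hmac.new(SECRET, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False  # hidden field altered, or forged without the seed
    if ref != cart_ref.encode():
        return False  # token was minted for a different cart
    age = now - issued
    return timedelta(0) <= age <= MAX_AGE  # stale and future-dated tokens are rejected


if __name__ == "__main__":
    tok = mint_token("cart-4711", EXAMPLE_NOW)
    print("fresh:", verify_token(tok, "cart-4711", EXAMPLE_NOW))                 # True
    print("stale:", verify_token(tok, "cart-4711", EXAMPLE_NOW + 2 * MAX_AGE))   # False
    print("other cart:", verify_token(tok, "cart-9999", EXAMPLE_NOW))            # False
```

Because the token carries its own issue time, the seed only has to outlive MAX_AGE rather than be changed by hand every day or hour.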