Re: [WebDNA] preventing hackers from posting their own (altered) version of my form?

This WebDNA talk-list message is from 2009.
Archive message number: 102036
Associated Messages, from the most recent to the oldest:

  1. Re: [WebDNA] preventing hackers from posting their own (altered) version of my form? (Stuart Tremain 2009)
  2. Re: [WebDNA] preventing hackers from posting their own (altered) version of my form? (Toby Cox 2009)
  3. Re: [WebDNA] preventing hackers from posting their own (altered) version of my form? (Govinda 2009)
  4. Re: [WebDNA] preventing hackers from posting their own (altered) version of my form? (Bob Minor 2009)
  5. Re: [WebDNA] preventing hackers from posting their own (altered) version of my form? (Govinda 2009)
  6. [WebDNA] preventing hackers from posting their own (altered) version of my form? (Govinda 2009)
> sorry if I am dense.. but what stops a hacker from simply making
> his own form and stuffing the 'nothingToSeeHere' input with that
> long now url'ed string and manipulating the other vars as he pleases?

Nothing at all. The principle is right, but you would need to change the seed or the [topsecret] daily/hourly, or even more frequently.

On one of our sites, we have similar code to stop people hotlinking directly to a flash game. We set a variable that is

[math][insertHugePrimeNumberHere]%{[date]}[/math]

in a hidden form, which the flash file also requests from another page when the time comes. You can find huge primes on this site: http://primes.utm.edu/lists/small/small.html

Another system would be to encrypt the date with some information in the form, such as a cart ref. Therefore, your example below becomes

<input type="hidden" name="nothingToSeeHere" value="[url][url][encrypt seed=[cart]][date][/encrypt][/url][/url]">

and you pull that out the other side. The key is that the information has to change faster than a hacker can put it together, so either solution above will work.

TC

On 19 Feb 2009, at 19:39, Govinda wrote:

> sorry if I am dense.. but what stops a hacker from simply making
> his own form and stuffing the 'nothingToSeeHere' input with that
> long now url'ed string and manipulating the other vars as he
> pleases? I don't see how we have stopped him at all. ??
>
> Say if once we encrypt and url twice the string becomes this:
> %9F%AE%26%13%60-b%E3%DE%85%9CvU%E3%7D1PaC%E6%1B%18%E2%7C
> and so the hacker views the source and sees that and then stuffs his
> own version of the form with that very string which will match our
> controlled value on the other end once we unurl and decrypt.
>
> -G
>
> On Feb 19, 2009, at 12:03 PM, Dan Strong wrote:
>
>> Brilliant, and, as usual, much simpler than the solutions I have
>> come up with.
>> -Dan
>>
>> On Thu, 19 Feb 2009 12:52:46 -0600
>> Donovan Brooke wrote:
>>> Dan Strong wrote:
>>>> Do you mean:
>>>> <input type="hidden" name="nothingToSeeHere" value="[url][url][encrypt seed=yourSeed][topSecret][/encrypt][/url][/url]">
>>>> -Dan
>>> Right, then on the receiving end, once you decrypt
>>> "[nothingToSeeHere]", if it doesn't match the controlled comparison
>>> text/number, then you know the data is coming from somewhere other
>>> than your form.
>>> Donovan
>>> --
>>> Donovan D. Brooke PH: 1 (608) 770-3822
>>> VP
>>> WebDNA Software Corporation
>>> 16192 Coastal Highway
>>> Lewes, DE 19958
>>> ---------------------------------------------------------
>>> This message is sent to you because you are subscribed to
>>> the mailing list.
>>> archives: http://mail.webdna.us/list/talk@webdna.us
>>> old archives: http://dev.webdna.us/TalkListArchive/

Toby Cox
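The point of the whole thread is that a hidden-field value which never changes is just a second password printed in the page source: whoever copies it can submit a home-made form forever. The example below is added here and is not code from the thread or from WebDNA; it reproduces the two designs discussed (Donovan's fixed `[topSecret]` under a fixed seed, and TC's value bound to the cart ref and the date) in Python so the replay can be watched. It assumes an HMAC over the field as a stand-in for WebDNA's `[encrypt seed=...]`/decrypt round-trip, since the receiver only needs to check the value, not recover it; the names `static_token`, `timed_token`, `verify_timed`, the secret and the timestamps are all constructed for the demo.

```python
import hashlib
import hmac
from urllib.parse import quote, unquote

# Constructed demo values; stand-ins for the thread's [topsecret] and seed.
SERVER_SECRET = b"constructed-demo-secret"
MAX_AGE_SECONDS = 300          # how long a served form stays acceptable
DAY = 24 * 60 * 60


def _mac(message: bytes) -> str:
    # HMAC-SHA256 used in place of WebDNA's [encrypt] (assumption, see lead-in).
    return hmac.new(SERVER_SECRET, message, hashlib.sha256).hexdigest()


def _url2(value: str) -> str:
    # The thread wraps the field in [url][url]...[/url][/url]: encode twice.
    return quote(quote(value, safe=""), safe="")


def _unurl2(field: str) -> str:
    return unquote(unquote(field))


# --- Donovan's version: a fixed secret under a fixed seed -------------------
def static_token() -> str:
    # Identical on every page load, so a copy taken from "view source" is
    # indistinguishable from the value the real form carries.
    return _url2(_mac(b"topSecret"))


def verify_static(field: str) -> bool:
    return hmac.compare_digest(_unurl2(field), _mac(b"topSecret"))


# --- TC's version: bind the value to the cart ref and the time --------------
def timed_token(cart_ref: str, issued_at: int) -> str:
    # The receiver must recover the issue time, so it travels in clear next to
    # a MAC that covers both the time and the cart ref.
    mac = _mac(f"{cart_ref}:{issued_at}".encode())
    return _url2(f"{issued_at}:{mac}")


def verify_timed(field: str, cart_ref: str, now: int) -> bool:
    # cart_ref comes from the server-side session, never from the form itself.
    try:
        issued_str, mac = _unurl2(field).split(":", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False                        # malformed field
    if not 0 <= now - issued_at <= MAX_AGE_SECONDS:
        return False                        # stale, or dated in the future
    expected = _mac(f"{cart_ref}:{issued_at}".encode())
    return hmac.compare_digest(mac, expected)


def replay_demo() -> dict:
    """A value copied from a served form is submitted later from a copied form."""
    t0 = 1_235_000_000                      # constructed "page served" time
    captured_static = static_token()
    captured_timed = timed_token("cart-42", t0)
    stolen_mac = _unurl2(captured_timed).split(":", 1)[1]
    return {
        # the fixed value still verifies a day later, from any form
        "static_replays": verify_static(captured_static),
        # the bound value is accepted inside its window...
        "timed_fresh": verify_timed(captured_timed, "cart-42", t0 + 60),
        # ...but not a day later, and not against a different cart
        "timed_replay_next_day": verify_timed(captured_timed, "cart-42", t0 + DAY),
        "timed_other_cart": verify_timed(captured_timed, "cart-7", t0 + 60),
        # editing the clear-text time to look fresh breaks the MAC
        "timed_tampered": verify_timed(
            _url2(f"{t0 + DAY}:{stolen_mac}"), "cart-42", t0 + DAY + 60),
    }


if __name__ == "__main__":
    for name, ok in replay_demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The window is the knob TC describes as "change faster than a hacker can put it together": a day (`[date]`) leaves the value reusable all day, so the demo uses minutes. Binding to the cart ref, as TC suggests, is what stops a value lifted from one session being useful in another. Neither design does anything about the "other vars" Govinda mentions: a form copied and submitted inside the window still carries whatever field values the submitter chose, so the receiving page has to validate those on its own terms regardless of the token.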
