Re: [WebDNA] preventing hackers from posting their own (altered)

This WebDNA talk-list message is from 2009.


Toby Cox wrote:
>> sorry if I am dense.. but what stops a hacker from simply making his
>> own form and stuffing the 'nothingToSeeHere' input with that long now
>> url'ed string and manipulating the other vars as he pleases?
>
>
> nothing at all
>
> The principle is right, but you would need to change the seed or the
> [topsecret] daily/hourly or even more frequently
>
> On one of our sites, we have a similar code to stop people hotlinking
> directly to a flash game
>
> We set a variable that is
> [math][insertHugePrimeNumberHere]%{[date]}[/math] in hidden form, which
> the flash file also requests from another page when the time comes.
>
> You can find huge primes on this site
> http://primes.utm.edu/lists/small/small.html
>
> Another system would be to encrypt the date with some information in the
> form, such as a cart ref
>
> Therefore, your example below becomes name="nothingToSeeHere" value="[url][url][encrypt
> seed=[cart]][date][/encrypt][/url][/url]">
>
> And you pull that out the other side. The key is that the information
> has to change faster than a hacker can put it together, so either
> solution above will work.
>
>
>
> TC

Good points by both...

I think you could do a time-based (session) forms thing, similar to Toby's, by making the value a date/time stamp, and then only allowing the parsing of the form on the receiving end if the unencrypted value is within the time frame allotted for the posting of the form. That would help anyway... but if you are wanting ultimate protection, I'm guessing the solution is a mixed bag that uses a few methods including some of the ideas mentioned.. such as bot/script filtering (CAPTCHA), Bob's trick, etc..?? But you are right, I am stumped on an "easy" ([referrer]-like) solution that is foolproof. Perhaps there is one, but I don't know of one off the top of my head.

Authentication? ;-)

Donovan

--
=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o
DONOVAN D. BROOKE
EUCA Design Center
PH:> (608) 770-3822
WEB:> http://www.euca.us
=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o

Associated Messages, from the most recent to the oldest:

    
  1. Re: [WebDNA] preventing hackers from posting their own (altered) version of my form? (Stuart Tremain 2009)
  2. Re: [WebDNA] preventing hackers from posting their own (altered) (Donovan Brooke 2009)
  3. Re: [WebDNA] preventing hackers from posting their own (altered) (Donovan Brooke 2009)
  4. Re: [WebDNA] preventing hackers from posting their own (altered) version of my form? (Toby Cox 2009)
  5. Re: [WebDNA] preventing hackers from posting their own (altered) version of my form? (Govinda 2009)
  6. Re: [WebDNA] preventing hackers from posting their own (altered) (Donovan Brooke 2009)
  7. Re: [WebDNA] preventing hackers from posting their own (altered) (Marc Thompson 2009)
  8. Re: [WebDNA] preventing hackers from posting their own (altered) version of my form? (Bob Minor 2009)
  9. Re: [WebDNA] preventing hackers from posting their own (altered) (Marc Thompson 2009)
  10. Re: [WebDNA] preventing hackers from posting their own (altered) (Donovan Brooke 2009)
  11. Re: [WebDNA] preventing hackers from posting their own (altered) version of my form? (Govinda 2009)
  12. [WebDNA] preventing hackers from posting their own (altered) version of my form? (Govinda 2009)
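The two ideas in the thread above, a hidden-field value derived from a server-side secret and a cart reference (Toby), and accepting the form only while the embedded timestamp is still inside the allotted posting window (Donovan), combine naturally into one check. The Python below is an added example written for this archive page; it is not WebDNA code and not anything posted by the list members. Where the thread uses WebDNA's [encrypt seed=[cart]][date][/encrypt], this example uses HMAC-SHA256 keyed with a server-side seed (an assumed substitute), and the seed value, window length and cart reference are constructed placeholders.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed server-side secret: lives only on the server, never in the form.
# Rotating it (as Toby suggests, daily/hourly) invalidates every outstanding token.
SECRET_SEED = b"example-seed-replace-in-deployment"

# How long a rendered form stays valid for posting (Donovan's time frame).
FORM_WINDOW_SECONDS = 600

# Small tolerance for clock skew between the machine that rendered the form
# and the one that receives the post.
CLOCK_SKEW_SECONDS = 30


def make_token(cart_ref: str, issued_at: Optional[int] = None,
               seed: bytes = SECRET_SEED) -> str:
    """Value for the hidden field: '<unix time>.<hex HMAC over cart_ref and time>'.

    The timestamp travels in the clear; the MAC is what stops anyone without
    the seed from minting a token for a different cart or a fresh time.
    """
    ts = int(time.time()) if issued_at is None else issued_at
    mac = hmac.new(seed, f"{cart_ref}|{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def verify_token(token: str, cart_ref: str, now: Optional[int] = None,
                 seed: bytes = SECRET_SEED,
                 window: int = FORM_WINDOW_SECONDS) -> Tuple[bool, str]:
    """Receiving-end check: returns (accepted, reason).

    Order matters: the signature is checked before the time fields are
    trusted, so an attacker cannot learn anything from the expiry logic
    with a token they were unable to sign.
    """
    now = int(time.time()) if now is None else now
    try:
        ts_str, mac_hex = token.split(".", 1)
        ts = int(ts_str)
    except ValueError:
        return False, "malformed"

    expected = hmac.new(seed, f"{cart_ref}|{ts}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so response timing does not leak how many
    # leading characters of a guessed MAC were right.
    if not hmac.compare_digest(expected, mac_hex):
        return False, "bad signature"

    age = now - ts
    if age < -CLOCK_SKEW_SECONDS:
        return False, "issued in the future"
    if age > window:
        return False, "expired"
    return True, "ok"


def demo() -> dict:
    """Walk through the cases the thread worries about, with fixed clocks."""
    issued = 1_000_000          # constructed render time of the form
    cart = "cart-4711"          # constructed cart reference
    good = make_token(cart, issued_at=issued)
    return {
        # Posted 100 s after rendering, same cart: accepted.
        "fresh":      verify_token(good, cart, now=issued + 100),
        # Same token posted 700 s later: outside the 600 s window.
        "stale":      verify_token(good, cart, now=issued + 700),
        # Attacker's own form reusing the token against another cart.
        "other_cart": verify_token(good, "cart-9999", now=issued + 100),
        # Attacker mints a token with a guessed seed.
        "forged":     verify_token(make_token(cart, issued_at=issued, seed=b"guess"),
                                   cart, now=issued + 100),
        # Garbage in the hidden field.
        "garbage":    verify_token("nothingToSeeHere", cart, now=issued + 100),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:11s} accepted={ok!s:5s} reason={why}")
```

The hidden-field value is just the string make_token() returns, and the handler that receives the post calls verify_token() with the cart reference taken from the session, not from the form, so the attacker cannot supply a cart that matches a token they captured elsewhere. As Donovan notes, this only narrows the window; it does not stop someone who already has a valid session from scripting posts inside it, which is where the CAPTCHA or real authentication he mentions comes in.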
