Re: [WebDNA] preventing hackers from posting their own (altered) version of my form?

This WebDNA talk-list message is from

2009


It keeps the original formatting.
numero = 102036
interpreted = N
texte = > sorry if I am dense.. but what stops a hacker from simply making > his own form and stuffing the 'nothingToSeeHere' input with that > long now url'ed string and manipulating the other vars as he pleases? nothing at all The principle is right, but you would need to change the seed or the [topsecret] daily/hourly or even more frequently On one of our sites, we have a similar code to stop people hotlinking directly to a flash game We set a variable that is [math][insertHugePrimeNumberHere]%{[date]}[/ math] in hidden form, which the flash file also requests from another page when the time comes. You can find huge primes on this site http://primes.utm.edu/lists/small/small.html Another system would be to encrypt the date with some information in the form, such as a cart ref Therefore, your example below becomes And you pull that out the other side. The key is that the information has to change faster than a hacker can put it together, so either solution above will work. TC On 19 Feb 2009, at 19:39, Govinda wrote: > sorry if I am dense.. but what stops a hacker from simply making > his own form and stuffing the 'nothingToSeeHere' input with that > long now url'ed string and manipulating the other vars as he > pleases? I don't see how we have stopped him at all. ?? > > Say if once we encrypt and url twice the string becomes this: > %9F%AE%26%13%60-b%E3%DE%85%9CvU%E3%7D1PaC%E6%1B%18%E2%7C > and so the hacker views the source and sees that and then stuffs his > own version of the form with that very string which will match our > controlled value on the other end once we unurl and decrypt. > > -G > > On Feb 19, 2009, at 12:03 PM, Dan Strong wrote: > >> Brilliant, and, as usual, much simpler than the solutions I have >> come up with. >> -Dan >> >> >> On Thu, 19 Feb 2009 12:52:46 -0600 >> Donovan Brooke wrote: >>> Dan Strong wrote: >>>> Do you mean: >>>> >>>> -Dan >>> Right, then on the receiving end, once you decrypt >>> "[nothingToSeeHere]", >>> if it doesn't match the controlled comparison text/number, then >>> you know the data is coming from somewhere other than your form. >>> Donovan >>> -- >>> Donovan D. Brooke PH: 1 (608) 770-3822 >>> ------------------------------------------------ >>> VP >>> WebDNA Software Corporation >>> 16192 Coastal Highway >>> Lewes, DE 19958 >>> --------------------------------------------------------- >>> This message is sent to you because you are subscribed to >>> the mailing list . >>> To unsubscribe, E-mail to: >>> archives: http://mail.webdna.us/list/talk@webdna.us >>> old archives: http://dev.webdna.us/TalkListArchive/ >> >> --------------------------------------------------------- >> This message is sent to you because you are subscribed to >> the mailing list . >> To unsubscribe, E-mail to: >> archives: http://mail.webdna.us/list/talk@webdna.us >> old archives: http://dev.webdna.us/TalkListArchive/ > > --------------------------------------------------------- > This message is sent to you because you are subscribed to > the mailing list . > To unsubscribe, E-mail to: > archives: http://mail.webdna.us/list/talk@webdna.us > old archives: http://dev.webdna.us/TalkListArchive/ Associated Messages, from the most recent to the oldest:

    
  1. Re: [WebDNA] preventing hackers from posting their own (altered) version of my form? (Stuart Tremain 2009)
  2. Re: [WebDNA] preventing hackers from posting their own (altered) version of my form? (Toby Cox 2009)
  3. Re: [WebDNA] preventing hackers from posting their own (altered) version of my form? (Govinda 2009)
  4. Re: [WebDNA] preventing hackers from posting their own (altered) version of my form? (Bob Minor 2009)
  5. Re: [WebDNA] preventing hackers from posting their own (altered) version of my form? (Govinda 2009)
  6. [WebDNA] preventing hackers from posting their own (altered) version of my form? (Govinda 2009)
> sorry if I am dense.. but what stops a hacker from simply making > his own form and stuffing the 'nothingToSeeHere' input with that > long now url'ed string and manipulating the other vars as he pleases? nothing at all The principle is right, but you would need to change the seed or the [topsecret] daily/hourly or even more frequently On one of our sites, we have a similar code to stop people hotlinking directly to a flash game We set a variable that is [math][insertHugePrimeNumberHere]%{[date]}[/ math] in hidden form, which the flash file also requests from another page when the time comes. You can find huge primes on this site http://primes.utm.edu/lists/small/small.html Another system would be to encrypt the date with some information in the form, such as a cart ref Therefore, your example below becomes [url][url][encrypt seed=[cart]][date][/ encrypt][/url][/url]"> And you pull that out the other side. The key is that the information has to change faster than a hacker can put it together, so either solution above will work. TC On 19 Feb 2009, at 19:39, Govinda wrote: > sorry if I am dense.. but what stops a hacker from simply making > his own form and stuffing the 'nothingToSeeHere' input with that > long now url'ed string and manipulating the other vars as he > pleases? I don't see how we have stopped him at all. ?? > > Say if once we encrypt and url twice the string becomes this: > %9F%AE%26%13%60-b%E3%DE%85%9CvU%E3%7D1PaC%E6%1B%18%E2%7C > and so the hacker views the source and sees that and then stuffs his > own version of the form with that very string which will match our > controlled value on the other end once we unurl and decrypt. > > -G > > On Feb 19, 2009, at 12:03 PM, Dan Strong wrote: > >> Brilliant, and, as usual, much simpler than the solutions I have >> come up with. >> -Dan >> >> >> On Thu, 19 Feb 2009 12:52:46 -0600 >> Donovan Brooke wrote: >>> Dan Strong wrote: >>>> Do you mean: >>>> [url][url] >>>> [encrypt seed=yourSeed][topSecret][/encrypt][/url][/url]"> >>>> -Dan >>> Right, then on the receiving end, once you decrypt >>> "[nothingToSeeHere]", >>> if it doesn't match the controlled comparison text/number, then >>> you know the data is coming from somewhere other than your form. >>> Donovan >>> -- >>> Donovan D. Brooke PH: 1 (608) 770-3822 >>> ------------------------------------------------ >>> VP >>> WebDNA Software Corporation >>> 16192 Coastal Highway >>> Lewes, DE 19958 >>> --------------------------------------------------------- >>> This message is sent to you because you are subscribed to >>> the mailing list . >>> To unsubscribe, E-mail to: >>> archives: http://mail.webdna.us/list/talk@webdna.us >>> old archives: http://dev.webdna.us/TalkListArchive/ >> >> --------------------------------------------------------- >> This message is sent to you because you are subscribed to >> the mailing list . >> To unsubscribe, E-mail to: >> archives: http://mail.webdna.us/list/talk@webdna.us >> old archives: http://dev.webdna.us/TalkListArchive/ > > --------------------------------------------------------- > This message is sent to you because you are subscribed to > the mailing list . > To unsubscribe, E-mail to: > archives: http://mail.webdna.us/list/talk@webdna.us > old archives: http://dev.webdna.us/TalkListArchive/ Toby Cox

DOWNLOAD WEBDNA NOW!

Top Articles:

Talk List

The WebDNA community talk-list is the best place to get some help: several hundred extremely proficient programmers with an excellent knowledge of WebDNA and an excellent spirit will deliver all the tips and tricks you can imagine...

Related Readings:

Bad Cookie / Internet Option / Internet Explorer (2004) remotely add + sign (1997) Sort Order on a page search (1997) PCS Frames (1997) addlineitems within formvariable loop (1998) Robert Minor duplicate mail (1997) Fwd: virtual domain and [listfile] paths and aliases (1998) ShowNext & Showif together (1999) Counter for SKUs viewed (2002) WebCatalog 2.0 & WebDNA docs in HTML ... (1997) Soft return (2001) Search puzzle...selectSearch2databases (2004) WebCat2b13MacPlugIn - syntax to convert date (1997) Summary search -- speed (1997) More on EudoraPro Email (1998) I'm new be kind (1997) SKU (1997) NetSplat and WebCat2 (1997) Security Hole - NetCloak Update (1998) showif and cart (1997)