Re: [WebDNA] preventing hackers from posting their own (altered) version of my form?

This WebDNA talk-list message is from 2009


Associated Messages, from the most recent to the oldest:

    
  1. Re: [WebDNA] preventing hackers from posting their own (altered) version of my form? (Stuart Tremain 2009)
  2. Re: [WebDNA] preventing hackers from posting their own (altered) version of my form? (Toby Cox 2009)
  3. Re: [WebDNA] preventing hackers from posting their own (altered) version of my form? (Govinda 2009)
  4. Re: [WebDNA] preventing hackers from posting their own (altered) version of my form? (Bob Minor 2009)
  5. Re: [WebDNA] preventing hackers from posting their own (altered) version of my form? (Govinda 2009)
  6. [WebDNA] preventing hackers from posting their own (altered) version of my form? (Govinda 2009)
> sorry if I am dense.. but what stops a hacker from simply making
> his own form and stuffing the 'nothingToSeeHere' input with that
> long now url'ed string and manipulating the other vars as he pleases?

nothing at all

The principle is right, but you would need to change the seed or the [topsecret] daily/hourly or even more frequently

On one of our sites, we have a similar code to stop people hotlinking directly to a flash game

We set a variable that is [math][insertHugePrimeNumberHere]%{[date]}[/math] in hidden form, which the flash file also requests from another page when the time comes.

You can find huge primes on this site http://primes.utm.edu/lists/small/small.html

Another system would be to encrypt the date with some information in the form, such as a cart ref

Therefore, your example below becomes

[url][url][encrypt seed=[cart]][date][/encrypt][/url][/url]">

And you pull that out the other side.

The key is that the information has to change faster than a hacker can put it together, so either solution above will work.

TC

On 19 Feb 2009, at 19:39, Govinda wrote:

> sorry if I am dense.. but what stops a hacker from simply making
> his own form and stuffing the 'nothingToSeeHere' input with that
> long now url'ed string and manipulating the other vars as he
> pleases? I don't see how we have stopped him at all. ??
>
> Say if once we encrypt and url twice the string becomes this:
> %9F%AE%26%13%60-b%E3%DE%85%9CvU%E3%7D1PaC%E6%1B%18%E2%7C
> and so the hacker views the source and sees that and then stuffs his
> own version of the form with that very string which will match our
> controlled value on the other end once we unurl and decrypt.
>
> -G
>
> On Feb 19, 2009, at 12:03 PM, Dan Strong wrote:
>
>> Brilliant, and, as usual, much simpler than the solutions I have
>> come up with.
>> -Dan
>>
>> On Thu, 19 Feb 2009 12:52:46 -0600
>> Donovan Brooke wrote:
>>> Dan Strong wrote:
>>>> Do you mean:
>>>> [url][url]
>>>> [encrypt seed=yourSeed][topSecret][/encrypt][/url][/url]">
>>>> -Dan
>>> Right, then on the receiving end, once you decrypt
>>> "[nothingToSeeHere]",
>>> if it doesn't match the controlled comparison text/number, then
>>> you know the data is coming from somewhere other than your form.
>>> Donovan
>>> --
>>> Donovan D. Brooke PH: 1 (608) 770-3822
>>> ------------------------------------------------
>>> VP
>>> WebDNA Software Corporation
>>> 16192 Coastal Highway
>>> Lewes, DE 19958
>>> ---------------------------------------------------------
>>> This message is sent to you because you are subscribed to
>>> the mailing list .
>>> To unsubscribe, E-mail to:
>>> archives: http://mail.webdna.us/list/talk@webdna.us
>>> old archives: http://dev.webdna.us/TalkListArchive/

Toby Cox
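As an added illustration (not code from the thread or from WebDNA), this Python sketch shows the receiving-end check Donovan and Toby describe, with an HMAC standing in for WebDNA's [encrypt] and the cart reference, an issue time and the protected field values all bound into the hidden token, so it goes beyond the thread in also catching edits to the "other vars" Govinda asks about. The secret, the TTL and the field names are constructed assumptions.

```python
import hashlib
import hmac
import json
import time

# Constructed server-side secret: plays the role of the [encrypt] seed that the
# thread says should rotate daily/hourly or faster (assumption, not a real key).
SECRET = b"rotate-me-often-example-secret"
TOKEN_TTL_SECONDS = 600  # how long a served form stays valid (assumption)


def _canonical(fields: dict) -> str:
    # Deterministic encoding of the fields the server wants to pin down,
    # so the same values always produce the same MAC input.
    return json.dumps(fields, sort_keys=True, separators=(",", ":"))


def make_token(cart: str, fields: dict, issued_at: int) -> str:
    """Value for the hidden field of a freshly served form.

    The MAC covers the issue time (the thread's [date]), the cart reference
    (its 'information in the form') and the protected field values, so the
    token only verifies for this cart, these values and within the TTL.
    """
    msg = f"{issued_at}|{cart}|{_canonical(fields)}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}.{mac}"


def verify_token(token: str, cart: str, fields: dict, now: int) -> bool:
    """Receiving end: recompute the MAC from what was actually posted."""
    try:
        issued_str, posted_mac = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False  # malformed or missing hidden field
    if issued_at > now or now - issued_at > TOKEN_TTL_SECONDS:
        return False  # stale token, or an issue time in the future
    expected = make_token(cart, fields, issued_at).split(".", 1)[1]
    # Constant-time comparison so the check itself leaks nothing.
    return hmac.compare_digest(expected, posted_mac)


if __name__ == "__main__":
    t0 = int(time.time())
    order = {"price": "19.99", "qty": "2"}
    hidden = make_token("cart-42", order, t0)
    print(verify_token(hidden, "cart-42", order, t0 + 5))                         # True
    print(verify_token(hidden, "cart-42", {"price": "0.01", "qty": "2"}, t0 + 5))  # False
    print(verify_token(hidden, "cart-42", order, t0 + TOKEN_TTL_SECONDS + 1))      # False
```

A token copied out of a served page still verifies inside its TTL, so the check proves that the submission matches a recently served form for that cart with those values, not that anything outside the MAC is trustworthy.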
