
Preventing Spoofed Form Submissions

Jack_Frost

8:57 pm on Nov 13, 2006 (gmt 0)

10+ Year Member

Does anyone have information on how to prevent a contact form from being filled out with erroneous information? We have JavaScript validation for the actual form and use an asp session variable to match the form with the data, yet we still receive numerous e-mails a day that are submitted via our contact form.

All fields have the same data which is usually either a url string or an e-mail address.

Any advice or links to information would be greatly appreciated.

Thanks in advance.

TheSeoGuy

9:01 pm on Nov 13, 2006 (gmt 0)

10+ Year Member

We are having the same issue.

This happens many times throughout the day and we have yet to find a way to prevent it.

TheSeoGuy

9:03 pm on Nov 13, 2006 (gmt 0)

10+ Year Member

CAPTCHA would be a possibility, but there are usability issues with that approach.

BeeDeeDubbleU

9:54 pm on Nov 13, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

I had this problem a few weeks ago and asked the same question. Someone suggested asking enquirers to answer a simple question like "what is four plus three"? The right answer is presented in a drop down list with a few options.

I tried this and included an explanation beside the question to explain why we were doing it. It all sounds too simple but it has worked for me so far.

eelixduppy

9:57 pm on Nov 13, 2006 (gmt 0)

Related thread: [webmasterworld.com...]

>>>"what is four plus three"?

You can also use randomly generated numbers to sum that you pass to the next page for validation ;)
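The "randomly generated numbers passed to the next page" idea above, written out as an added example (not code from the thread or from any poster). The expected answer is kept in the server-side session rather than in the page, so the client never sees it; each challenge is single use and expires. The in-memory SESSIONS dict and the CHALLENGE_TTL value are assumptions standing in for a real framework's session store. This only stops clients that post without first fetching the form; a scripted client that loads the form and does the arithmetic still passes.

```python
import secrets
import time

# Constructed stand-in for a server-side session store (assumption):
# session id -> challenge record. A real app would use its framework's session.
SESSIONS = {}

# How long an issued challenge stays valid, in seconds (assumed value).
CHALLENGE_TTL = 600


def issue_challenge(session_id):
    """Create a random 'a plus b' question for this session.

    The expected answer is stored server-side only; the page gets the question text.
    """
    a = secrets.randbelow(9) + 1  # 1..9
    b = secrets.randbelow(9) + 1
    SESSIONS[session_id] = {"answer": a + b, "issued": time.time(), "used": False}
    return f"What is {a} plus {b}?"


def verify_challenge(session_id, submitted, now=None):
    """Check the submitted answer against the session's stored challenge.

    Fails closed when there is no challenge, it was already used, it has expired,
    or the value is not an integer. Each challenge allows exactly one attempt.
    """
    now = time.time() if now is None else now
    entry = SESSIONS.get(session_id)
    if entry is None or entry["used"]:
        return False
    if now - entry["issued"] > CHALLENGE_TTL:
        del SESSIONS[session_id]  # expired: drop it so it cannot be retried
        return False
    try:
        value = int(str(submitted).strip())
    except ValueError:
        return False
    entry["used"] = True  # single use: a replayed or retried answer fails
    return value == entry["answer"]
```

On the form page, call issue_challenge with the visitor's session id and render the returned question; on the processing page, call verify_challenge with the same session id and the posted field, and discard the submission when it returns False.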

TheSeoGuy

10:58 pm on Nov 13, 2006 (gmt 0)

10+ Year Member

Thanks for the tips.

eelixduppy, I have a session variable that I set and pass on the form and then verify on the processing page, but somehow, the generic submissions are bypassing this...

Jimmyco

6:40 pm on Nov 14, 2006 (gmt 0)

10+ Year Member

Server side validation. If you know php you can write one heck of a script to stop this.

pixeltierra

2:02 am on Nov 15, 2006 (gmt 0)

10+ Year Member

I think one could get around the random number trick by "opening" the form with scripting via HTTP and manipulating the data with the proper random numbers.

jtara

2:28 am on Nov 15, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

Javascript validation is not secure. You cannot depend on it. You cannot count on the user having Javascript turned on, nor can you trust the user not to modify the Javascript.

Javascript validation is there for the convenience of the user. Server-side validation is for the protection of the server. Don't skip the latter.

milanmk

5:24 am on Nov 15, 2006 (gmt 0)

10+ Year Member

Continuing jtara’s opinion, do not trust any inputs from your users and do validation on each and every input from them.

Check for minimum and maximum form values.
Check for type of values (numeric, string, url).
Clean them before using it for database query.
Do not use same table attributes as that of form fields.
Unset session variables when not required.
When using sessions, add remote ip check for session hijacking attacks.

I do not guarantee that this will permanently resolve your problem but it will definitely stop 90% of the form attacks.

Milan
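Server-side validation along the lines of jtara's and milanmk's posts, as an added example that is neither the thread's nor any poster's code. It checks minimum and maximum lengths, checks types (a syntactically valid e-mail address, no URL in the name), flags the original poster's symptom of every field carrying the same string, and writes to the database through a parameterized query using an explicit form-field-to-column map rather than the form's own field names. The RULES limits, the column names, the sqlite3 schema and the field-to-column mapping are all assumptions made for the example.

```python
import re
import sqlite3

# Loose syntactic checks; they reject obvious junk, not every malformed value.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)\S+")

# Per-field (min_len, max_len). Limits are assumed values for this example.
RULES = {
    "name": (2, 80),
    "email": (6, 254),
    "message": (10, 2000),
}

# Explicit map from form field to table column (assumed schema), so the
# request never decides which columns are written.
FIELD_TO_COLUMN = {"name": "sender_name", "email": "sender_email", "message": "body"}


def validate_contact_form(form):
    """Return a list of validation errors; an empty list means the form is acceptable."""
    errors = []
    for field, (lo, hi) in RULES.items():
        value = form.get(field, "")
        if not isinstance(value, str):
            errors.append(f"{field}: wrong type")
            continue
        value = value.strip()
        if not (lo <= len(value) <= hi):
            errors.append(f"{field}: length must be {lo}-{hi}")
    email = str(form.get("email", "")).strip()
    if not EMAIL_RE.match(email):
        errors.append("email: not a valid address")
    if URL_RE.search(str(form.get("name", ""))):
        errors.append("name: must not contain a URL")
    # The symptom from the first post: every field holds the same URL or address.
    values = {str(form.get(f, "")).strip() for f in RULES}
    if len(values) == 1 and next(iter(values)):
        errors.append("form: all fields identical")
    return errors


def make_db():
    """Constructed in-memory table standing in for the site's contact table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contact (id INTEGER PRIMARY KEY, "
        "sender_name TEXT, sender_email TEXT, body TEXT)"
    )
    return conn


def store_submission(conn, form):
    """Validate, then insert with bound parameters. Returns the error list (empty on success)."""
    errors = validate_contact_form(form)
    if errors:
        return errors
    cols = [FIELD_TO_COLUMN[f] for f in RULES]   # column names come from our map, never from the request
    vals = [form[f].strip() for f in RULES]      # values are bound, never concatenated into SQL
    placeholders = ", ".join("?" * len(cols))
    conn.execute(f"INSERT INTO contact ({', '.join(cols)}) VALUES ({placeholders})", vals)
    conn.commit()
    return []
```

Run validate_contact_form on every request regardless of what the client-side JavaScript did; the JavaScript saves honest users a round trip, as the thread says, but the server cannot assume it ran.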

TheSeoGuy

2:39 pm on Nov 15, 2006 (gmt 0)

10+ Year Member

jtara & milanmk,

I have been utilizing Javascript as you said, but my reasoning was more to avoid unnecessary round trips to the server.

milanmk... what do you mean by "Do not use same table attributes as that of form fields."

Thanks.