The Vulnerability Of Modern Websites

5 replies
Hey Guys,

I have been thinking for a while at just how vulnerable websites are these days.

I have spent the past 8 years generating leads via websites using contact forms. In truth, the whole idea of a contact form is flawed.

Right now people use captcha to try and secure their forms from spam, but this will not protect them, especially against malicious attacks.

Let's say your business is set up around the concept that people visit your website, complete a form, and one of your sales guys calls him back to put the close on him.

This method works great, using telesales you can get much higher margins and close rates.

BUT... it is extremely vulnerable to attack.

Let me paint the following picture.

You get the phone book and input it into a database.
You create around 50 sentences related to the product of the victim.

THEN... You create some software that...

- Scans for open proxies to use with submissions
- Completes forms on victims website using random details from the phone book (when they call them there will actually be someone with that name answering, imagine the wasted time!)
- Spins comments field using inputted sentences and thesaurus alterations.
- Breaks any captcha they put on it

What can we do to protect against this?

I have thought about possibly using java or flash to create the forms and randomly change the order and field names but even this wouldn't work. There are readily available libraries that can easily identify the sections by changing the monitor view to a jpg and detecting them.

Right now to get attacked like this is unlikely unless you piss off a programmer, but what about when inevitably someone, somewhere develops a "security tool" that automates this process.

What do we do then?

I'm not panicked or worried, it's just that this has been buzzing round in my head. I really can't see any way to protect against it.

Are contact forms doomed to fail?
#modern #vulnerability #websites
  • radio
    this is really a far fetched concern - interesting theoretically, but not really an issue any time soon. and the solution for that? you just make more and more hoops for a person to jump through... get an auto dialer to auto dial the person a confirmation code that they must input, etc. etc. etc. - all it does is put more burden on the person requesting information. you weigh the extra time and effort that your staff has to go through to weed out the crap OR you weigh the risk of losing leads as a result of all the hoops you make that person jump through to confirm they are a real person.
  • GuerrillaIM
    It's far fetched until it happens to you. Just because it is not happening to you does not mean it doesn't happen. I have been the victim of this attack previously and have done the research involved to find out how it is done.

    I don't think it is that far in the future, if I wanted to I could release a tool like this within a couple of weeks. I would really like to think up a better security system than captcha.
  • CMartin
    Originally Posted by GuerrillaIM

    Let me paint the following picture.

    You get the phone book and input it into a database.
    You create around 50 sentences related to the product of the victim.

    THEN... You create some software that...

    - Scans for open proxies to use with submissions
    - Completes forms on victims website using random details from the phone book (when they call them there will actually be someone with that name answering, imagine the wasted time!)
    - Spins comments field using inputted sentences and thesaurus alterations.
    - Breaks any captcha they put on it

    What can we do to protect against this?

    I have thought about possibly using java or flash to create the forms and randomly change the order and field names but even this wouldn't work. There are readily available libraries that can easily identify the sections by changing the monitor view to a jpg and detecting them.

    Right now to get attacked like this is unlikely unless you piss off a programmer, but what about when inevitably someone, somewhere develops a "security tool" that automates this process.

    What do we do then?
    This is a "cat-and-mouse" game - every time you implement additional security or different ways of showing the forms, there will always be new/different ways to try to circumvent them.

    Implementing additional security may annoy new potential customers, so a better way may be to do things in different ways in order to make it more difficult to create automated software to fill and submit the forms. Some examples:
    - Instead of showing the captcha when the page loads, show it (by loading it via ajax) only after the user has entered data in the required fields;
    - Instead of showing the form when the page loads, delay it about 1/3 seconds (via ajax);
    - Create an additional hidden field with some kind of identifier that is appended to the form with a delay of 3 seconds (after the page is loaded) or when the user fills the required fields - again via ajax;
    - Use different type of captchas - instead of using a specific one, use several types that are applied randomly;
    - Use a flash object to store some identifier (using local storage) and check if the identifier is present after the form is submitted in the "thank you page". As flash stores the data in the same place for the same domain, it is pretty easy to check if a specific machine has already submitted the form.

    The drawback from using any of these implementations is that it requires that javascript (and flash for the last) is enabled on the users' browser. If a "real" lead does not have it enabled...

    Anyway, whatever you implement you will never get a "bulletproof" system! If someone is determined to fill your forms with bogus data they will always find a way, either by using automated software, doing it themselves or even by outsourcing that job to several people.

    Carlos
  • d101
    ... well, there is plenty of data that is sent with each page request aka submission.

    XSS attacks (cross site attacks) can be spotted easily. A good Server side script can validate the integrity of the submissions before processing them ... actually it could even pre-check the request before outputting the form fields ... since auto submission tools (web bots) rely often on knowing the field names ... which could be altered ... and so forth ...

    usually, a human user "does stuff" before entering data into a form field. that can be checked ... ... .... ;-)

    deep stuff. deep thinking. good monitoring. good analytical skills. but possible.
  • GuerrillaIM
    I like your take on this. Look for a human footprint.

    As long as JS is enabled you could monitor mouse movement, time on page etc.

    This could help you filter out attacks. And as long as you don't report to the attacker that you are filtering them, then this method should hold pretty well (unless they know what you're doing).

    Thanks for contributing D101, I like this idea.
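The server-side half of what CMartin's list (a delayed identifier field appended via ajax, a duplicate-client check) and d101/GuerrillaIM's "human footprint" idea (time on page, mouse and key activity) describe, written out as an added example; this is not code from any poster in the thread. It assumes the page's JavaScript fetches an HMAC-signed token a few seconds after load and submits it in a hidden field called `form_token`, that the page reports interaction counts in `js_mouse_moves` and `js_key_events`, and that `website_url` is a hidden honeypot field a person never sees; all of those field names, the thresholds and the sample submissions are constructed for illustration. The same signed-timestamp check also gives a minimum fill time, which is what a real lead takes and a bulk submitter usually does not.

```python
"""Server-side checks for a contact form: delayed signed identifier field,
honeypot, minimum fill time, duplicate-client detection and an interaction
("human footprint") check. Constructed example; field names, thresholds and
sample data are assumptions, not any project's real API."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Per-deployment signing secret (constructed placeholder; use a random value).
SECRET = b"replace-with-a-random-32-byte-secret"
MIN_FILL_SECONDS = 3          # a person rarely completes the form faster
MAX_TOKEN_AGE_SECONDS = 3600  # a token older than an hour is stale


def issue_token(client_id: str, issued_at: int) -> str:
    """Token the page appends to the form via ajax shortly after load.
    It binds the client session to its issue time and is HMAC-signed, so a
    submitter cannot forge an earlier timestamp or reuse another session's."""
    msg = f"{client_id}:{issued_at}".encode()
    sig = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}:{sig}"


def parse_token(token: str, client_id: str) -> Optional[int]:
    """Return the issue time if the token's signature is valid, else None."""
    try:
        issued_str, sig = token.split(":", 1)
        issued_at = int(issued_str)
    except ValueError:
        return None
    msg = f"{client_id}:{issued_at}".encode()
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return issued_at if hmac.compare_digest(sig, expected) else None


def _count(value) -> int:
    """Parse a client-reported counter; anything unparseable counts as zero."""
    try:
        return max(0, int(value))
    except (TypeError, ValueError):
        return 0


@dataclass
class Submission:
    client_id: str     # e.g. a session cookie set when the page was served
    fields: dict       # posted form fields
    received_at: int   # server clock (epoch seconds) at submission


@dataclass
class Verdict:
    accepted: bool
    reasons: list = field(default_factory=list)


def check_submission(sub: Submission, seen_clients: set) -> Verdict:
    """Evaluate one submission; accepted clients are recorded in seen_clients."""
    reasons = []
    # 1. Honeypot: hidden field a person never sees; bots filling every field trip it.
    if sub.fields.get("website_url", "") != "":
        reasons.append("honeypot filled")
    # 2. Delayed signed identifier: absent means the form was posted without
    #    loading the page (or without JS); forged or stale means tampering.
    issued_at = parse_token(sub.fields.get("form_token", ""), sub.client_id)
    if issued_at is None:
        reasons.append("missing or invalid form token")
    else:
        age = sub.received_at - issued_at
        if age < MIN_FILL_SECONDS:
            reasons.append(f"filled too fast ({age}s)")
        if age > MAX_TOKEN_AGE_SECONDS:
            reasons.append("token expired")
    # 3. Duplicate client: the same session submitting the form again.
    if sub.client_id in seen_clients:
        reasons.append("duplicate submission from client")
    # 4. Human footprint: JS ran (token valid) yet reported no interaction at all.
    moves = _count(sub.fields.get("js_mouse_moves"))
    keys = _count(sub.fields.get("js_key_events"))
    if issued_at is not None and moves == 0 and keys == 0:
        reasons.append("no interaction events")
    accepted = not reasons
    if accepted:
        seen_clients.add(sub.client_id)
    return Verdict(accepted, reasons)


if __name__ == "__main__":
    # Constructed sample: page served at t=1000, token issued 3 s later,
    # form posted at t=1012 by a client that moved the mouse and typed.
    seen = set()
    token = issue_token("sess-1", 1003)
    lead = Submission("sess-1", {"name": "A. Person", "comments": "Call me",
                                 "form_token": token, "js_mouse_moves": "14",
                                 "js_key_events": "40"}, 1012)
    print(check_submission(lead, seen))
```

Nothing here is reported back to the submitter beyond a generic "thank you" page, which matches GuerrillaIM's point that the filtering should stay invisible; rejected submissions are best logged for review rather than bounced with an error that tells the sender which check failed.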