
Secure Web Forms

Security online is a responsibility, and one that should be taken seriously.
One area where many sites fall down is the point at which they engage their readership and ask for input.
A web form is one of the easiest mechanisms to set up on a web service, and certainly one of the most useful. But it is open to a great many abuses.
The most serious are SQL injection and similar attacks that lead to data or system breaches.
Sometimes, though, the low-end inconveniences need to be addressed too. Properly.
There are tools out there specifically designed to hunt out web forms and test them. Yes, they will check the whole gamut of SQL injection techniques, but just as valuable to an attacker can be the free-entry form itself.
Consider a very simple “contact us” form. It will normally contain the following:

  • Product/site interest
  • User name
  • User email address
  • Comment

Programmatically we can protect the database and system from SQL injection, buffer overflows and the like. But we have left the form open to a huge abuse: it is an open spam engine.
How it works
Very simply. The spambot finds the web form and posts the requested details using an email address that it controls and can check. It may try this in several ways, several times, using several addresses.
A footprint is generated indicating what is possible through the web form: in particular, whether anything the bot typed is mailed back to the address it gave.
Phase three is to abuse the web form. The form is completed many, many times with innocent people's email addresses, and the comment field is filled with the spam payload: "Eat Spam at Joe's".
Now, as each comment is processed there is a high probability that you send a confirmation copy to the sender address, which is exactly what the spambot was checking for earlier. Since the form was filled in with all those innocent recipients' addresses, you have just sent out a huge spam run.
Not the spambot: you. Your web form, your web server, your mail server, your IP address, your mail domain.
Your reputation!
Protection Mechanisms
The best solution here is always to make it expensive for the spambot to use the web form. Spam engines use you as a launch pad for two reasons: reputation and cost effectiveness.
You have a good mail reputation. Your mail is trusted, at least until after the first spambot attack.
Your web form is hosted by you and uses your resources (bandwidth, CPU, etc.). The spambot itself is cheap and easy to run.
So we make our web form expensive. How?

  • Time
  • Processing
  • Insist on confirmation

Increasing load time
Sounds all wrong, doesn't it? Absolutely. We are all told that the web needs to be faster and faster. But there are exceptions. A spambot is looking for a quick, quick, quick process; any delay can massively reduce its effectiveness. Conversely, though we are taught otherwise, real users can accommodate short delays and may not even notice them. So we deliberately add a delay and hold the connection open.
There is a cost involved: the server can process fewer concurrent users as a result. But the benefits are pretty good. Put in a small delay of, say, 5 seconds and most users would not notice, but to the spambot the form has taken perhaps ten times longer to load, maybe far more. For spambots this is poison: it slows them down and makes them less efficient, so they bail out before they get the opportunity to populate the form. The cost cuts both ways, though: a held connection occupies a server worker for the whole delay, so a bot that opens many connections in parallel can turn your delay into a denial of service against you. Keep the delay short and cap the number of concurrent form requests per client.
Making the user's machine do some work is especially effective. The best way is to ask for some processing that is relatively easy for a human but difficult or costly for a computer. The classic is the CAPTCHA image or its little brother, the Turing number.
Each of these requires interpretation, and thus processing.
CAPTCHA is the more professional solution, with obfuscated random text displayed in a dynamically generated image.
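Because a server-side sleep holds a worker for every request, a cheaper way to enforce the same minimum fill time is to stamp the form with the moment it was served and refuse any submission that comes back faster than a human could type. The following Python is an added example, not code from the original post: it keeps no server state, because the timestamp travels in a hidden field protected by an HMAC so the bot cannot backdate it. The secret, the thresholds (5 seconds minimum, one hour maximum) and the field format are assumptions for the example.

```python
import hashlib
import hmac
import time

# Assumed server-side secret for this example; a real deployment loads it from
# configuration and never hard-codes it.
SECRET_KEY = b"replace-me-with-a-random-32-byte-secret"

# A human needs at least a few seconds to read and fill a contact form, and a
# form left open for hours is stale (both thresholds are assumptions).
MIN_FILL_SECONDS = 5
MAX_FILL_SECONDS = 3600


def issue_form_token(now=None):
    """Embed the time the form was served in a signed token.

    The token goes into a hidden field of the form; the server keeps no state.
    """
    issued = int(now if now is not None else time.time())
    payload = str(issued).encode()
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    return f"{issued}.{mac}"


def check_form_token(token, now=None):
    """Return (ok, reason). Rejects forged, too-fast and stale submissions."""
    now = now if now is not None else time.time()
    try:
        issued_str, mac = token.split(".", 1)
        issued = int(issued_str)
    except (ValueError, AttributeError):
        return False, "malformed"
    expected = hmac.new(SECRET_KEY, issued_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"       # timestamp was edited or invented
    elapsed = now - issued
    if elapsed < MIN_FILL_SECONDS:
        return False, "submitted too fast"  # bot POSTed straight after the GET
    if elapsed > MAX_FILL_SECONDS:
        return False, "token expired"       # replay of an old token
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000                       # constructed "form served" time
    tok = issue_form_token(now=t0)
    print(check_form_token(tok, now=t0 + 1))       # bot: submitted too fast
    print(check_form_token(tok, now=t0 + 40))      # human: ok
    print(check_form_token(tok + "x", now=t0 + 40))  # tampered: bad signature
```

The check costs the server one HMAC per submission, so unlike a sleep it does not get worse the harder the bot pushes; pair it with a per-client rate limit for the submissions that do pass.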
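A CAPTCHA makes the human do the work. The machine-side version of the same "Processing" cost is a proof-of-work challenge: the server hands out a random challenge, the client must find a nonce whose hash with that challenge starts with a given number of zero bits, and the server checks the answer with a single hash. The Python below is an added example and not code from the post; the difficulty (16 bits, so about 65,000 hashes per form), the challenge format and the in-memory set of outstanding challenges are assumptions for the example.

```python
import hashlib
import secrets

# Leading zero bits the client must find. Raise it until a legitimate browser
# spends a second or two; a bot posting thousands of forms cannot afford that.
# (Value is an assumption for this example.)
DIFFICULTY_BITS = 16

# Challenges handed out but not yet spent; a database in a real deployment.
_outstanding = set()


def issue_challenge():
    """Server side: a fresh random challenge to embed in the form."""
    challenge = secrets.token_hex(16)
    _outstanding.add(challenge)
    return challenge


def leading_zero_bits(digest):
    """Count the leading zero bits of a byte string."""
    bits = 0
    for b in digest:
        if b == 0:
            bits += 8
            continue
        bits += 8 - b.bit_length()
        break
    return bits


def nonce_is_valid(challenge, nonce, difficulty=DIFFICULTY_BITS):
    """The stateless check both sides share: one SHA-256 of challenge:nonce."""
    digest = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
    return leading_zero_bits(digest) >= difficulty


def solve(challenge, difficulty=DIFFICULTY_BITS):
    """Client side: brute-force a nonce. Expected cost is 2**difficulty hashes."""
    nonce = 0
    while not nonce_is_valid(challenge, nonce, difficulty):
        nonce += 1
    return nonce


def verify(challenge, nonce, difficulty=DIFFICULTY_BITS):
    """Server side: accept each issued challenge once, then check the nonce.

    Spending the challenge before checking the nonce means a wrong answer
    burns it; the client has to fetch the form again, which is the point.
    """
    if challenge not in _outstanding:
        return False            # never issued, or already spent (no replay)
    _outstanding.discard(challenge)
    return nonce_is_valid(challenge, nonce, difficulty)


if __name__ == "__main__":
    c = issue_challenge()
    n = solve(c)                # what the browser would do before submitting
    print(c, n, verify(c, n))   # True
    print(verify(c, n))         # False: the same solution cannot be reused
```

Unlike a CAPTCHA this stops no human-driven spam, but it scales in the direction the post wants: the server spends one hash per submission while the sender spends tens of thousands.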
Request Confirmation
Here we insist on a sign-up system.
To send a comment you must vouch that the email address is valid.
Never accept a comment from, or send a comment to, an address until this generic, preordained verification has been completed. Insist that comments are processed only from a recognised, verified address. The confirmation message itself must be fixed text carrying nothing but the verification link: if it echoes the comment, the confirmation mail becomes the spam payload.
This means the spammer can only spam themselves.
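The double opt-in loop described above, as an added Python example that is not code from the original post. The comment is parked until the address owner clicks a single-use link; the only mail an unverified address ever receives is fixed text, sent at most once, and the comment is delivered to the site owner only afterwards. The in-memory dictionaries, the owner address, the URL in the confirmation mail and the one-mail-per-address rule are assumptions for the example.

```python
import re
import secrets

# In-memory stores standing in for a database (an assumption for this example).
pending = {}              # token -> {"email": ..., "comment": ...}
awaiting = set()          # addresses already sent a confirmation mail
verified_senders = set()  # addresses that have completed the loop
outbox = []               # every mail the server "sends", captured for inspection

OWNER = "owner@example.com"   # hypothetical recipient of genuine comments
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def deliver(email, comment):
    """Hand a comment to the site owner. Only ever called for verified senders."""
    outbox.append({"to": OWNER, "from": email, "body": comment})


def submit_comment(email, comment):
    """Step 1: accept the form, but send nothing user-controlled anywhere."""
    if not EMAIL_RE.match(email):
        return "rejected"
    if email in verified_senders:
        deliver(email, comment)
        return "delivered"
    if email in awaiting:
        # One confirmation per address: the bot cannot make us mail the same
        # victim repeatedly (a real site would allow a resend after a cooldown
        # and expire entries that are never confirmed).
        return "already pending"
    token = secrets.token_urlsafe(32)
    pending[token] = {"email": email, "comment": comment}
    awaiting.add(email)
    # Fixed text only: the comment must never appear in this mail, or the
    # confirmation itself becomes the spam payload.
    outbox.append({"to": email, "from": OWNER,
                   "body": f"Confirm your address: https://example.com/confirm/{token}"})
    return "confirmation sent"


def confirm(token):
    """Step 2: only the holder of the mailbox can present the token."""
    entry = pending.pop(token, None)   # single use: a second click fails
    if entry is None:
        return False
    awaiting.discard(entry["email"])
    verified_senders.add(entry["email"])
    deliver(entry["email"], entry["comment"])
    return True


if __name__ == "__main__":
    # Constructed run: a bot submits spam under an innocent address.
    print(submit_comment("victim@example.net", "Eat Spam at Joe's"))  # confirmation sent
    print(submit_comment("victim@example.net", "Eat Spam at Joe's"))  # already pending
    for mail in outbox:
        print(mail)   # one fixed-text mail; the spam text never leaves the server
```

The residual cost is one short fixed-text mail per address the bot types in, which is why the one-per-address rule and a sensible expiry on the pending table matter: the bot can still make you send something, but never its own words and never twice.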
Final Note
Always look out for the anti-spam solutions available on your portal or technology, and ask around the forums, product support and industry specialists to see if the problem has already been solved.
Good luck – it's a hard nut to crack.


About harlekwinblog

"Thoughts of an idle mind." Information Security professional.
