The Form Security Cookie System
One method spammers and crackers use to hijack forms is to replace a form value that the script copies into an outgoing email header (the sender's address or the subject, for example) with a crafted one: a line feed, then a Cc: or Bcc: header listing dozens or even thousands of email addresses, along with the spammer's message. The mail program treats everything after the line feed as additional headers, so the form-mailer ends up sending the spammer's message to all of those addresses.
See "The Hijacking of Master Form" at /a/25t/pl.pl?artref258 for a description of such a hijacking in action.
Master Series CGI programs have of course been updated to prevent such hijacking.
But there is another way to hijack certain types of forms. If the form user must supply the email address the form contents are sent to, the form is vulnerable; if the form also lets the user type a message for the recipient, it is especially vulnerable.
With forms like these the hijacker doesn't have to replace any outgoing email header lines; the form can be submitted as-is, and it would be very easy to write a script that submits such forms automatically.
To help prevent that kind of abuse, Master Recommend (now Master Recommend V3) and Master Recommend Pro V4 have been requiring the browser to provide the URL of the form (the referrer) before allowing the recommendation to be sent.
Some browsers, however, have privacy or anti-logging preferences set that keep the referrer from being sent to the script, and some people's personal firewalls strip it as well. A referrer check then prevents those people from making recommendations. (The check is also a weak one on its own: a script can send whatever referrer value it likes.)
Lost recommendations mean lost qualified visitors and can mean lost sales.
Some method was needed to ascertain the validity of form submissions.
After mulling it over from time to time following the Master Form hijacking incident mentioned above, I had the idea for a security cookie.
The Form Security Cookie System was designed for forms that, by their very nature, require the email address of a message receiver to be specified by the form user. Recommend-me type of web page forms obviously fall into this category -- the user is required to supply the email address of the person to send the recommendation to.
The system is designed to prevent automated submission of these types of forms by spammers' or crackers' programs.
It has already been implemented in Master Recommend V3 and Master Recommend Pro V4. The product description pages where you can obtain the programs are, respectively, at /a/25t/pl.pl?mr and /a/25t/pl.pl?mrp
Please upgrade as soon as possible.
There is no charge to download and use Master Recommend V3.
If you already own a license to Master Recommend Pro V4, there is no charge to upgrade. Otherwise, a license is $49. Proceeds from sales of Master Recommend Pro V4 are donated to charities helping the Lakota Sioux residing at the Pine Ridge Reservation -- a reservation encompassing the two most economically depressed counties of the United States of America.
How the Form Security Cookie System Works
When the recommend form is loaded into the user's browser, JavaScript determines a unique value for a cookie. It then:
- Sets a cookie with that value in the user's browser. (The browser sends the cookie back only to the domain that set it, which must be the same domain name that's specified in the JavaScript code itself.)
- Stores the same value in the form's hidden field name="sc"
When the form is submitted, the form field name="sc" value is submitted to the recommend-me program along with the rest of the form values.
If the recommend-me program has been told to validate the security cookie, it then:
- Verifies that a security cookie arrived with the request and that its value matches what arrived in the form's hidden field name="sc"
- Verifies that the same security cookie has not previously been used. (Master Recommend V3 looks back five days. Master Recommend Pro V4 can be told how far back to look when the recommend-me form is generated.)
- Changes the security cookie's value in the browser to "already used", so that resubmitting the same form page fails the first check.
Because it works the way it does, the Form Security Cookie System requires that both the recommend-me form and the recommend-me program reside on the same domain. Note also what the checks establish: both the cookie and the hidden field originate in the browser, so the program cannot tell a value its own JavaScript generated from one a script made up. What the system defeats is a script that submits the form without handling cookies, or that resubmits a captured submission, rather than one written to send a fresh, matching cookie and hidden field with every request.
Upgrading
If you're using either of our recommend-me programs, please upgrade as soon as possible. There is no charge to upgrade. The product description pages of Master Recommend V3 and Master Recommend Pro V4 are, respectively, at /a/25t/pl.pl?mr and /a/25t/pl.pl?mrp
Will Bontrager
©2004 Bontrager Connection, LLC