A while back someone was having a problem with using cfhttp to login to an ASP
site.
There was huge debate on why this was happening. I haven't re-read it but I bet
there are some extra methods in there for defeating offline form posts (& maybe
even spam bots?)
I think this was the post:
http
> At some stage this will be the only true solution:
> http://zapatopi.net/afdb/
Hah! Indeed it will
But until they make the model with the plastic-wrap inner-lining... there
are plenty of transparent methods to try. Quite a few people have solved
their spamming problem with a simple hidden fiel
On Friday 11 May 2007, K Simanonok wrote:
> What would be a better way to solve this problem?
Asking them a simple math question seems to be working well at the moment.
--
Tom Chiverton
Helping to advantageously repurpose edge-of-your-seat metrics
on: http://thefalken.livejournal.com
At some stage this will be the only true solution:
http://zapatopi.net/afdb/
On 5/11/07, K Simanonok <[EMAIL PROTECTED]> wrote:
> >> Offsite forms can be submitted to use your email templates as
> >
> >Here's the header you'd have to include.
> >
> >Referer: http://mywebsite.com/
> >
> >Not too m
>> Offsite forms can be submitted to use your email templates as
>
>Here's the header you'd have to include.
>
>Referer: http://mywebsite.com/
>
>Not too much to that, is there?
Not if they are able to figure it out, which someone determined enough would
probably eventually do. Fortunately my h
> Offsite forms can be submitted to use your email templates as
> Spam blasters or else to send Spam to you, and such
> submittals can be automated so they'll do their dirty work
> without any human intervention. I just recently had this
> problem with some creep attacking a site of mine with
somewhere else.
-Original Message-
From: K Simanonok [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 10, 2007 1:28 AM
To: CF-Talk
Subject: Re: defeating offline form posts
At 03:10 AM 5/9/2007, Eric wrote:
> Curious question here. If I think about this, if someone takes a form
of ours for login
Many personal firewalls (e.g. Norton Internet Security) strip the
"referer" info, so this may send a nasty message to legit users.
Spoofing it is as easy as on CF and an equivalent in any
other platform and if I were spamming I'd assume that I needed to set
this to the online form location as a m
At 03:10 AM 5/9/2007, Eric wrote:
> Curious question here. If I think about this, if someone takes a form
of ours for login, for example, and makes a local copy on their
machine and they set the post action to be the live server
authenticate file what is the best way to detect this and def
-Talk
Subject: RE: defeating offline form posts
Well, an automated process where they create spam accounts into the system?
We could use CAPTCHA maybe, but a lot of users hate that. I was wondering
if there was a good practice to additionally nail them in advance of captcha
use, but maybe not
True...it's all relatively relative I supposed :)
On 5/9/07, Tom Chiverton <[EMAIL PROTECTED]> wrote:
> On Wednesday 09 May 2007, Ken Wexel wrote:
> > seems like it would be a lot of work to create the session,
> > load the form, save the form locally, change the post path, spoof the
> > session
> Curious question here. If I think about this, if someone
> takes a form of ours for login, for example, and makes a local
> copy on their machine and they set the post action to be the
> live server authenticate file what is the best way to detect
> this and defeat it? No one has ever
Sent: Wednesday, May 09, 2007 5:05 AM
To: CF-Talk
Subject: Re: defeating offline form posts
Eric J. Hoffman wrote:
> Curious question here. If I think about this, if someone takes a form
> of ours for login, for example, and makes a local copy on their
> machineand they set the post act
On Wednesday 09 May 2007, Ken Wexel wrote:
> seems like it would be a lot of work to create the session,
> load the form, save the form locally, change the post path, spoof the
> session, etc. just to post it from somewhere else once.
Depends on your threat profile.
It only takes a geek an hour
> -Original Message-----
> > >
> > > From: AJ Mercer [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, May 08, 2007 9:53 PM
> > > To: CF-Talk
> > > Subject: Re: defeating offline form posts
> > >
> > > Have a look at the CGI variables
> &
My thoughts exactly Jochem. What's the difference if they use their form or
your form if the action template is what matters?
-Original Message-
From: Jochem van Dieten [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 09, 2007 6:05 AM
To: CF-Talk
Subject: Re: defeating offline form
ise as a result of e-mail transmission. If
>> verification is required please request a hard-copy version.
>>
>>
>> -Original Message-
>>
>> From: AJ Mercer [mailto:[EMAIL PROTECTED]
>> Sent:
Eric J. Hoffman wrote:
> Curious question here. If I think about this, if someone takes a form
> of ours for login, for example, and makes a local copy on their
> machine and they set the post action to be the live server
> authenticate file what is the best way to detect this and defeat it
On Wednesday 09 May 2007, Eric J. Hoffman wrote:
> authenticate file what is the best way to detect this and defeat it?
> No one has ever gained access this way as of yet, but we are studying
> possibilities, and this seems to me to be an attack vector.
What could they do by submitting the local
That's where I started but the thing is, I think they can spoof that
> > variable? Or not?
> >
> >
> > -Original Message-
> >
> > From: AJ Mercer [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, May 08, 2007 9:53 PM
> > To: CF-
-Original Message-
From: AJ Mercer [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 08, 2007 9:53 PM
To: CF-Talk
Subject: Re: defeating offline form posts
Have a look at the CGI variables
in particular CGI.HTTP_REFERER
This is the
Put the session ID in the form and then check to see if the session has
expired.
Jaime Metcher
> -Original Message-
> From: Eric J. Hoffman [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 9 May 2007 12:44 PM
> To: CF-Talk
> Subject: defeating offline form posts
>
>
> Curious question here.
Have a look at the CGI variables
in particular CGI.HTTP_REFERER
This is the page before the current one - it should have your server details
in there, otherwise discard.
On 5/9/07, Eric J. Hoffman <[EMAIL PROTECTED]> wrote:
>
> Curious question here. If I think about this, if someone takes a f
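The two checks the thread puts forward, the CGI.HTTP_REFERER test and Jaime Metcher's "put the session ID in the form and check the session hasn't expired", side by side in an added Python example. This is not code from the list or from any poster; the session store, the `session_id` cookie and `form_token` field names, the 20-minute timeout and the four sample posts are all constructed for illustration. The sample posts show the trade-off the replies describe: a header value is easy to set from an off-site copy of the form, while a user behind a referer-stripping personal firewall carries no header at all, so the session-bound token is the check that actually tells the two apart.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SITE_ORIGIN = "http://mywebsite.com/"   # origin from the thread's example Referer header
SESSION_TTL_SECONDS = 20 * 60           # constructed value: a 20-minute session timeout


@dataclass
class Session:
    form_token: str
    expires_at: float


class SessionStore:
    """Minimal server-side session store; the clock is injectable so expiry can be exercised."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def create(self) -> Tuple[str, str]:
        """Start a session and mint the random token the served form carries as a hidden field."""
        session_id = secrets.token_urlsafe(16)
        form_token = secrets.token_urlsafe(16)
        self._sessions[session_id] = Session(form_token, self._clock() + SESSION_TTL_SECONDS)
        return session_id, form_token

    def lookup(self, session_id: Optional[str]) -> Optional[Session]:
        """Return the live session for this id, dropping it if it has expired."""
        if not session_id:
            return None
        session = self._sessions.get(session_id)
        if session is None:
            return None
        if self._clock() >= session.expires_at:
            del self._sessions[session_id]
            return None
        return session


def referer_check(headers: Dict[str, str]) -> bool:
    """The CGI.HTTP_REFERER test from the thread: accept only if the previous page was on our
    server. A missing header fails, which is what rejects users behind firewalls that strip it."""
    return headers.get("Referer", "").startswith(SITE_ORIGIN)


def session_token_check(store: SessionStore, cookies: Dict[str, str], form: Dict[str, str]) -> bool:
    """The session-bound check: the form carries a token tied to the session, and the post is
    accepted only if that session still exists, has not expired, and the token matches."""
    session = store.lookup(cookies.get("session_id"))
    if session is None:
        return False
    return hmac.compare_digest(session.form_token, form.get("form_token", ""))


def evaluate_post(store: SessionStore, headers: Dict[str, str],
                  cookies: Dict[str, str], form: Dict[str, str]) -> Dict[str, bool]:
    """Run both checks on one incoming post and report each verdict separately."""
    return {"referer_ok": referer_check(headers),
            "session_ok": session_token_check(store, cookies, form)}


def demo() -> Dict[str, Dict[str, bool]]:
    """Four constructed posts that show where each check succeeds and fails."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    session_id, form_token = store.create()

    # 1. A user who loaded the form on our site and submitted it within the session lifetime.
    on_site = evaluate_post(store, {"Referer": SITE_ORIGIN + "login.cfm"},
                            {"session_id": session_id}, {"form_token": form_token})

    # 2. A copy of the form hosted elsewhere, posting straight to the action page with the
    #    Referer header set to our origin. The header passes; the missing session does not.
    off_site = evaluate_post(store, {"Referer": SITE_ORIGIN}, {}, {"form_token": "guess"})

    # 3. A legitimate user whose personal firewall strips Referer, as one reply describes:
    #    the referer check alone would turn them away, the session check still admits them.
    stripped = evaluate_post(store, {}, {"session_id": session_id}, {"form_token": form_token})

    # 4. The same user after the session has timed out: the token no longer vouches for anything.
    now[0] += SESSION_TTL_SECONDS + 1
    expired = evaluate_post(store, {"Referer": SITE_ORIGIN + "login.cfm"},
                            {"session_id": session_id}, {"form_token": form_token})

    return {"on_site": on_site, "off_site": off_site,
            "referer_stripped": stripped, "expired": expired}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:17s} {verdict}")
```

The token is compared with `hmac.compare_digest` rather than `==` so the comparison does not leak timing information, and expiry is enforced on the server-side session rather than on anything the client sends, which is the part of Jaime's suggestion that an off-site copy of the form cannot reproduce.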