Re: defeating offline form posts

2007-05-11 Thread Richard Cooper
A while back someone was having a problem with using cfhttp to log in to an ASP site. There was a huge debate on why this was happening. I haven't re-read it, but I bet there are some extra methods in there for defeating offline form posts (& maybe even spam bots?). I think this was the post: http

RE: defeating offline form posts

2007-05-11 Thread Bobby Hartsfield
> At some stage this will be the only true solution: > http://zapatopi.net/afdb/ Hah! Indeed it will. But until they make the model with the plastic-wrap inner-lining... there are plenty of transparent methods to try. Quite a few people have solved their spamming problem with a simple hidden fiel

Re: defeating offline form posts

2007-05-11 Thread Tom Chiverton
On Friday 11 May 2007, K Simanonok wrote: > What would be a better way to solve this problem? Asking them a simple math question seems to be working well at the moment. -- Tom Chiverton Helping to advantageously repurpose edge-of-your-seat metrics on: http://thefalken.livejournal.com *

Re: defeating offline form posts

2007-05-11 Thread James Holmes
At some stage this will be the only true solution: http://zapatopi.net/afdb/ On 5/11/07, K Simanonok <[EMAIL PROTECTED]> wrote: > > > Offsite forms can be submitted to use your email templates as > > Here's the header you'd have to include. > > Referer: http://mywebsite.com/ > > Not too m

Re: defeating offline form posts

2007-05-11 Thread K Simanonok
> > Offsite forms can be submitted to use your email templates as > Here's the header you'd have to include. > Referer: http://mywebsite.com/ > Not too much to that, is there? Not if they are able to figure it out, which someone determined enough would probably eventually do. Fortunately my h

RE: defeating offline form posts

2007-05-10 Thread Dave Watts
> Offsite forms can be submitted to use your email templates as > Spam blasters or else to send Spam to you, and such > submittals can be automated so they'll do their dirty work > without any human intervention. I just recently had this > problem with some creep attacking a site of mine with

RE: defeating offline form posts

2007-05-10 Thread Bobby Hartsfield
somewhere else. K Simanonok wrote: > At 03:10 AM 5/9/2007, Eric wrote: > > Curious question here. If I think about this, if someone takes a form of ours for login

Re: defeating offline form posts

2007-05-09 Thread James Holmes
Many personal firewalls (e.g. Norton Internet Security) strip the "referer" info, so this may send a nasty message to legit users. Spoofing it is as easy as on CF and an equivalent in any other platform and if I were spamming I'd assume that I needed to set this to the online form location as a m

Re: defeating offline form posts

2007-05-09 Thread K Simanonok
At 03:10 AM 5/9/2007, Eric wrote: > Curious question here. If I think about this, if someone takes a form of ours for login, for example, and makes a local copy on their machine and they set the post action to be the live server authenticate file, what is the best way to detect this and def

RE: defeating offline form posts

2007-05-09 Thread Bobby Hartsfield
> Well, an automated process where they create spam accounts into the system? We could use CAPTCHA maybe, but a lot of users hate that. I was wondering if there was a good practice to additionally nail them in advance of captcha use, but maybe not

Re: defeating offline form posts

2007-05-09 Thread Ken Wexel
True...it's all relatively relative I suppose :) On 5/9/07, Tom Chiverton <[EMAIL PROTECTED]> wrote: > On Wednesday 09 May 2007, Ken Wexel wrote: > > seems like it would be a lot of work to create the session, > > load the form, save the form locally, change the post path, spoof the > > session

RE: defeating offline form posts

2007-05-09 Thread Dave Watts
> Curious question here. If I think about this, if someone > takes a form of ours for login, for example, and makes a local > copy on their machine and they set the post action to be the > live server authenticate file, what is the best way to detect > this and defeat it? No one has ever

RE: defeating offline form posts

2007-05-09 Thread Eric J. Hoffman
> Eric J. Hoffman wrote: > > Curious question here. If I think about this, if someone takes a form of ours for login, for example, and makes a local copy on their machine and they set the post act

Re: defeating offline form posts

2007-05-09 Thread Tom Chiverton
On Wednesday 09 May 2007, Ken Wexel wrote: > seems like it would be a lot of work to create the session, > load the form, save the form locally, change the post path, spoof the > session, etc. just to post it from somewhere else once. Depends on your threat profile. It only takes a geek an hour

Re: defeating offline form posts

2007-05-09 Thread Ken Wexel

RE: defeating offline form posts

2007-05-09 Thread Bobby Hartsfield
My thoughts exactly Jochem. What's the difference if they use their form or your form if the action template is what matters?

Re: defeating offline form posts

2007-05-09 Thread Chris Norloff

Re: defeating offline form posts

2007-05-09 Thread Chris Norloff

Re: defeating offline form posts

2007-05-09 Thread Jochem van Dieten
Eric J. Hoffman wrote: > Curious question here. If I think about this, if someone takes a form > of ours for login, for example, and makes a local copy on their > machine and they set the post action to be the live server > authenticate file, what is the best way to detect this and defeat it

Re: defeating offline form posts

2007-05-09 Thread Tom Chiverton
On Wednesday 09 May 2007, Eric J. Hoffman wrote: > authenticate file, what is the best way to detect this and defeat it? > No one has ever gained access this way as of yet, but we are studying > possibilities, and this seems to me to be an attack vector. What could they do by submitting the local

Re: defeating offline form posts

2007-05-08 Thread Maximilian Nyman
> > That's where I started, but the thing is, I think they can spoof that variable? Or not?

Re: defeating offline form posts

2007-05-08 Thread Ken Wexel

RE: defeating offline form posts

2007-05-08 Thread Jaime Metcher

RE: defeating offline form posts

2007-05-08 Thread Eric J. Hoffman
AJ Mercer wrote: > Have a look at the CGI variables, in particular CGI.HTTP_REFERER. This is the

RE: defeating offline form posts

2007-05-08 Thread Jaime Metcher
Put the session ID in the form and then check to see if the session has expired. Jaime Metcher Eric J. Hoffman wrote: > Curious question here.

Re: defeating offline form posts

2007-05-08 Thread AJ Mercer
Have a look at the CGI variables, in particular CGI.HTTP_REFERER. This is the page before the current one; it should have your server details in there, otherwise discard. On 5/9/07, Eric J. Hoffman <[EMAIL PROTECTED]> wrote: > Curious question here. If I think about this, if someone takes a f