Re: defeating offline form posts

2007-05-11 Thread K Simanonok
> > Offsite forms can be submitted to use your email templates as 
>
> Here's the header you'd have to include.
>
> Referer: http://mywebsite.com/
>
> Not too much to that, is there?

Not if they are able to figure it out, which someone determined enough would 
probably eventually do.  Fortunately my hacker-wannabe hasn't.  

What would be a better way to solve this problem?  I don't want to require 
registration and login for someone who simply wants to send me a legitimate 
email, and besides registration and login require forms which themselves could 
be attack vectors.




~|
ColdFusion MX7 and Flex 2 
Build sales  marketing dashboard RIA’s for your business. Upgrade now
http://www.adobe.com/products/coldfusion/flex2?sdid=RVJT

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:277701
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4


Re: defeating offline form posts

2007-05-11 Thread Tom Chiverton
On Friday 11 May 2007, K Simanonok wrote:
> What would be a better way to solve this problem? 

Asking them a simple math question seems to be working well at the moment.

-- 
Tom Chiverton
Helping to advantageously repurpose edge-of-your-seat metrics
on: http://thefalken.livejournal.com



This email is sent for and on behalf of Halliwells LLP.

Halliwells LLP is a limited liability partnership registered in England and 
Wales under registered number OC307980 whose registered office address is at St 
James's Court Brown Street Manchester M2 2JF.  A list of members is available 
for inspection at the registered office. Any reference to a partner in relation 
to Halliwells LLP means a member of Halliwells LLP. Regulated by the Law 
Society.

CONFIDENTIALITY

This email is intended only for the use of the addressee named above and may be 
confidential or legally privileged.  If you are not the addressee you must not 
read it and must not use any information contained in nor copy it nor inform 
any person other than Halliwells LLP or the addressee of its existence or 
contents.  If you have received this email in error please delete it and notify 
Halliwells LLP IT Department on 0870 365 8008.

For more information about Halliwells LLP visit www.halliwells.com.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:277705


Re: defeating offline form posts

2007-05-11 Thread James Holmes
At some stage this will be the only true solution:

http://zapatopi.net/afdb/

On 5/11/07, K Simanonok [EMAIL PROTECTED] wrote:
> > > Offsite forms can be submitted to use your email templates as
> >
> > Here's the header you'd have to include.
> >
> > Referer: http://mywebsite.com/
> >
> > Not too much to that, is there?
>
> Not if they are able to figure it out, which someone determined enough would 
> probably eventually do.  Fortunately my hacker-wannabe hasn't.
>
> What would be a better way to solve this problem?  I don't want to require 
> registration and login for someone who simply wants to send me a legitimate 
> email, and besides registration and login require forms which themselves 
> could be attack vectors.

-- 
mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:277704


RE: defeating offline form posts

2007-05-11 Thread Bobby Hartsfield
> At some stage this will be the only true solution:
> http://zapatopi.net/afdb/

Hah! Indeed it will


But until they make the model with the plastic-wrap inner-lining... there
are plenty of transparent methods to try. Quite a few people have solved
their spamming problem with a simple hidden field. I've explained it about
4000 times on this list but here goes 4001.

1) Place a normal field in your form with an enticing name like toaddress
or email or whatever. 
2) Put something like [EMAIL PROTECTED] in it or just leave it blank
3) Put a message next to it like Do not modify this field blah blah for
the humanoids to see
4) wrap the field and the message inside a div and use CSS to set the div's
display to 'none'
5) wrap a cfif around your cfmail that checks to see if the value of the
field has been changed. If it has been changed, don’t send the email, if it
hasn’t been, send it but either way... make it look like the email was sent.

Bots tend to fill out all fields and will see this field very easily. A
prick spammer who is manually using your form will also find it irresistible
to play with a field with such an enticing name.

This doesn't work with all spam. I'd say it has about a 50/50 success rate
since I started using it and explaining it to others. It's definitely worth
a shot since it only takes about 60 seconds to implement.

Another easy deterrent is to analyze the content that your spammer is
sending. Example: If your form has a separate field for first and last name,
90% of the time, those fields will have the same value in them and/or they
put an email address in every field except textareas.

A couple simple checks for any patterns you might find in your spam could
quite possibly stop it as well. Either way, real users are clueless to the
checks and uninterrupted by them in any way.

The key is to NOT let the spammer know if the email was sent or not. Making
it look like it was a success keeps them from searching for another point of
attack. 

If all else fails...
http://acoderslife.com/downloads/bhcaptcha/

I know I wrote it, but I don’t use it anywhere; I've never needed to. ;-)


No virus found in this outgoing message.
Checked by AVG Free Edition. 
Version: 7.5.467 / Virus Database: 269.6.8/797 - Release Date: 5/10/2007
5:10 PM
 



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:277734
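The hidden-field and pattern checks from this post, as an added Python example (not the poster's own ColdFusion code; the field names toaddress, firstname, lastname and subject are assumed for the demo): classify a submission, then answer identically whether or not the mail was sent.

```python
import re

# Assumed field names for the demo; the post suggests an enticing name
# such as "toaddress" or "email" for the hidden field.
HONEYPOT_FIELD = "toaddress"
HONEYPOT_DEFAULT = ""                                # shipped blank, hidden by CSS
TEXT_FIELDS = ("firstname", "lastname", "subject")   # single-line inputs, not textareas

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def classify_submission(form):
    """Return (is_spam, reasons) for one posted form (a dict of field -> value).

    Checks, in the order the post describes them:
      1. the hidden honeypot field was changed from its default
      2. first and last name carry the same value
      3. every single-line text field holds an email address
    One hit is enough to mark the post as spam.
    """
    reasons = []
    if form.get(HONEYPOT_FIELD, HONEYPOT_DEFAULT) != HONEYPOT_DEFAULT:
        reasons.append("honeypot field modified")
    first = form.get("firstname", "").strip().lower()
    last = form.get("lastname", "").strip().lower()
    if first and first == last:
        reasons.append("first and last name identical")
    filled = [form[k] for k in TEXT_FIELDS if form.get(k)]
    if filled and all(EMAIL_RE.match(v.strip()) for v in filled):
        reasons.append("email address in every text field")
    return bool(reasons), reasons


def process_contact_form(form, send_mail, log):
    """Handle a post: mail it only when it looks genuine, log the reason
    otherwise, and return the SAME confirmation text in both cases so the
    sender cannot tell whether the mail went out."""
    is_spam, reasons = classify_submission(form)
    if is_spam:
        log("dropped submission: " + "; ".join(reasons))
    else:
        send_mail(form)
    return "Thank you, your message has been sent."


# Constructed sample posts (not real traffic)
GENUINE = {"firstname": "Ann", "lastname": "Lee", "subject": "Quote request",
           "toaddress": "", "message": "Hi, can you send me a price list?"}
BOT_HONEYPOT = {"firstname": "Ann", "lastname": "Lee", "subject": "hello",
                "toaddress": "bot@example.invalid", "message": "buy now"}
BOT_PATTERN = {"firstname": "bot@example.invalid", "lastname": "bot@example.invalid",
               "subject": "bot@example.invalid", "toaddress": "", "message": "buy now"}
```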


Re: defeating offline form posts

2007-05-11 Thread Richard Cooper
A while back someone was having a problem with using cfhttp to login to an ASP 
site.

There was huge debate on why this was happening. I haven't re-read it but I bet 
there are some extra methods in there for defeating offline form posts ( maybe 
even spam bots?)

I think this was the post: 
http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:48630

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:277745


Re: defeating offline form posts

2007-05-10 Thread James Holmes
Many personal firewalls (e.g. Norton Internet Security) strip the
referer info, so this may send a nasty message to legit users.

Spoofing it is as easy as cfheader on CF and an equivalent in any
other platform and if I were spamming I'd assume that I needed to set
this to the online form location as a matter of course.

On 5/10/07, K Simanonok wrote:

> I'm not sure how someone could spoof a domain name to defeat this, probably 
> by screwing around with the headers but they'd have to know or be determined 
> enough to figure out what they needed to do.  Certainly you're not going to 
> explain to them in your error message that they didn't submit the message 
> from the proper page on your site, although they will know that and can 
> experiment if they want.
>
> Did someone say that not all browsers will send HTTP_REFERER information?  
> That could make this method less than ideal.


-- 
mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:277576


RE: defeating offline form posts

2007-05-10 Thread Bobby Hartsfield
The referrer is unreliable. If it stopped your problem, that's good. But if
the spammer figured out that all you were checking was the referrer, he'd be
back in business fairly easily. He'd either spoof the referrer or simply use
your form instead of a copy of it running somewhere else.

-Original Message-
From: K Simanonok [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 10, 2007 1:28 AM
To: CF-Talk
Subject: Re: defeating offline form posts

At 03:10 AM 5/9/2007, Eric wrote:
> Curious question here. If I think about this, if someone takes a form 
> of ours for login, for example, and makes a local copy on their 
> machine...and they set the post action to be the live server 
> authenticate file...what is the best way to detect this and defeat it? 
> No one has ever gained access this way as of yet, but we are studying 
> possibilities, and this seems to me to be an attack vector.
>
> Any thoughts? A check to see if the referrer was the domain 
> name/login file name? Or can that be spoofed as well then?

Offsite forms can be submitted to use your email templates as Spam blasters
or else to send Spam to you, and such submittals can be automated so they'll
do their dirty work without any human intervention.  I just recently had
this problem with some creep attacking a site of mine with a robot every
couple of hours and solved it this way:

<CFIF CGI.HTTP_REFERER DOES NOT CONTAIN "http://mywebsite.com">

   <!--- Error message presented (mine is quite nasty) --->

   <CFABORT>

</CFIF>

I'm not sure how someone could spoof a domain name to defeat this, probably
by screwing around with the headers but they'd have to know or be determined
enough to figure out what they needed to do.  Certainly you're not going to
explain to them in your error message that they didn't submit the message
from the proper page on your site, although they will know that and can
experiment if they want.  

Did someone say that not all browsers will send HTTP_REFERER information?
That could make this method less than ideal.  



...




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:277591
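The HTTP_REFERER test quoted above, as an added Python example rather than code from the thread: it compares the header's origin exactly instead of a CONTAINS test, keeps a missing header (the firewall-stripping case raised elsewhere in the thread) apart from a mismatch, and treats the result as a signal to log, not as proof. SITE_ORIGIN is the thread's placeholder host.

```python
from urllib.parse import urlparse

SITE_ORIGIN = "http://mywebsite.com"   # placeholder from the thread, not a real site


def referer_status(headers, site_origin=SITE_ORIGIN):
    """Classify the Referer of a form post as "match", "missing" or "mismatch".

    "missing" is kept separate from "mismatch" because some personal
    firewalls and privacy proxies strip the header, so an absent Referer
    is not evidence of an offsite copy. And since the client writes the
    header, even "match" is only a weak signal, never authentication.
    """
    raw = headers.get("Referer") or headers.get("HTTP_REFERER")
    if not raw or not raw.strip():
        return "missing"
    want = urlparse(site_origin)
    got = urlparse(raw.strip())
    # Compare scheme and host exactly rather than testing for a substring,
    # so only our own origin counts, whatever else the URL string contains.
    same_scheme = got.scheme == want.scheme
    same_host = (got.hostname or "").lower() == (want.hostname or "").lower()
    if same_scheme and same_host:
        return "match"
    return "mismatch"


def decide(headers):
    """Policy for the contact form: reject on mismatch, let a missing
    Referer through but log it, mail normally on a match. Returns a dict
    with 'send' (bool) and 'log' (str) so a caller can wire both up."""
    status = referer_status(headers)
    if status == "mismatch":
        return {"send": False, "log": "referer mismatch: " + headers.get("Referer", "")}
    if status == "missing":
        return {"send": True, "log": "no referer header; allowed, watch for abuse"}
    return {"send": True, "log": "referer ok"}


# Constructed sample header sets (not captured traffic)
BROWSER_POST = {"Referer": "http://mywebsite.com/contact.cfm"}
STRIPPED_POST = {"User-Agent": "Mozilla/4.0 (constructed)"}   # firewall removed Referer
OFFSITE_POST = {"Referer": "http://other.example/copy-of-form.html"}
```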


RE: defeating offline form posts

2007-05-10 Thread Dave Watts
> Offsite forms can be submitted to use your email templates as 
> Spam blasters or else to send Spam to you, and such 
> submittals can be automated so they'll do their dirty work 
> without any human intervention.  I just recently had this 
> problem with some creep attacking a site of mine with a robot 
> every couple of hours and solved it this way:
>
> <CFIF CGI.HTTP_REFERER DOES NOT CONTAIN "http://mywebsite.com">
>
>    <!--- Error message presented (mine is quite nasty) --->
>
>    <CFABORT>
>
> </CFIF>
>
> I'm not sure how someone could spoof a domain name to defeat 
> this, probably by screwing around with the headers but they'd 
> have to know or be determined enough to figure out what they 
> needed to do.

Here's the header you'd have to include.

Referer: http://mywebsite.com/

Not too much to that, is there?

If you want to prevent people from running your code, that's what
authentication and authorization is for.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

This email has been processed by SmoothZap - www.smoothwall.net


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:277634


Re: defeating offline form posts

2007-05-09 Thread Tom Chiverton
On Wednesday 09 May 2007, Eric J. Hoffman wrote:
> authenticate file...what is the best way to detect this and defeat it?
> No one has ever gained access this way as of yet, but we are studying
> possibilities, and this seems to me to be an attack vector.

What could they do by submitting the local form (with valid session ID 
embedded in it, cookies set from a real session etc. etc.) that they couldn't 
do by just being logged into the site anyway ?

-- 
Tom Chiverton
Helping to completely generate virtual IPOs
on: http://thefalken.livejournal.com





Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:277386


Re: defeating offline form posts

2007-05-09 Thread Jochem van Dieten
Eric J. Hoffman wrote:
> Curious question here.   If I think about this, if someone takes a form
> of ours for login, for example, and makes a local copy on their
> machine...and they set the post action to be the live server
> authenticate file...what is the best way to detect this and defeat it?

Why do you care?

Jochem

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:277387


Re: defeating offline form posts

2007-05-09 Thread Chris Norloff
What if the HTTP POST didn't get as far as ColdFusion? We have an ongoing case 
where the web server throws a 500 error, and we don't know why the page doesn't 
get to CF.

thx
Chris

-- Original Message --
From: Ken Wexel [EMAIL PROTECTED]
Reply-To: cf-talk@houseoffusion.com
Date:  Tue, 8 May 2007 23:26:01 -0400

When I ran into this problem previously, I'd set a value into the user
session and set the same value as a hidden form field.  On post, if
the two didn't match, I knew the posting was invalid.  Can be
something as simple as a long numeric value..

On 5/8/07, Eric J. Hoffman [EMAIL PROTECTED] wrote:
> That's where I started...but the thing is, I think they can spoof that
> variable?  Or not?



 


 Eric J. Hoffman
 Managing Partner
 2081 Industrial Blvd
 StillwaterMN55082
 mail: [EMAIL PROTECTED]
 www: http://www.ejhassociates.com
 tel: 651.717.4105
 fax: 651.717.4101
 mob: 651.245.2717
 Adobe Solutions Partner
 Microsoft Certified Partner

 

 This message contains confidential information and is intended only for 
 [EMAIL PROTECTED] If you are not cf-talk@houseoffusion.com you should not 
 disseminate, distribute or copy this e-mail. Please notify [EMAIL PROTECTED] 
 immediately by e-mail if you have received this e-mail by mistake and delete 
 this e-mail from your system. E-mail transmission cannot be guaranteed to be 
 secure or error-free as information could be intercepted, corrupted, lost, 
 destroyed, arrive late or incomplete, or contain viruses. Eric J. Hoffman 
 therefore does not accept liability for any errors or omissions in the 
 contents of this message, which arise as a result of e-mail transmission. If 
 verification is required please request a hard-copy version.
 

> -Original Message-
> From: AJ Mercer [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, May 08, 2007 9:53 PM
> To: CF-Talk
> Subject: Re: defeating offline form posts
>
> Have a look at the CGI variables
> in particular CGI.HTTP_REFERER
> This is the page before the current one - it should have your server
> details in there, otherwise discard.
>
> On 5/9/07, Eric J. Hoffman [EMAIL PROTECTED] wrote:
> >
> > Curious question here.   If I think about this, if someone takes a form
> > of ours for login, for example, and makes a local copy on their
> > machine...and they set the post action to be the live server
> > authenticate file...what is the best way to detect this and defeat it?
> > No one has ever gained access this way as of yet, but we are studying
> > possibilities, and this seems to me to be an attack vector.
> >
> > Any thoughts? A check to see if the referrer was the domain
> > name/login file name? Or can that be spoofed as well then?
 
 
 
  Thanks~!
 
  
 
 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:277394




RE: defeating offline form posts

2007-05-09 Thread Bobby Hartsfield
My thoughts exactly Jochem. What's the difference if they use their form or
your form if the action template is what matters?

-Original Message-
From: Jochem van Dieten [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 09, 2007 6:05 AM
To: CF-Talk
Subject: Re: defeating offline form posts

Why do you care?

Jochem

 



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:277398


Re: defeating offline form posts

2007-05-09 Thread Ken Wexel
and have an active session with a matching key in the session
scope...seems like it would be a lot of work to create the session,
load the form, save the form locally, change the post path, spoof the
session, etc. just to post it from somewhere else once.  Not
bulletproof, but worked well enough for my needs..

On 5/8/07, Maximilian Nyman [EMAIL PROTECTED] wrote:
> But the only thing I have to do to get around that is to hit the
> live form, do a View source, get the hidden values and update my
> local form with those hidden value(s).
>
> On 5/9/07, Ken Wexel [EMAIL PROTECTED] wrote:
> > When I ran into this problem previously, I'd set a value into the user
> > session and set the same value as a hidden form field.  On post, if
> > the two didn't match, I knew the posting was invalid.  Can be
> > something as simple as a long numeric value..
> >
> > On 5/8/07, Eric J. Hoffman [EMAIL PROTECTED] wrote:
> > > That's where I started...but the thing is, I think they can spoof that
> > > variable?  Or not?
> > >
> > > -Original Message-
> > > From: AJ Mercer [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, May 08, 2007 9:53 PM
> > > To: CF-Talk
> > > Subject: Re: defeating offline form posts
> > >
> > > Have a look at the CGI variables
> > > in particular CGI.HTTP_REFERER
> > > This is the page before the current one - it should have your server
> > > details in there, otherwise discard.
> > >
> > > On 5/9/07, Eric J. Hoffman [EMAIL PROTECTED] wrote:
> > > > Curious question here.   If I think about this, if someone takes a form
> > > > of ours for login, for example, and makes a local copy on their
> > > > machine...and they set the post action to be the live server
> > > > authenticate file...what is the best way to detect this and defeat it?
> > > > No one has ever gained access this way as of yet, but we are studying
> > > > possibilities, and this seems to me to be an attack vector.
> > > >
> > > > Any thoughts? A check to see if the referrer was the domain
> > > > name/login file name? Or can that be spoofed as well then?
> > > >
> > > > Thanks~!

 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:277409
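The session-bound hidden value Ken Wexel describes, together with the view-source objection Maximilian raises against it, as an added Python example (not code from the thread; the hidden-field name, the session key and the dict standing in for the session scope are assumptions):

```python
import hmac
import secrets

TOKEN_FIELD = "form_token"     # assumed hidden-field name
SESSION_KEY = "form_token"     # assumed key in the session scope


def render_form(session):
    """Step 1 (when the form page is served): mint a random value, store it
    in the visitor's session and emit it as a hidden field. `session` is a
    dict standing in for ColdFusion's session scope."""
    token = secrets.token_hex(16)          # 128 random bits; the "long numeric value"
    session[SESSION_KEY] = token
    return '<input type="hidden" name="%s" value="%s">' % (TOKEN_FIELD, token)


def accept_post(session, form):
    """Step 2 (when the form is posted): valid only if the hidden value equals
    the token held in the SAME session that rendered the form. The token is
    removed on use, so a second post of the same value is rejected."""
    expected = session.pop(SESSION_KEY, None)
    supplied = form.get(TOKEN_FIELD, "")
    if expected is None or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


def hidden_value(html):
    """Demo helper: read the value attribute back out of the rendered input."""
    return html.split('value="', 1)[1].split('"', 1)[0]


def demo():
    """Walk through the cases the thread argues about; returns them as a dict."""
    visitor = {}                                   # a browser session that loaded the live form
    token = hidden_value(render_form(visitor))
    genuine = accept_post(visitor, {TOKEN_FIELD: token})        # same session, fresh token
    replay = accept_post(visitor, {TOKEN_FIELD: token})         # same value again: consumed
    # A value lifted from someone else's page source but posted without that
    # session fails: the token is bound to the session, not to the page.
    other = {}
    copied = accept_post(other, {TOKEN_FIELD: token})
    # What it does NOT stop (Maximilian's point): a client that loads the live
    # form itself and posts back within its own session holds a valid token.
    # The control raises the effort per post; it is not a wall.
    scripted = {}
    own_token = hidden_value(render_form(scripted))
    fetched_then_posted = accept_post(scripted, {TOKEN_FIELD: own_token})
    return {"genuine": genuine, "replay": replay, "copied": copied,
            "fetched_then_posted": fetched_then_posted}
```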


Re: defeating offline form posts

2007-05-09 Thread Tom Chiverton
On Wednesday 09 May 2007, Ken Wexel wrote:
> seems like it would be a lot of work to create the session,
> load the form, save the form locally, change the post path, spoof the
> session, etc. just to post it from somewhere else once.  

Depends on your threat profile.
It only takes a geek an hour or so to automate the process and then distribute 
the Perl... :-)

-- 
Tom Chiverton
Helping to apprehensively brand integrated experiences
on: http://thefalken.livejournal.com





Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:277421


RE: defeating offline form posts

2007-05-09 Thread Eric J. Hoffman
Well, an automated process where they create spam accounts into the system?   
We could use CAPTCHA maybe, but a lot of users hate that.   I was wondering if 
there was a good practice to additionally nail them in advance of captcha use, 
but maybe not...?






Eric J. Hoffman
Managing Partner
2081 Industrial Blvd
StillwaterMN55082
mail: [EMAIL PROTECTED]
www: http://www.ejhassociates.com
tel: 651.717.4105
fax: 651.717.4101
mob: 651.245.2717
Adobe Solutions Partner
Microsoft Certified Partner





-Original Message-

From: Jochem van Dieten [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 09, 2007 5:05 AM
To: CF-Talk
Subject: Re: defeating offline form posts

Eric J. Hoffman wrote:
> Curious question here.   If I think about this, if someone takes a form
> of ours for login, for example, and makes a local copy on their
> machine...and they set the post action to be the live server
> authenticate file...what is the best way to detect this and defeat it?

Why do you care?

Jochem



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:277432


RE: defeating offline form posts

2007-05-09 Thread Dave Watts
> Curious question here.   If I think about this, if someone 
> takes a form of ours for login, for example, and makes a local 
> copy on their machine...and they set the post action to be the 
> live server authenticate file...what is the best way to detect 
> this and defeat it? No one has ever gained access this way as of 
> yet, but we are studying possibilities, and this seems to me to 
> be an attack vector.

Echoing Jochem, why do you care? It's no more an attack vector than allowing
public access to the form itself.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:277436


Re: defeating offline form posts

2007-05-09 Thread Ken Wexel
True...it's all relatively relative I supposed :)



On 5/9/07, Tom Chiverton [EMAIL PROTECTED] wrote:
> On Wednesday 09 May 2007, Ken Wexel wrote:
> > seems like it would be a lot of work to create the session,
> > load the form, save the form locally, change the post path, spoof the
> > session, etc. just to post it from somewhere else once.
>
> Depends on your threat profile.
> It only takes a geek an hour or so to automate the process and then distribute
> the Perl... :-)
>
> --
> Tom Chiverton
> Helping to apprehensively brand integrated experiences
> on: http://thefalken.livejournal.com

 


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:277443


RE: defeating offline form posts

2007-05-09 Thread Bobby Hartsfield
It can be automated on your form just as easily as any copy of it. If
repeated attempts are your worry, just limit access from a single IP to 1
submission every 1 minute or so.

-Original Message-
From: Eric J. Hoffman [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 09, 2007 12:14 PM
To: CF-Talk
Subject: RE: defeating offline form posts

Well, an automated process where they create spam accounts into the system?
We could use CAPTCHA maybe, but a lot of users hate that.   I was wondering
if there was a good practice to additionally nail them in advance of captcha
use, but maybe not...?






Eric J. Hoffman
Managing Partner
2081 Industrial Blvd
StillwaterMN55082
mail: [EMAIL PROTECTED]
www: http://www.ejhassociates.com
tel: 651.717.4105
fax: 651.717.4101
mob: 651.245.2717
Adobe Solutions Partner
Microsoft Certified Partner



This message contains confidential information and is intended only for
[EMAIL PROTECTED] If you are not cf-talk@houseoffusion.com you
should not disseminate, distribute or copy this e-mail. Please notify
[EMAIL PROTECTED] immediately by e-mail if you have received this
e-mail by mistake and delete this e-mail from your system. E-mail
transmission cannot be guaranteed to be secure or error-free as information
could be intercepted, corrupted, lost, destroyed, arrive late or incomplete,
or contain viruses. Eric J. Hoffman therefore does not accept liability for
any errors or omissions in the contents of this message, which arise as a
result of e-mail transmission. If verification is required please request a
hard-copy version.


-Original Message-

From: Jochem van Dieten [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 09, 2007 5:05 AM
To: CF-Talk
Subject: Re: defeating offline form posts

Eric J. Hoffman wrote:
 Curious question here.   If I think about this, if someone takes a form
 of ours for login, for example, and makes a local copy on their
 machine... and they set the post action to be the live server
 authenticate file... what is the best way to detect this and defeat it?

Why do you care?

Jochem

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:277493


Re: defeating offline form posts

2007-05-09 Thread K Simanonok
At 03:10 AM 5/9/2007, Eric wrote:
 Curious question here. If I think about this, if someone takes a form 
of ours for login, for example, and makes a local copy on their 
machine... and they set the post action to be the live server 
authenticate file... what is the best way to detect this and defeat it? 
No one has ever gained access this way as of yet, but we are studying 
possibilities, and this seems to me to be an attack vector.

 Any thoughts? A check to see if the referrer was the domain 
name/login file name? Or can that be spoofed as well then?

Offsite forms can be submitted to use your email templates as Spam blasters or 
else to send Spam to you, and such submittals can be automated so they'll do 
their dirty work without any human intervention.  I just recently had this 
problem with some creep attacking a site of mine with a robot every couple of 
hours and solved it this way:

<CFIF CGI.HTTP_REFERER DOES NOT CONTAIN "http://mywebsite.com">

   <!--- Error message presented (mine is quite nasty) --->

   <CFABORT>

</CFIF>

I'm not sure how someone could spoof a domain name to defeat this, probably by 
screwing around with the headers but they'd have to know or be determined 
enough to figure out what they needed to do.  Certainly you're not going to 
explain to them in your error message that they didn't submit the message from 
the proper page on your site, although they will know that and can experiment 
if they want.  

Did someone say that not all browsers will send HTTP_REFERER information?  That 
could make this method less than ideal.  

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:277572


Re: defeating offline form posts

2007-05-08 Thread AJ Mercer
Have a look at the CGI variables, in particular CGI.HTTP_REFERER.
This is the page before the current one - it should have your server details
in there, otherwise discard.


On 5/9/07, Eric J. Hoffman [EMAIL PROTECTED] wrote:

 Curious question here.   If I think about this, if someone takes a form
 of ours for login, for example, and makes a local copy on their
 machine... and they set the post action to be the live server
 authenticate file... what is the best way to detect this and defeat it?
 No one has ever gained access this way as of yet, but we are studying
 possibilities, and this seems to me to be an attack vector.



 Any thoughts? A check to see if the referrer was the domain
 name/login file name?   Or can that be spoofed as well then?



 Thanks~!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:277371


RE: defeating offline form posts

2007-05-08 Thread Jaime Metcher
Put the session ID in the form and then check to see if the session has
expired.

Jaime Metcher

 -Original Message-
 From: Eric J. Hoffman [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, 9 May 2007 12:44 PM
 To: CF-Talk
 Subject: defeating offline form posts


 Curious question here.   If I think about this, if someone takes a form
 of ours for login, for example, and makes a local copy on their
 machine... and they set the post action to be the live server
 authenticate file... what is the best way to detect this and defeat it?
 No one has ever gained access this way as of yet, but we are studying
 possibilities, and this seems to me to be an attack vector.



 Any thoughts? A check to see if the referrer was the domain
 name/login file name?   Or can that be spoofed as well then?



 Thanks~!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:277372


RE: defeating offline form posts

2007-05-08 Thread Eric J. Hoffman
That's where I started... but the thing is, I think they can spoof that
variable?  Or not?

-Original Message-

From: AJ Mercer [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 08, 2007 9:53 PM
To: CF-Talk
Subject: Re: defeating offline form posts

Have a look at the CGI variables, in particular CGI.HTTP_REFERER.
This is the page before the current one - it should have your server
details in there, otherwise discard.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:277373


RE: defeating offline form posts

2007-05-08 Thread Jaime Metcher
It's thoroughly unreliable even if not spoofed.  Some browsers won't set it,
some proxies will mask it or strip it out.

Jaime Metcher

 -Original Message-
 From: Eric J. Hoffman [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, 9 May 2007 1:02 PM
 To: CF-Talk
 Subject: RE: defeating offline form posts


 That's where I started... but the thing is, I think they can spoof that
 variable?  Or not?



 



 -Original Message-

 From: AJ Mercer [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, May 08, 2007 9:53 PM
 To: CF-Talk
 Subject: Re: defeating offline form posts

 Have a look at the CGI variables, in particular CGI.HTTP_REFERER.
 This is the page before the current one - it should have your server
 details in there, otherwise discard.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:277374
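The Referer test from K Simanonok's CFIF snippet, together with Jaime Metcher's caveat that some browsers and proxies never send the header, as an added Python example standing in for the CFML (not code from any poster). It parses the header and compares the host exactly instead of a substring CONTAINS, and it makes the "no Referer at all" case an explicit policy choice; the host names and sample requests are constructed for the example.

```python
"""Referer check for a form action page: an added Python example standing in
for the CFML in the thread, not code from any poster.

The CFIF snippet tests CGI.HTTP_REFERER with a substring CONTAINS; this
version parses the header and compares the host exactly, and it makes the
"no Referer at all" case an explicit policy choice, since some browsers and
proxies never send the header.
"""
from urllib.parse import urlsplit

# Constructed for this example: hosts whose pages may legitimately post here.
ALLOWED_HOSTS = {"mywebsite.com", "www.mywebsite.com"}


def parse_referer_host(value):
    """Return the lower-cased host named in a Referer value, or None if it is
    not an absolute http(s) URL."""
    try:
        parts = urlsplit(value.strip())
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if parts.scheme.lower() not in ("http", "https"):
        return None
    return parts.hostname  # already lower-cased, port and userinfo removed


def referer_verdict(headers, allowed_hosts=ALLOWED_HOSTS, allow_missing=False):
    """Classify a request by its Referer: "ok", "missing" or "mismatch".

    allow_missing=True accepts requests that carry no Referer so users behind
    stripping proxies are not locked out; the check then only catches posts
    that carry a foreign Referer, which is the trade-off the thread describes.
    """
    value = next((v for k, v in headers.items() if k.lower() == "referer"), None)
    if not value:
        return "ok" if allow_missing else "missing"
    host = parse_referer_host(value)
    return "ok" if host and host in allowed_hosts else "mismatch"


def handle_contact_post(headers, form, allow_missing=False):
    """Stand-in for the form action page: returns (http_status, body)."""
    if referer_verdict(headers, allow_missing=allow_missing) != "ok":
        # The CFABORT branch: reject without explaining which check failed.
        return 403, "Request rejected."
    return 200, "Message accepted from %s" % form.get("email", "(no address)")


if __name__ == "__main__":
    # Constructed sample requests: same-site, same-site over https with a
    # port, a saved copy on another host, and a browser that sent nothing.
    samples = [
        {"Referer": "http://mywebsite.com/contact.cfm"},
        {"referer": "https://www.mywebsite.com:443/contact.cfm"},
        {"Referer": "http://other.example/saved-copy.html"},
        {},
    ]
    for h in samples:
        print(h, "strict:", referer_verdict(h),
              "lenient:", referer_verdict(h, allow_missing=True))
```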


Re: defeating offline form posts

2007-05-08 Thread Ken Wexel
When I ran into this problem previously, I'd set a value into the user
session and set the same value as a hidden form field.  On post, if
the two didn't match, I knew the posting was invalid.  Can be
something as simple as a long numeric value..

On 5/8/07, Eric J. Hoffman [EMAIL PROTECTED] wrote:
 That's where I started... but the thing is, I think they can spoof that
 variable?  Or not?



 



 -Original Message-

 From: AJ Mercer [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, May 08, 2007 9:53 PM
 To: CF-Talk
 Subject: Re: defeating offline form posts

 Have a look at the CGI variables, in particular CGI.HTTP_REFERER.
 This is the page before the current one - it should have your server
 details in there, otherwise discard.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:277375


Re: defeating offline form posts

2007-05-08 Thread Maximilian Nyman
But the only thing I have to do to get around that is to hit the
live form, do a View source, get the hidden values and update my
local form with those hidden value(s).



On 5/9/07, Ken Wexel [EMAIL PROTECTED] wrote:
 When I ran into this problem previously, I'd set a value into the user
 session and set the same value as a hidden form field.  On post, if
 the two didn't match, I knew the posting was invalid.  Can be
 something as simple as a long numeric value..

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:277376
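Ken Wexel's session-value-plus-hidden-field check, with Jaime Metcher's "has the session expired" test folded in, as an added Python example (not code from any poster); the in-memory SessionStore, the token lifetime and the function names are constructed stand-ins for the ColdFusion session scope and pages. Maximilian Nyman's objection still holds: a client that fetches the form in its own session and posts the value it was given passes, so the check ties a post to a prior page load in the same session rather than blocking automation.

```python
"""Session-bound form token, as Ken Wexel and Jaime Metcher describe.

Added example in Python, not code from the thread; the CF session scope and
page rendering are replaced by a small in-memory store and plain functions.
"""
import hmac
import secrets
import time

FORM_TOKEN_TTL = 20 * 60  # seconds; constructed value, plays the role of the session timeout


class SessionStore:
    """Minimal server-side session table (stand-in for ColdFusion's session scope)."""

    def __init__(self, clock=time.time):
        self.now = clock  # injectable so expiry can be exercised deterministically
        self._sessions = {}

    def new_session(self):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"form_token": None, "form_issued": 0.0}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


def render_form(store, sid):
    """Server side of showing the form: mint a fresh random value, remember it
    in the session, and hand back what goes into the hidden field."""
    sess = store.get(sid)
    if sess is None:
        raise KeyError("unknown session")
    sess["form_token"] = secrets.token_urlsafe(32)
    sess["form_issued"] = store.now()
    return {"form_token": sess["form_token"]}  # rendered as <input type="hidden">


def validate_post(store, sid, form):
    """Return (accepted, reason) for a post arriving with session id `sid`."""
    sess = store.get(sid)
    if sess is None:
        return False, "no-session"            # no live session behind the request
    expected = sess["form_token"]
    if not expected:
        return False, "no-outstanding-token"  # form never rendered, or value already used
    if store.now() - sess["form_issued"] > FORM_TOKEN_TTL:
        return False, "expired"               # Jaime's "has the session expired" check
    supplied = form.get("form_token", "")
    supplied = supplied if isinstance(supplied, str) else ""
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "token-mismatch"        # offline copy carrying a stale or foreign value
    sess["form_token"] = None                 # single use, so a captured post cannot be replayed
    return True, "ok"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.new_session()
    print(validate_post(store, sid, {"form_token": "copied-from-elsewhere"}))  # rejected
    hidden = render_form(store, sid)   # any client that loads the form in this session
    print(validate_post(store, sid, hidden))  # accepted: Maximilian's point, the check binds
    # a post to a prior fetch in the same session, it does not stop a script that fetches first
    print(validate_post(store, sid, hidden))  # second use of the same value rejected
```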