
How to protect your feedback form from attack?

Imagine such a situation.



You come to work, sit down to check your email expecting a reply from a partner and a little spam, but instead you see this: Inbox (164,532).








The picture is naturally fake.

And all of it came through your site's feedback form. You have to sort through tens of thousands of letters, and even if they are easy to identify and delete, resolving the issue will eat a huge amount of time, especially since you must be careful not to miss the correspondence you actually need.



It is easy to calculate how many letters can arrive through the feedback form over a weekend from just one attacker's computer.



On Friday the working day ends at 18.00; suppose the office is locked at 18.30. On Monday the working day starts at 9.00, but the office is opened at, say, 8.00. In total that is 61.5 hours in which an attacker can get to work without fear of quick exposure. Suppose he sends spam (this can even be done with a browser) in 10 threads, i.e. he sends 10 letters simultaneously. If he sends a letter every three seconds, then on Monday morning at 8.00 we will find 738,000 letters. Naturally, there may be more threads, the interval between letters may be shorter, and dozens or even hundreds of computers may be involved in the process.



But lost time is not the worst that can happen: you can accidentally delete a client's letter, or an order from a director who is away on a long trip. Losing such letters threatens not only sanctions against the employee but also serious financial losses for the company.



Another unpleasant consequence is serious trouble with the hosting provider on whose servers your website lives. And if messages from the feedback form go to a mailbox hosted elsewhere (especially a free one), your domain can land on blacklists, which are quite troublesome to get off.



Feedback forms like this literally flood Runet. There are tens of thousands of them, which means your company's site may well be among them. And at any moment your workflow can stop at the first whim of an attacker. After all, e-mail is in most cases the most important means of communication for many companies.



Unfortunately, punishing an attacker, even if you know exactly who it is, is almost impossible. Here is how an employee of the St. Petersburg computer crime department commented on this:

In fact, today the sphere of computer crime is a weak spot in the legislation of the Russian Federation (and, by and large, in the world too), and so far no significant changes in this area are noticeable.

At the moment we have three fundamental articles of the Criminal Code related directly to this area.



Chapter 28 of the Criminal Code of the Russian Federation.

Computer crimes

Article 272. Illegal access to computer information

Article 273. Creation, use and distribution of computer malware.

Article 274. Violation of the rules for operating a computer, computer system or their network



And an additional amendment to the federal law "On Advertising" dated March 13, 2006, No. 38-, introduced on July 1, 2007:

Section 18. Advertising Distributed by Telecommunication Networks and Placed on Mailings



Thus, this act committed by a criminal falls under Article 274, Violation of the rules for operating a computer, computer system or their network, because with a sufficient number of requests, the so-called DDoS attack, it entails

(quote: the blocking of computer information protected by law) and the POSSIBLE punishment takes the form of

(quote: deprivation of the right to occupy certain positions or engage in certain activities for up to five years, or compulsory work for a period of one hundred eighty to two hundred and forty hours, or restraint of liberty for up to two years.)



But in this particular case the case will be closed almost immediately for actual absence of corpus delicti, since even if a suspect's PC is seized, it will be impossible to find traces of malicious actions that could not be explained by imperfections of the particular software installed on that PC.



Even if the injured party insists on continuing the investigation, it will be necessary to recreate, with 100% accuracy, a situation in which a similar situation may occur, and also to send requests to the developer of the software that most likely caused the failure and to the developers of the software that interacts with it directly, because the situation was not necessarily caused by only one of the programs rather than by an error in their interaction. And this, in turn, may take more than one or two years. Therefore, punishing the criminal is simply not possible.


Now let's see how the vulnerable feedback form works.



In most cases the feedback form sends its data with the POST method, or directly via the mail() function. Without going deep into the weeds, these solutions share one weakness: sending a huge number of letters to the mailbox that receives messages from the feedback form can be automated. Look at the warning the Firefox 2 browser shows about resending data to the server:



[Screenshot: the Mozilla Firefox 2.0.0.12 browser warning about resending form data]

As you understand, simply pressing F5 on the keyboard will send the letter again. And automating this process, I repeat, is not at all difficult (at least with the help of Opera).



And now let's talk about how to correct the situation without abandoning the feedback form.



I offer five options; each has both positive and negative sides.



Option number 1:

Ajax



Here are a few ready-made ones:

AJAX contact form (description, demo)

An AJAX contact form (description, demo)

Ajax.Form.Mootools (description + demo)



Good: many ready-made examples; the message is sent without reloading the page;



Bad: if the user has JavaScript disabled, the form will not work.


Option number 2:

Redirect.



After the message is sent, redirect instantly to any other page, for example to the page with the form itself. Above the form you can display a notice that the letter has been sent.



This can be done in several ways; the clumsiest is through a META tag:

  <meta http-equiv="refresh" content="0; url=index.html">




Good: works, and in most cases helps;



Bad: this solution has disgusting usability.
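The redirect option is really the Post/Redirect/Get pattern done server-side: the POST handler never renders a page of its own, it answers 303 and sends the browser to GET the form, so a reload repeats a harmless GET instead of re-posting. The following is an added example in Python (WSGI), not code from the original post; the deliver() hook and the SENT list are constructed stand-ins for the site's real mail() call or database insert, and the form URL is assumed to be the one it is served from.

```python
"""Post/Redirect/Get for a feedback form (added example, WSGI, Python 3)."""
import io
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

SENT = []  # constructed stand-in for the real delivery channel (mail or DB)


def deliver(name, message):
    """Hypothetical delivery hook: the site's own mail() or INSERT goes here."""
    SENT.append((name, message))


def render_form(notice=""):
    banner = f"<p>{notice}</p>" if notice else ""
    return (f"{banner}<form method='post'>"
            "<input name='name'><textarea name='message'></textarea>"
            "<button>send</button></form>")


def app(environ, start_response):
    """WSGI app: POST delivers and answers 303, so the browser's next request
    (and any F5 on the result) is a GET of the form, never a second POST."""
    cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    if environ["REQUEST_METHOD"] == "POST":
        size = int(environ.get("CONTENT_LENGTH") or 0)
        fields = parse_qs(environ["wsgi.input"].read(size).decode())
        deliver(fields.get("name", [""])[0], fields.get("message", [""])[0])
        # 303 See Other: the follow-up request is a GET regardless of the original method.
        # The one-shot "flash" cookie carries the "sent" notice across the redirect.
        start_response("303 See Other", [
            ("Location", environ.get("PATH_INFO", "/")),
            ("Set-Cookie", "flash=sent; Path=/; HttpOnly"),
        ])
        return [b""]
    notice = "Your message has been sent." if "flash" in cookies else ""
    headers = [("Content-Type", "text/html; charset=utf-8")]
    if notice:
        # Clear the flash cookie so the notice shows exactly once.
        headers.append(("Set-Cookie", "flash=; Path=/; Max-Age=0"))
    start_response("200 OK", headers)
    return [render_form(notice).encode()]


def call(method, body=b"", cookie=""):
    """Drive app() with a constructed environ; returns (status, headers, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/contact",
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body),
               "HTTP_COOKIE": cookie}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    out = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], out.decode()


if __name__ == "__main__":
    print(call("POST", b"name=Ann&message=hello"))   # 303 with Location: /contact
    print(call("GET", cookie="flash=sent"))           # 200, form with the "sent" notice
```

The redirect alone does not stop a deliberate flood (a script can POST as often as it likes); what it removes is the accidental and the lazy F5 resend, and it gives the browser nothing to warn about.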


Option number 3:

Work with the database.



The form does not send the message to a mailbox but adds it to a database. Accordingly, spam attempts can be cut off simply and without fuss. For example, no record is made in the database if the content exactly matches the content of the previous message, provided the senders have the same IP address or come from the same subnet. Here you can think up many variations. Messages from the feedback form can also be integrated with, for example, a CRM.



Good: in my opinion a very good defense;



Bad: a database is required, the script's running time increases, capacity requirements grow (especially if the site is popular), and you can still be deceived.


Option number 4:

Cookie.



When the "send" button is clicked, you can set a cookie in the browser; while it is present, the message can only be sent again after some time has passed.



Good: the method works, the potential volume of spam decreases;



Bad: cookies can be disabled (deliberately or not, but you will not refuse to send a message just because cookies are disabled), and cookies can be erased automatically.
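The cookie throttle from option 4, as an added example in Python that is not from the post. The cookie carries the time of the last successful send, signed with a server-side HMAC key so that an edited timestamp is simply ignored; a missing or invalid cookie is treated as "no cookie", which matches the text's caveat that a sender without cookies is still allowed through. SECRET and MIN_INTERVAL are constructed values and an assumed policy.

```python
"""Signed throttle cookie for a feedback form (added example, not from the post)."""
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret-replace-me"  # constructed; load from config in production
MIN_INTERVAL = 60.0                             # seconds between sends (assumed policy)


def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def make_sent_cookie(now=None):
    """Value for the cookie set after a successful send: "<unix ts>.<hmac>"."""
    now = time.time() if now is None else now
    payload = str(int(now))
    return f"{payload}.{_sign(payload)}"


def last_sent_from_cookie(value):
    """Return the trusted timestamp, or None if the cookie is absent or its
    signature does not verify (an altered timestamp yields None, not a new time)."""
    if not value or "." not in value:
        return None
    payload, sig = value.rsplit(".", 1)
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    try:
        return float(payload)
    except ValueError:
        return None


def may_send(cookie_value, now=None):
    """True unless a valid cookie says the last send was less than MIN_INTERVAL ago."""
    now = time.time() if now is None else now
    last = last_sent_from_cookie(cookie_value)
    return last is None or now - last >= MIN_INTERVAL


def set_cookie_header(value, max_age=int(MIN_INTERVAL)):
    """Set-Cookie header value; Max-Age lets the browser drop it once the wait is over."""
    return f"sent={value}; Path=/; Max-Age={max_age}; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    c = make_sent_cookie(now=1000)
    print(set_cookie_header(c))
    print(may_send(c, now=1030), may_send(c, now=1061))   # False True
```

Because the throttle lives entirely in the client's cookie jar, it is best paired with a server-side check such as the database filter of option 3; on its own it only reduces the volume, as the text says.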


Option number 5:

Captcha.



Captcha (if it is not a badly made one) will save you from spam through the feedback form.



These links will help you:

reCaptcha

CAPTCHA.ru

Cryptographp

w3captcha



Good: effective way;



Bad: I personally am not comfortable with captcha; moreover, even an especially complex captcha can be recognized and circumvented.




It is worth keeping in mind that there is still no absolute panacea; these methods (which, by the way, can easily be improved, combined, and so on) will simply help you shield yourself from the pranks of young and inexperienced network hooligans.

Thanks to metalalisa for the addition. To be honest, I wanted to write about captcha but forgot :)



Cross post from my blog.

Source: https://habr.com/ru/post/21934/
