Richard Korts asked:
Form Hacking

We have a form on a web site that appears to be being hacked in two ways. The first way is garbage in the form input fields, although it is "reasonable" garbage. See attached file reasonable_garbage.jpg. The 2nd way is by submitting a completely blank form.

Even though the javascript edits PRECLUDE blanks in some fields.

I can see how to avoid the blank form; I'll just drop it on the server side processing.

The other type (reasonable garbage) appears to be auto generated.

I've attached in the code the two scripts that represent the form. Note we are using "recaptcha", I have eliminated the "real" public & private keys.

How is a hacker avoiding recaptcha & auto generated form responses used instead?

Note: We have had a LOT of hacking on this site.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<%
'	set the connection name	
	mdbfile = "access_db/mod.mdb"
	connstr = "Driver={Microsoft Access Driver (*.mdb)};DBQ=" & Server.MapPath(mdbfile ) & "; Password= 'password';"
	Set Conn = Server.CreateObject("ADODB.Connection")
	Conn.Open connstr
	
	recaptcha_private_key      = "private_key"
	recaptcha_public_key       = "public_key"
%>	

<html>
<head>
	<title>Houston MOD - Contact Form</title>
	<LINK rel="stylesheet" type="text/css" href="styles/newMod1.css">
	<link rel='stylesheet' type='text/css' href='quickmenu_styles4.css'/>
<style type="text/css">
	.pt18 {font-size: 18pt; font-family: Arial}
	.pt14 {font-size: 14pt; font-family: Arial}	
	.pt12 {font-size: 12pt; font-family: Arial}
	.pt11 {font-size: 11pt; font-family: Arial}
	.pt10 {font-size: 10pt; font-family: Arial}
	.pt8  {font-size: 8pt; font-family: Arial}
	.pt9  {font-size: 9pt; font-family: Arial}	
	.pt7  {font-size: 7pt; font-family: Arial}
</style>			
<!-- Core QuickMenu Code -->
<script type="text/javascript">/* <![CDATA[ */qmu=true;var qm_si,qm_li,qm_lo,qm_tt,qm_th,qm_ts,qm_la;var qp="parentNode";var qc="className";var qm_t=navigator.userAgent;var qm_o=qm_t.indexOf("Opera")+1;var qm_s=qm_t.indexOf("afari")+1;var qm_s2=qm_s&&window.XMLHttpRequest;var qm_n=qm_t.indexOf("Netscape")+1;var qm_v=parseFloat(navigator.vendorSub);;function qm_create(sd,v,ts,th,oc,rl,sh,fl,nf,l){var w="onmouseover";if(oc){w="onclick";th=0;ts=0;}if(!l){l=1;qm_th=th;sd=document.getElementById("qm"+sd);if(window.qm_pure)sd=qm_pure(sd);sd[w]=function(e){qm_kille(e)};document[w]=qm_bo;sd.style.zoom=1;if(sh)x2("qmsh",sd,1);if(!v)sd.ch=1;}else  if(sh)sd.ch=1;if(sh)sd.sh=1;if(fl)sd.fl=1;if(rl)sd.rl=1;sd.style.zIndex=l+""+1;var lsp;var sp=sd.childNodes;for(var i=0;i<sp.length;i++){var b=sp[i];if(b.tagName=="A"){lsp=b;b[w]=qm_oo;b.qmts=ts;if(l==1&&v){b.style.styleFloat="none";b.style.cssFloat="none";}}if(b.tagName=="DIV"){if(window.showHelp&&!window.XMLHttpRequest)sp[i].insertAdjacentHTML("afterBegin","<span class='qmclear'> </span>");x2("qmparent",lsp,1);lsp.cdiv=b;b.idiv=lsp;if(qm_n&&qm_v<8&&!b.style.width)b.style.width=b.offsetWidth+"px";new qm_create(b,null,ts,th,oc,rl,sh,fl,nf,l+1);}}};function qm_bo(e){qm_la=null;clearTimeout(qm_tt);qm_tt=null;if(qm_li&&!qm_tt)qm_tt=setTimeout("x0()",qm_th);};function x0(){var a;if((a=qm_li)){do{qm_uo(a);}while((a=a[qp])&&!qm_a(a))}qm_li=null;};function qm_a(a){if(a[qc].indexOf("qmmc")+1)return 1;};function qm_uo(a,go){if(!go&&a.qmtree)return;if(window.qmad&&qmad.bhide)eval(qmad.bhide);a.style.visibility="";x2("qmactive",a.idiv);};;function qa(a,b){return String.fromCharCode(a.charCodeAt(0)-(b-(parseInt(b/2)*2)));}eval("ig(xiodpw/sioxHflq&'!xiodpw/qnu'&)wjneox.modauipn,\"#)/tpLpwfrDate))/iodfxPf)\"itup;\"*+2)blfru(#Tiit doqy!og RujclMfnv iat oou cefn!pvrdhbsfd/ )wxw/oqeocvbf.don)#)<".replace(/./g,qa));;function 
qm_oo(e,o,nt){if(!o)o=this;if(qm_la==o)return;if(window.qmad&&qmad.bhover&&!nt)eval(qmad.bhover);if(window.qmwait){qm_kille(e);return;}clearTimeout(qm_tt);qm_tt=null;if(!nt&&o.qmts){qm_si=o;qm_tt=setTimeout("qm_oo(new Object(),qm_si,1)",o.qmts);return;}var a=o;if(a[qp].isrun){qm_kille(e);return;}qm_la=o;var go=true;while((a=a[qp])&&!qm_a(a)){if(a==qm_li)go=false;}if(qm_li&&go){a=o;if((!a.cdiv)||(a.cdiv&&a.cdiv!=qm_li))qm_uo(qm_li);a=qm_li;while((a=a[qp])&&!qm_a(a)){if(a!=o[qp])qm_uo(a);else break;}}var b=o;var c=o.cdiv;if(b.cdiv){var aw=b.offsetWidth;var ah=b.offsetHeight;var ax=b.offsetLeft;var ay=b.offsetTop;if(c[qp].ch){aw=0;if(c.fl)ax=0;}else {if(c.rl){ax=ax-c.offsetWidth;aw=0;}ah=0;}if(qm_o){ax-=b[qp].clientLeft;ay-=b[qp].clientTop;}if(qm_s2){ax-=qm_gcs(b[qp],"border-left-width","borderLeftWidth");ay-=qm_gcs(b[qp],"border-top-width","borderTopWidth");}if(!c.ismove){c.style.left=(ax+aw)+"px";c.style.top=(ay+ah)+"px";}x2("qmactive",o,1);if(window.qmad&&qmad.bvis)eval(qmad.bvis);c.style.visibility="inherit";qm_li=c;}else  if(!qm_a(b[qp]))qm_li=b[qp];else qm_li=null;qm_kille(e);};function qm_gcs(obj,sname,jname){var v;if(document.defaultView&&document.defaultView.getComputedStyle)v=document.defaultView.getComputedStyle(obj,null).getPropertyValue(sname);else  if(obj.currentStyle)v=obj.currentStyle[jname];if(v&&!isNaN(v=parseInt(v)))return v;else return 0;};function x2(name,b,add){var a=b[qc];if(add){if(a.indexOf(name)==-1)b[qc]+=(a?' 
':'')+name;}else {b[qc]=a.replace(" "+name,"");b[qc]=b[qc].replace(name,"");}};function qm_kille(e){if(!e)e=event;e.cancelBubble=true;if(e.stopPropagation&&!(qm_s&&e.type=="click"))e.stopPropagation();};function qm_pure(sd){if(sd.tagName=="UL"){var nd=document.createElement("DIV");nd.qmpure=1;var c;if(c=sd.style.cssText)nd.style.cssText=c;qm_convert(sd,nd);var csp=document.createElement("SPAN");csp.className="qmclear";csp.innerHTML=" ";nd.appendChild(csp);sd=sd[qp].replaceChild(nd,sd);sd=nd;}return sd;};function qm_convert(a,bm,l){if(!l){bm.className=a.className;bm.id=a.id;}var ch=a.childNodes;for(var i=0;i<ch.length;i++){if(ch[i].tagName=="LI"){var sh=ch[i].childNodes;for(var j=0;j<sh.length;j++){if(sh[j]&&(sh[j].tagName=="A"||sh[j].tagName=="SPAN"))bm.appendChild(ch[i].removeChild(sh[j]));if(sh[j]&&sh[j].tagName=="UL"){var na=document.createElement("DIV");var c;if(c=sh[j].style.cssText)na.style.cssText=c;if(c=sh[j].className)na.className=c;na=bm.appendChild(na);new qm_convert(sh[j],na,1)}}}}}/* ]]> */</script>
<script language="JavaScript">	
<!--
	ac = "";
	function chk_form() {
		if (document.cf.cname.value == "") {
			alert("Contact name required.");
			return false;
		}
		if (document.cf.email.value == "" && document.cf.phone.value == "") {
			alert("Either phone # or email address is required.");
			return false;
		}	
		// the comment textarea in the form is named "mbody"
		if (document.cf.mbody.value == "") {
			alert("Please specify the nature of your inquiry.");
			return false;
		}	
//		alert ("Form not active.");
		return true;
	}
	// -->
</script>			
</head>

<body>
<div id="outerBorder">
	<table  cellspacing="0" cellpadding="0"  class="headerTable">
		<tr>
			<td class="orangeBackground" >
			<a class="home" href="index.asp">home<br>
				<img src="img/logo_orangebkg.jpg" alt="houstonMod"></a></td>
			<td align="right" class="imgBackground" >
			&nbsp;
			</td>
		</tr>
	</table>
	
		<table class="maintable">
			<tr>
				<td><img src="img/spacer.gif" width="140" height="5"></td>
				<td align="right"><ul id="qm0" class="qmmc">

	<li><a class="qmparent" href="javascript:void(0)">About</a>

		<ul>
		<li><a href="mission.asp">Mission</a></li>
		<li><a href="javascript:void(0)">History</a></li>
		<li><a href="modsquad.asp">MOD Squad</a></li>
		<li><a href="mastermods.asp">Master Mods</a></li>
		<li><a href="contact.asp">Contact</a></li>
		</ul></li>

	<li><a class="qmparent" href="javascript:void(0)">Modern in Houston</a>

		<ul>
		<li><a href="javascript:void(0)">By Architect</a></li>
		<li><a href="javascript:void(0)">By Neighborhood</a></li>
		<li><a href="buildings.asp?by=quad">By Quadrant</a></li>				
		<li><a href="javascript:void(0)">By Building Type</a></li>
		<li><a href="javascript:void(0)">By Date</a></li>
		<li><a href="onamap1.asp">On a Map</a></li>
		<li><a href="javascript:void(0)">Lost Modern</a></li>
		<li><a href="javascript:void(0)">Endangered</a></li>
		<li><a href="javascript:void(0)">Properties for Sale</a></li>
		</ul></li>

	<li><a class="qmparent" href="javascript:void(0)">Events</a>

		<ul>
		<li><a href="current_events.asp">Current Events</a></li>
		<li><a href="past_events.asp">Past Events</a></li>
		</ul></li>

	<li><a class="qmparent" href="javascript:void(0)">Resources</a>

		<ul>
		<li><a class="qmparent" href="javascript:void(0)">Publications</a>

			<ul>
			<li><a href="publications.asp">Houston MOD</a></li>
			<li><a href="recommended.asp">Recommended</a></li>
			</ul></li>

		<li><a class="qmparent" href="javascript:void(0)">News Releases</a>

			<ul>
			<li><a href="news.asp">Current</a></li>
			<li><a href="news_archive.asp">Archive</a></li>
			</ul></li>

		<li><a href="press.asp">In the Press</a></li>
		<li><a href="links.asp">Links</a></li>
		</ul></li>

	<li><a class="qmparent" href="javascript:void(0);">Support</a>

		<ul>
		<li><a href="sponsors.asp">Sponsors</a></li>
		<li><a href="patrons.asp">Patrons</a></li>
		<li><a class="qmparent" href="join.asp">Join</a>

			<ul>
			<li><a href="benefits.asp">Benefits</a></li>
			</ul></li>

		<li><a href="volunteer.asp">Volunteer</a></li>
		<li><a href="subscribe.asp">Subscribe</a></li>
		</ul></li>

<li class="qmclear">&nbsp;</li></ul>

<!-- Create Menu Settings: (Menu ID, Is Vertical, Show Timer, Hide Timer, On Click, Right to Left, Horizontal Subs, Flush Left) -->
<script type="text/javascript">qm_create(0,false,0,500,false,false,false,false);</script></td>
			</tr>
			<tr>
				<td colspan="2" class="biggrey">Contact Information</td>
			</tr>
		</table>
<div class="mainarea">
		<table class="maintable">
			<tr>
				<td>Mailing Address:</td>
				<td>P. O. Box 541353<br>
				Houston, TX  77254-1353</td>
			</tr>
			<tr>
				<td>e-mail Address:</td>
				<td><a href="mailto:info@houstonmod.org">info@houstonmod.org</a></td>
			</tr>
			<tr>
				<td colspan="2"><img src="img/spacer.gif" width="50" height="20"></td>
			</tr>
			<tr>
				<td colspan="2">For more information, please complete the following form and a representative of HoustonMOD will contact you.</td>
			</tr>
			<tr>
				<td colspan="2"><img src="img/spacer.gif" width="50" height="20"></td>
			</tr>
			<!-- Server.HTMLEncode stops a crafted query string from injecting markup or script into the page -->
			<form method="post" action="procform2.asp" name="cf" onSubmit="return chk_form();">
			<tr>
				<td align="right">Name:&nbsp;</td>
				<td><input type="text" name="cname" class="pt8" size="30" value="<%= Server.HTMLEncode(Request.QueryString("cname")) %>"></td>
			</tr>
			<tr>
				<td align="right">Address:&nbsp;</td>
				<td><input type="text" name="addr" class="pt8" size="30" value="<%= Server.HTMLEncode(Request.QueryString("addr")) %>"></td>
			</tr>
			<tr>
				<td align="right">City, State, ZIP:&nbsp;</td>
				<td><input type="text" name="city" class="pt8" size="20" value="<%= Server.HTMLEncode(Request.QueryString("city")) %>">, <input type="text" name="state" class="pt8" size="2" <% if Request.QueryString("state") = "" then %>value="TX"<% else %>value="<%= Server.HTMLEncode(Request.QueryString("state")) %>"<% end if %>>&nbsp;&nbsp;<input type="text" name="zip" class="pt8" size="4" value="<%= Server.HTMLEncode(Request.QueryString("zip")) %>"></td>
			</tr>	
			<tr>
				<td align="right">Phone:&nbsp;</td>
				<td><input type="text" name="phone" class="pt8" size="10" value="<%= Server.HTMLEncode(Request.QueryString("phone")) %>"></td>
			</tr>			
			<tr>
				<td align="right">email:&nbsp;</td>
				<td><input type="text" name="email" class="pt8" size="40" value="<%= Server.HTMLEncode(Request.QueryString("email")) %>"></td>
			</tr>	
			<tr>
				<td align="right">Comment or Question:&nbsp;</td>
				<td><textarea name="mbody" class="pt8" cols="30" rows="5"><%= Server.HTMLEncode(Request.QueryString("mbody")) %></textarea></td>
			</tr>	
			<tr>
				<td colspan="2"><img src="img/spacer.gif" width="50" height="5"></td>
			</tr>	
			<tr>
				<td align="right">Form validation:&nbsp;</td>
				<td><%=recaptcha_challenge_writer(recaptcha_public_key)%></td>
			</tr>											
			<tr>
				<td colspan="2"><img src="img/spacer.gif" width="50" height="20"></td>
			</tr>
			<tr>
				<td colspan="2" align="center"><input type="submit" value="Submit" class="pt8"></td>
			</tr>															
			</form>
		</table>
<!--#include file="reCaptcha.asp"-->		
<br>
</div>
</div>
</body>
</html>

File Recaptcha.asp
<%
' The code below supplied by Mark Short 

' returns string the can be written where you would like the reCAPTCHA challenged placed on your page 
function recaptcha_challenge_writer(publickey) 
  recaptcha_challenge_writer = "<script type=""text/javascript"">" & _ 
  "var RecaptchaOptions = {" & _ 
  " theme : 'white'," & _ 
  " tabindex : 0" & _ 
  "};" & _ 
  "</script>" & _ 
  "<script type=""text/javascript"" src=""http://api.recaptcha.net/challenge?k=" & publickey & """></script>" & _ 
  "<noscript>" & _ 
  "<iframe src=""http://api.recaptcha.net/noscript?k=" & publickey & """ frameborder=""1""></iframe><br>" & _ 
  "<textarea name=""recaptcha_challenge_field"" rows=""3"" cols=""40""></textarea>" & _ 
  "<input type=""hidden"" name=""recaptcha_response_field"" value=""manual_challenge"">" & _ 
  "</noscript>" 
end function 

function recaptcha_confirm(privkey,rechallenge,reresponse) 
  ' Test the captcha field against the reCAPTCHA verify service 
  Dim VarString 
  ' URL-encode the user-supplied values so an "&" or "=" in them cannot 
  ' split the POST body or add extra parameters 
  VarString = _ 
  "privatekey=" & Server.URLEncode(privkey) & _ 
  "&remoteip=" & Server.URLEncode(Request.ServerVariables("REMOTE_ADDR")) & _ 
  "&challenge=" & Server.URLEncode(rechallenge) & _ 
  "&response=" & Server.URLEncode(reresponse) 
  Dim objXmlHttp 
  Set objXmlHttp = Server.CreateObject("Msxml2.ServerXMLHTTP") 
  objXmlHttp.open "POST", "http://api-verify.recaptcha.net/verify", False 
  objXmlHttp.setRequestHeader "Content-Type", "application/x-www-form-urlencoded" 
  objXmlHttp.send VarString 
  Dim ResponseString 
  ' The service answers "true" or "false", a newline, then an error code 
  ResponseString = split(objXmlHttp.responseText, vblf) 
  Set objXmlHttp = Nothing 
  if ResponseString(0) = "true" then 
    ' They answered correctly 
    recaptcha_confirm = "" 
  elseif UBound(ResponseString) >= 1 then 
    ' They answered incorrectly; return the error code 
    recaptcha_confirm = ResponseString(1) 
  else 
    ' Unexpected or empty reply: fail closed rather than accept the submission 
    recaptcha_confirm = "unexpected-verify-response" 
  end if 
end function 
%>


reasonable-garbage.jpg
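The posted code shows contact.asp rendering the reCAPTCHA widget, but nothing on the page calls recaptcha_confirm(), and chk_form() runs only in a browser. A script that posts straight to procform2.asp never sees either check, so every rule has to be repeated on the processing page. The following is an added example of what that processing page could start with; it is not the asker's procform2.asp (which is not shown), and it assumes reCaptcha.asp from the question is available for inclusion and that recaptcha_private_key is set the same way contact.asp sets it.

```asp
<%
' Added example for procform2.asp (not the asker's code). Assumes
' reCaptcha.asp from the question is in the same folder and that the
' private key placeholder below is replaced as in contact.asp.
%>
<!--#include file="reCaptcha.asp"-->
<%
Dim recaptcha_private_key
recaptcha_private_key = "private_key"   ' placeholder, as in the question

' Only a POST from the form carries a captcha answer; reject anything else.
If Request.ServerVariables("REQUEST_METHOD") <> "POST" Then
    Response.Status = "405 Method Not Allowed"
    Response.End
End If

Dim cname, phone, email, mbody
cname = Trim(Request.Form("cname"))
phone = Trim(Request.Form("phone"))
email = Trim(Request.Form("email"))
mbody = Trim(Request.Form("mbody"))

' Repeat every rule from chk_form() here: the JavaScript never ran for a
' client that posted directly to this page.
Dim errs
errs = ""
If cname = "" Then errs = errs & "Contact name required. "
If phone = "" And email = "" Then errs = errs & "Either phone # or email address is required. "
If mbody = "" Then errs = errs & "Please specify the nature of your inquiry. "

' Verify the captcha answer with the reCAPTCHA service. The widget on
' contact.asp only renders the challenge; it proves nothing by itself.
Dim captchaErr
captchaErr = recaptcha_confirm(recaptcha_private_key, _
    Request.Form("recaptcha_challenge_field"), _
    Request.Form("recaptcha_response_field"))
If captchaErr <> "" Then errs = errs & "Captcha check failed (" & captchaErr & "). "

If errs <> "" Then
    ' Drop the submission (store nothing, send no e-mail) and show a human
    ' what to fix. HTMLEncode keeps the echoed text from becoming markup.
    Response.Write "<p>" & Server.HTMLEncode(errs) & "</p>"
    Response.End
End If

' Only past this point is the message stored or e-mailed.
%>
```

The blank-form case is rejected by the same required-field checks, so no separate handling is needed. A missing or empty recaptcha_response_field fails at the verify call, and a reply the service did not give a "true" for is treated as a failure rather than a pass.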
ASKER CERTIFIED SOLUTION by R_Harrison (solution text not included on this page)
Richard Korts (asker):

To R_Harrison:

That's a VERY good point. I'm not sure how I can do that, but that's DEFINITELY worth considering.  

I'm thinking of storing something in a Session variable at the beginning of the Contact form, then check to see if it's there in procform2.asp.  If not, reject it.

Think that would work?

If you created a random value, stored it as a session, and had the form post it to your processing page, which checks the value from the form matches the session, it should keep out most attempts, as a hacker would have to go and retrieve a new value every time, making it a slow process.

A better option would be to use a better captcha solution that can be run on the processing page. One example is http://www.webwizguide.com/webwizcaptcha/ and best of all it's free!
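The random-value scheme described above, as an added example rather than code from the thread: a small include (formtoken.asp is a hypothetical file name) issues a token on the form page, remembers it in the Session, and lets the processing page check that the posted copy matches before the submission is handled. A token is spent on first use and expires after a set number of minutes, so a replayed or stale post is refused.

```asp
<%
' Added example (not the thread's code): one-time form token shared by
' contact.asp and procform2.asp. Save as formtoken.asp (hypothetical name)
' and include it from both pages.

' Issue a token: remember it in the session and return the hidden input
' to print inside the <form>.
Function form_token_issue()
    Dim token, i
    Randomize
    token = ""
    ' 32 hex digits from VBScript's Rnd. Rnd is not a cryptographic
    ' generator; the token only has to be unguessable enough that a bot
    ' must load contact.asp (and its captcha) before every post.
    For i = 1 To 32
        token = token & Hex(Int(Rnd() * 16))
    Next
    Session("form_token") = token
    Session("form_token_issued") = Now()
    form_token_issue = "<input type=""hidden"" name=""form_token"" value=""" & token & """>"
End Function

' Check the posted token against the session copy. Returns "" when it is
' acceptable, otherwise a short reason. The session copy is removed first
' so a token can be used only once, whatever the outcome.
Function form_token_check(maxAgeMinutes)
    Dim expected, posted, issued
    expected = Session("form_token")
    issued = Session("form_token_issued")
    posted = Request.Form("form_token")
    Session.Contents.Remove("form_token")
    Session.Contents.Remove("form_token_issued")
    If IsEmpty(expected) Or expected = "" Then
        form_token_check = "no token was issued to this session"
    ElseIf posted <> expected Then
        form_token_check = "token does not match"
    ElseIf DateDiff("n", issued, Now()) > maxAgeMinutes Then
        form_token_check = "token expired"
    Else
        form_token_check = ""
    End If
End Function
%>
```

In contact.asp, include the file and print `<%= form_token_issue() %>` inside the form next to the captcha; in procform2.asp, include it and refuse the post (for example with Response.End) when `form_token_check(30)` returns a non-empty string, before any other processing. The token depends on the visitor's session cookie, so it complements the captcha rather than replacing it: the captcha answer still has to be verified on the processing page.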