

Form Hacking

Posted on 2010-01-06
Last Modified: 2013-11-25
We have a form on a web site that appears to be getting hacked in two ways. The first way is garbage in the form input fields, although it is "reasonable" garbage; see the attached file reasonable_garbage.jpg. The 2nd way is by submitting a completely blank form.

Even though the javascript edits PRECLUDE blanks in some fields.

I can see how to avoid the blank form; I'll just drop it on the server side processing.

The other type (reasonable garbage) appears to be auto generated.

I've attached in the code the two scripts that represent the form. Note we are using "recaptcha", I have eliminated the "real" public & private keys.

How is a hacker avoiding recaptcha, and are auto-generated form responses being submitted instead?

Note: We have had a LOT of hacking on this site.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<%
' Page setup: open the site database and load the reCAPTCHA key pair. The
' variable names below are used further down this page (recaptcha_public_key
' in the "Form validation" row) and must stay as they are.
'	set the connection name	
	mdbfile = "access_db/mod.mdb"
	' NOTE(review): the Access file is resolved under the web root via
	' Server.MapPath; if that folder is served by IIS the database itself is
	' downloadable - confirm it is blocked. The password literal is a placeholder
	' the author substituted for the real value.
	connstr = "Driver={Microsoft Access Driver (*.mdb)};DBQ=" & Server.MapPath(mdbfile ) & "; Password= 'password';"
	Set Conn = Server.CreateObject("ADODB.Connection")
	Conn.Open connstr
	
	' reCAPTCHA keys (placeholders, per the question text). The public key is
	' rendered into the page; the private key is not referenced anywhere in this
	' page as shown, so the verify call presumably lives in procform2.asp - confirm.
	recaptcha_private_key      = "private_key"
	recaptcha_public_key       = "public_key"
%>	

<html>
<head>
	<title>Houston MOD - Contact Form</title>
	<LINK rel="stylesheet" type="text/css" href="styles/newMod1.css">
	<link rel='stylesheet' type='text/css' href='quickmenu_styles4.css'/>
<style type="text/css">
	.pt18 {font-size: 18pt; font-family: Arial}
	.pt14 {font-size: 14pt; font-family: Arial}	
	.pt12 {font-size: 12pt; font-family: Arial}
	.pt11 {font-size: 11pt; font-family: Arial}
	.pt10 {font-size: 10pt; font-family: Arial}
	.pt8  {font-size: 8pt; font-family: Arial}
	.pt9  {font-size: 9pt; font-family: Arial}	
	.pt7  {font-size: 7pt; font-family: Arial}
</style>			
<!-- Core QuickMenu Code -->
<script type="text/javascript">/* <![CDATA[ *//* Vendored, minified QuickMenu drop-down menu library (see the "Core QuickMenu Code" marker above); it only drives the navigation menu and plays no part in the contact form. Note for reviewers: several paths execute strings at runtime - eval(qmad.bhover/bhide/bvis) when a page defines a qmad object, setTimeout with string arguments, and an eval of the decoded literal after qa() below - all in this page's origin, so only an unmodified copy from the vendor should be deployed. */qmu=true;var qm_si,qm_li,qm_lo,qm_tt,qm_th,qm_ts,qm_la;var qp="parentNode";var qc="className";var qm_t=navigator.userAgent;var qm_o=qm_t.indexOf("Opera")+1;var qm_s=qm_t.indexOf("afari")+1;var qm_s2=qm_s&&window.XMLHttpRequest;var qm_n=qm_t.indexOf("Netscape")+1;var qm_v=parseFloat(navigator.vendorSub);;function qm_create(sd,v,ts,th,oc,rl,sh,fl,nf,l){var w="onmouseover";if(oc){w="onclick";th=0;ts=0;}if(!l){l=1;qm_th=th;sd=document.getElementById("qm"+sd);if(window.qm_pure)sd=qm_pure(sd);sd[w]=function(e){qm_kille(e)};document[w]=qm_bo;sd.style.zoom=1;if(sh)x2("qmsh",sd,1);if(!v)sd.ch=1;}else  if(sh)sd.ch=1;if(sh)sd.sh=1;if(fl)sd.fl=1;if(rl)sd.rl=1;sd.style.zIndex=l+""+1;var lsp;var sp=sd.childNodes;for(var i=0;i<sp.length;i++){var b=sp[i];if(b.tagName=="A"){lsp=b;b[w]=qm_oo;b.qmts=ts;if(l==1&&v){b.style.styleFloat="none";b.style.cssFloat="none";}}if(b.tagName=="DIV"){if(window.showHelp&&!window.XMLHttpRequest)sp[i].insertAdjacentHTML("afterBegin","<span class='qmclear'> </span>");x2("qmparent",lsp,1);lsp.cdiv=b;b.idiv=lsp;if(qm_n&&qm_v<8&&!b.style.width)b.style.width=b.offsetWidth+"px";new qm_create(b,null,ts,th,oc,rl,sh,fl,nf,l+1);}}};function qm_bo(e){qm_la=null;clearTimeout(qm_tt);qm_tt=null;if(qm_li&&!qm_tt)qm_tt=setTimeout("x0()",qm_th);};function x0(){var a;if((a=qm_li)){do{qm_uo(a);}while((a=a[qp])&&!qm_a(a))}qm_li=null;};function qm_a(a){if(a[qc].indexOf("qmmc")+1)return 1;};function qm_uo(a,go){if(!go&&a.qmtree)return;if(window.qmad&&qmad.bhide)eval(qmad.bhide);a.style.visibility="";x2("qmactive",a.idiv);};;/* qa(): un-shifts every odd-offset character of the literal that follows; eval() then runs the decoded text at load time. Decoded, it appears to be the vendor's licence notice, skipped when the qmu flag set at the top is true - confirm against an unobfuscated copy. */function qa(a,b){return String.fromCharCode(a.charCodeAt(0)-(b-(parseInt(b/2)*2)));}eval("ig(xiodpw/sioxHflq&'!xiodpw/qnu'&)wjneox.modauipn,\"#)/tpLpwfrDate))/iodfxPf)\"itup;\"*+2)blfru(#Tiit doqy!og RujclMfnv iat oou cefn!pvrdhbsfd/ )wxw/oqeocvbf.don)#)<".replace(/./g,qa));;function 
qm_oo(e,o,nt){if(!o)o=this;if(qm_la==o)return;if(window.qmad&&qmad.bhover&&!nt)eval(qmad.bhover);if(window.qmwait){qm_kille(e);return;}clearTimeout(qm_tt);qm_tt=null;if(!nt&&o.qmts){qm_si=o;qm_tt=setTimeout("qm_oo(new Object(),qm_si,1)",o.qmts);return;}var a=o;if(a[qp].isrun){qm_kille(e);return;}qm_la=o;var go=true;while((a=a[qp])&&!qm_a(a)){if(a==qm_li)go=false;}if(qm_li&&go){a=o;if((!a.cdiv)||(a.cdiv&&a.cdiv!=qm_li))qm_uo(qm_li);a=qm_li;while((a=a[qp])&&!qm_a(a)){if(a!=o[qp])qm_uo(a);else break;}}var b=o;var c=o.cdiv;if(b.cdiv){var aw=b.offsetWidth;var ah=b.offsetHeight;var ax=b.offsetLeft;var ay=b.offsetTop;if(c[qp].ch){aw=0;if(c.fl)ax=0;}else {if(c.rl){ax=ax-c.offsetWidth;aw=0;}ah=0;}if(qm_o){ax-=b[qp].clientLeft;ay-=b[qp].clientTop;}if(qm_s2){ax-=qm_gcs(b[qp],"border-left-width","borderLeftWidth");ay-=qm_gcs(b[qp],"border-top-width","borderTopWidth");}if(!c.ismove){c.style.left=(ax+aw)+"px";c.style.top=(ay+ah)+"px";}x2("qmactive",o,1);if(window.qmad&&qmad.bvis)eval(qmad.bvis);c.style.visibility="inherit";qm_li=c;}else  if(!qm_a(b[qp]))qm_li=b[qp];else qm_li=null;qm_kille(e);};function qm_gcs(obj,sname,jname){var v;if(document.defaultView&&document.defaultView.getComputedStyle)v=document.defaultView.getComputedStyle(obj,null).getPropertyValue(sname);else  if(obj.currentStyle)v=obj.currentStyle[jname];if(v&&!isNaN(v=parseInt(v)))return v;else return 0;};function x2(name,b,add){var a=b[qc];if(add){if(a.indexOf(name)==-1)b[qc]+=(a?' 
':'')+name;}else {b[qc]=a.replace(" "+name,"");b[qc]=b[qc].replace(name,"");}};/* qm_kille(): stops the event from bubbling; qm_pure()/qm_convert(): at init, rewrite the <ul>/<li> menu markup into nested DIVs. */function qm_kille(e){if(!e)e=event;e.cancelBubble=true;if(e.stopPropagation&&!(qm_s&&e.type=="click"))e.stopPropagation();};function qm_pure(sd){if(sd.tagName=="UL"){var nd=document.createElement("DIV");nd.qmpure=1;var c;if(c=sd.style.cssText)nd.style.cssText=c;qm_convert(sd,nd);var csp=document.createElement("SPAN");csp.className="qmclear";csp.innerHTML=" ";nd.appendChild(csp);sd=sd[qp].replaceChild(nd,sd);sd=nd;}return sd;};function qm_convert(a,bm,l){if(!l){bm.className=a.className;bm.id=a.id;}var ch=a.childNodes;for(var i=0;i<ch.length;i++){if(ch[i].tagName=="LI"){var sh=ch[i].childNodes;for(var j=0;j<sh.length;j++){if(sh[j]&&(sh[j].tagName=="A"||sh[j].tagName=="SPAN"))bm.appendChild(ch[i].removeChild(sh[j]));if(sh[j]&&sh[j].tagName=="UL"){var na=document.createElement("DIV");var c;if(c=sh[j].style.cssText)na.style.cssText=c;if(c=sh[j].className)na.className=c;na=bm.appendChild(na);new qm_convert(sh[j],na,1)}}}}}/* ]]> */</script>
<script language="JavaScript">	
<!--
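	// Declared explicitly: the original assignment created an implicit global.
	// Nothing else in this page (as shown) reads `ac`; kept for compatibility.
	var ac = "";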
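	/**
	 * Client-side pre-check run from the form's onSubmit handler.
	 *
	 * Required: a contact name, at least one of phone/email, and a comment.
	 * This only improves the experience for real visitors; a request posted
	 * directly to procform2.asp never runs it, so the same rules (and the
	 * reCAPTCHA check) have to be enforced again on the server.
	 *
	 * @param {HTMLFormElement} [form] - form to check; defaults to document.cf
	 *   so the existing `onSubmit="return chk_form();"` call keeps working.
	 * @returns {boolean} true to let the browser submit, false to block it.
	 */
	function chk_form(form) {
		var f = form || document.cf;
		if (f.cname.value === "") {
			alert("Contact name required.");
			return false;
		}
		if (f.email.value === "" && f.phone.value === "") {
			alert("Either phone # or email address is required.");
			return false;
		}
		// The comment box is named "mbody" in the form; the original checked a
		// non-existent "txt" field, which threw before this rule could run.
		if (f.mbody.value === "") {
			alert("Please specify the nature of your inquiry.");
			return false;
		}
		return true;
	}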
	// -->
</script>			
</head>

<body>
<div id="outerBorder">
	<table  cellspacing="0" cellpadding="0"  class="headerTable">
		<tr>
			<td class="orangeBackground" >
			<a class="home" href="index.asp">home<br>
				<img src="img/logo_orangebkg.jpg" alt="houstonMod"></a></td>
			<td align="right" class="imgBackground" >
			&nbsp;
			</td>
		</tr>
	</table>
	
		<table class="maintable">
			<tr>
				<td><img src="img/spacer.gif" width="140" height="5"></td>
				<td align="right"><ul id="qm0" class="qmmc">

	<li><a class="qmparent" href="javascript:void(0)">About</a>

		<ul>
		<li><a href="mission.asp">Mission</a></li>
		<li><a href="javascript:void(0)">History</a></li>
		<li><a href="modsquad.asp">MOD Squad</a></li>
		<li><a href="mastermods.asp">Master Mods</a></li>
		<li><a href="contact.asp">Contact</a></li>
		</ul></li>

	<li><a class="qmparent" href="javascript:void(0)">Modern in Houston</a>

		<ul>
		<li><a href="javascript:void(0)">By Architect</a></li>
		<li><a href="javascript:void(0)">By Neighborhood</a></li>
		<li><a href="buildings.asp?by=quad">By Quadrant</a></li>				
		<li><a href="javascript:void(0)">By Building Type</a></li>
		<li><a href="javascript:void(0)">By Date</a></li>
		<li><a href="onamap1.asp">On a Map</a></li>
		<li><a href="javascript:void(0)">Lost Modern</a></li>
		<li><a href="javascript:void(0)">Endangered</a></li>
		<li><a href="javascript:void(0)">Properties for Sale</a></li>
		</ul></li>

	<li><a class="qmparent" href="javascript:void(0)">Events</a>

		<ul>
		<li><a href="current_events.asp">Current Events</a></li>
		<li><a href="past_events.asp">Past Events</a></li>
		</ul></li>

	<li><a class="qmparent" href="javascript:void(0)">Resources</a>

		<ul>
		<li><a class="qmparent" href="javascript:void(0)">Publications</a>

			<ul>
			<li><a href="publications.asp">Houston MOD</a></li>
			<li><a href="recommended.asp">Recommended</a></li>
			</ul></li>

		<li><a class="qmparent" href="javascript:void(0)">News Releases</a>

			<ul>
			<li><a href="news.asp">Current</a></li>
			<li><a href="news_archive.asp">Archive</a></li>
			</ul></li>

		<li><a href="press.asp">In the Press</a></li>
		<li><a href="links.asp">Links</a></li>
		</ul></li>

	<li><a class="qmparent" href="javascript:void(0);">Support</a>

		<ul>
		<li><a href="sponsors.asp">Sponsors</a></li>
		<li><a href="patrons.asp">Patrons</a></li>
		<li><a class="qmparent" href="join.asp">Join</a>

			<ul>
			<li><a href="benefits.asp">Benefits</a></li>
			</ul></li>

		<li><a href="volunteer.asp">Volunteer</a></li>
		<li><a href="subscribe.asp">Subscribe</a></li>
		</ul></li>

<li class="qmclear">&nbsp;</li></ul>

<!-- Create Menu Settings: (Menu ID, Is Vertical, Show Timer, Hide Timer, On Click, Right to Left, Horizontal Subs, Flush Left) -->
<script type="text/javascript">/* Initialise the QuickMenu bound to the "qm0" list: not vertical, no show delay, 500 ms hide delay, hover (not click) activation; argument order is given in the HTML comment above. */qm_create(0,false,0,500,false,false,false,false);</script></td>
			</tr>
			<tr>
				<td colspan="2" class="biggrey">Contact Information</td>
			</tr>
		</table>
<div class="mainarea">
		<table class="maintable">
			<tr>
				<td>Mailing Address:</td>
				<td>P. O. Box 541353<br>
				Houston, TX  77254-1353</td>
			</tr>
			<tr>
				<td>e-mail Address:</td>
				<td><a href="mailto:info@houstonmod.org">info@houstonmod.org</a></td>
			</tr>
			<tr>
				<td colspan="2"><img src="img/spacer.gif" width="50" height="20"></td>
			</tr>
			<tr>
				<td colspan="2">For more information, please complete the following form and a representative of HoustonMOD will contact you.</td>
			</tr>
			<tr>
				<td colspan="2"><img src="img/spacer.gif" width="50" height="20"></td>
			</tr>
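			<form method="post" action="procform2.asp" name="cf" onSubmit="return chk_form();">
			<%
			' Query-string values are reflected into the fields below so a link can
			' pre-fill the form. Each one goes through Server.HTMLEncode so that a
			' crafted link cannot break out of the attribute/textarea and inject
			' markup or script into this page (reflected XSS). procform2.asp must
			' validate the posted values again; the onSubmit check is client-side only.
			%>
			<tr>
				<td align="right">Name:&nbsp;</td>
				<td><input type="text" name="cname" class="pt8" size="30" value="<%= Server.HTMLEncode(Request.QueryString("cname")) %>"></td>
			</tr>
			<tr>
				<td align="right">Address:&nbsp;</td>
				<td><input type="text" name="addr" class="pt8" size="30" value="<%= Server.HTMLEncode(Request.QueryString("addr")) %>"></td>
			</tr>
			<tr>
				<td align="right">City, State, ZIP:&nbsp;</td>
				<td><input type="text" name="city" class="pt8" size="20" value="<%= Server.HTMLEncode(Request.QueryString("city")) %>">, <input type="text" name="state" class="pt8" size="2" <% if Request.QueryString("state") = "" then %>value="TX"<% else %>value="<%= Server.HTMLEncode(Request.QueryString("state")) %>"<% end if %>>&nbsp;&nbsp;<input type="text" name="zip" class="pt8" size="4" value="<%= Server.HTMLEncode(Request.QueryString("zip")) %>"></td>
			</tr>	
			<tr>
				<td align="right">Phone:&nbsp;</td>
				<td><input type="text" name="phone" class="pt8" size="10" value="<%= Server.HTMLEncode(Request.QueryString("phone")) %>"></td>
			</tr>			
			<tr>
				<td align="right">email:&nbsp;</td>
				<td><input type="text" name="email" class="pt8" size="40" value="<%= Server.HTMLEncode(Request.QueryString("email")) %>"></td>
			</tr>	
			<tr>
				<td align="right">Comment or Question:&nbsp;</td>
				<td><textarea name="mbody" class="pt8" cols="30" rows="5"><%= Server.HTMLEncode(Request.QueryString("mbody")) %></textarea></td>
			</tr>	
			<tr>
				<td colspan="2"><img src="img/spacer.gif" width="50" height="5"></td>
			</tr>	
			<tr>
				<td align="right">Form validation:&nbsp;</td>
				<td><%=recaptcha_challenge_writer(recaptcha_public_key)%></td>
			</tr>											
			<tr>
				<td colspan="2"><img src="img/spacer.gif" width="50" height="20"></td>
			</tr>
			<tr>
				<td colspan="2" align="center"><input type="submit" value="Submit" class="pt8"></td>
			</tr>															
			</form>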
		</table>
<!--#include file="reCaptcha.asp"-->		
<br>
</div>
</div>
</body>
</html>

File Recaptcha.asp
<%
' The code below supplied by Mark Short 

' Builds the markup that renders the reCAPTCHA widget; the caller writes the
' returned string where the challenge should appear (the "Form validation" row
' of the contact form). publickey is the site's public reCAPTCHA key.
' The output is: an options <script>, the challenge <script src=...>, and a
' <noscript> fallback (iframe + challenge textarea + hidden response field).
' NOTE(review): the challenge assets are fetched over plain http://; on an https
' page that is mixed content and the script can be altered in transit.
function recaptcha_challenge_writer(publickey) 
  Dim markup 
  ' Widget options: white theme, natural tab order. 
  markup = "<script type=""text/javascript"">" 
  markup = markup & "var RecaptchaOptions = {" 
  markup = markup & " theme : 'white'," 
  markup = markup & " tabindex : 0" 
  markup = markup & "};" 
  markup = markup & "</script>" 
  ' Challenge script, keyed by the public key. 
  markup = markup & "<script type=""text/javascript"" src=""http://api.recaptcha.net/challenge?k=" & publickey & """></script>" 
  ' No-JavaScript fallback. 
  markup = markup & "<noscript>" 
  markup = markup & "<iframe src=""http://api.recaptcha.net/noscript?k=" & publickey & """ frameborder=""1""></iframe><br>" 
  markup = markup & "<textarea name=""recaptcha_challenge_field"" rows=""3"" cols=""40""></textarea>" 
  markup = markup & "<input type=""hidden"" name=""recaptcha_response_field"" value=""manual_challenge"">" 
  markup = markup & "</noscript>" 
  recaptcha_challenge_writer = markup 
end function 

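' Verifies a submitted reCAPTCHA answer with the verify service.
'   privkey     - the site's reCAPTCHA private key
'   rechallenge - value of recaptcha_challenge_field posted by the form
'   reresponse  - value of recaptcha_response_field posted by the form
' Returns "" when the service answers "true", otherwise a non-empty string (the
' service's error line when one was returned). A reply that cannot be read is
' also reported as a failure, so a verifier outage never lets a post through.
function recaptcha_confirm(privkey,rechallenge,reresponse) 
  Dim VarString 
  ' Each value is URL-encoded so that "&" or "=" inside a submitted field cannot
  ' add or overwrite parameters in the verify request body.
  VarString = _ 
  "privatekey=" & Server.URLEncode(privkey) & _ 
  "&remoteip=" & Server.URLEncode(Request.ServerVariables("REMOTE_ADDR")) & _ 
  "&challenge=" & Server.URLEncode(rechallenge) & _ 
  "&response=" & Server.URLEncode(reresponse) 
  Dim objXmlHttp 
  Set objXmlHttp = Server.CreateObject("Msxml2.ServerXMLHTTP") 
  ' NOTE(review): the request, including the private key, travels over plain HTTP.
  objXmlHttp.open "POST", "http://api-verify.recaptcha.net/verify", False 
  objXmlHttp.setRequestHeader "Content-Type", "application/x-www-form-urlencoded" 
  objXmlHttp.send VarString 
  Dim ResponseString 
  ' The service answers with a status line ("true"/"false") and a detail line.
  ResponseString = split(objXmlHttp.responseText, vblf) 
  Set objXmlHttp = Nothing 
  ' Fail closed: an empty or truncated reply is reported as a failure instead of
  ' raising a subscript error (which, under On Error Resume Next in a caller,
  ' would have left the result "" and passed the check). The two marker strings
  ' below are local to this function, not reCAPTCHA error codes.
  if UBound(ResponseString) < 0 then 
    recaptcha_confirm = "verify-response-empty" 
  elseif ResponseString(0) = "true" then 
    ' They answered correctly 
    recaptcha_confirm = "" 
  elseif UBound(ResponseString) >= 1 then 
    ' They answered incorrectly; hand the service's detail line back 
    recaptcha_confirm = ResponseString(1) 
  else 
    recaptcha_confirm = "verify-response-malformed" 
  end if 
end function 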
%>


reasonable-garbage.jpg
Question by:Richard Korts
3 Comments

Accepted Solution

by:
R_Harrison earned 2000 total points
ID: 26198261
What protection do you have on "procform2.asp" - a hacker could easily create a form that submits directly to procform2.asp - thus avoiding your form and the recaptcha process.


Author Comment

by:Richard Korts
ID: 26202134
To R_Harrison:

That's a VERY good point. I'm not sure how I can do that, but that's DEFINITELY worth considering.  

I'm thinking of storing something in a Session variable at the beginning of the Contact form, then check to see if it's there in procform2.asp.  If not, reject it.

Think that would work?

Expert Comment

by:R_Harrison
ID: 26205105
If you created a random value, stored it in the session, and had the form post it to your processing page, which checks that the value from the form matches the session value, it should keep out most attempts, as a hacker would have to go and retrieve a new value every time, making it a slow process.

A better option would be to use a better captcha solution that can be run on the processing page, one example is http://www.webwizguide.com/webwizcaptcha/ and best of all its free!
