Re: Script Based Attacks & Form Hacks

[Christopher J Varenhorst <varenc () MIT EDU>]

To protect myself,

First, don't use javascript or anything client side for anything other than an
aid to the user.  If fields have a maximum length, have the application
"recheck".  If certain fields are required, don't rely on the client side
scripting to ensure that they've been filled out, recheck again.  Don't ever
pass sensitive information through hidden form elements, use session keys and 
store the information server side, just imagine the hidden form elements as a
visible textbox.  In short, don't expect the user will ever be limited by
anything client side.  That is one of the most common mistakes web app coders
can make.  Luckily, these types of flaws rarely result in much damage (although
there are dangerous exceptions)

As far as automated attacks go, HTTP is too slow for bruteforce password attacks
to be effective.  Automated form posting will fill server databases with
garbage, but I think its unlikely to bring the server to a standstill. (maybe
I'm wrong?) A straight out DOS attack would be more effective at that.  Some
http servers will even automatically block automated attacks like this.

Hope this helps,
Chris

Quoting Chad Maniccia <wopazar () gmail com>:

> Hi List,
>
> One thing I have not heard any one discuss is the use of automated
> scripts and form hacking. I could easily write a Java program to
> attack any ASP,JSP,PHP etc.. simply by viewing the page source to find
> the parameters the form processor will be looking for. You could use
> this to fill up some ones database with garbage bring the server to a
> standstill or worse yet bypass all the fancy javascript you had on the
> calling page. Some web applications actually use javascript to
> calcualte currency transactions.
>
> What ideas do you guys have to protect yourself from these?
>
>
> Thanks,
> Chad