Web form vulnerabilities

Web forms can be a very useful tool of website administration, providing various forms of feedback from website visitors. Unfortunately, this technology is also open to abuse and is often used in different ways to send spam.

A web form can be used to send spam to website owners, which leads to unnecessary time wasted on filtering out such messages. When visitors are allowed to leave messages on a website, spam often appears on these web pages instead.

Forum or guestbook spam is the most frequent example of this problem. A particularly serious situation occurs when a web form is vulnerable to HTML injection: attackers fill the form fields with specially formatted code and use the form to send spam to any email address connected with the website's domain name.

Spam bots

A large proportion of the malicious interference with web forms – which takes place on thousands of websites daily – is automated. Special programs known as spam bots crawl the web looking for web forms. Once a web form is detected, it is analyzed and then used many times over for a number of improper activities.

The mailboxes of website administrators have become overwhelmed with spam originating from these web forms. In addition, forums have become flooded with spam topics and spam messages. In turn, the website's domain ends up on spam blacklists because of the volume of spam email that recipients receive from it.

This troublesome situation is especially sensitive for commercial sites, where loss of time and reputation inevitably means loss of money.

Web Form Anti-Spam

A powerful new utility, Web Form Anti-Spam, has been designed to defend against attackers and spam bots. The software conceals one or several arbitrary sections of a web page, or even a whole page, to prevent it from being crawled and later used by spam bots.

The most effective feature of Web Form Anti-Spam is web form protection. The process is both simple and effective: the user pastes the web form's HTML code into the Web Form Anti-Spam window and presses the “Protect” button, then copies the obfuscated code and inserts it in place of the unprotected version.

When a visitor receives a page containing a protected web form, the client-side browser executes JavaScript that decodes the web form code and displays it to the visitor. Spam bots, however, do not execute JavaScript, as it is a computationally heavy task, especially in the age of Web 2.0, where many sites use scripts for a wide range of purposes. Spam bots therefore cannot operate as effectively if they must execute each script, compared with their usual method of simply analyzing the web page contents provided by the web server.

HTML code obfuscator “Web Form Anti-Spam”


Free Trial Download: 2.83 MB, ver. 1.00.0.40, 19 May 2009.
(for Windows 2000, Windows XP and Windows Vista)

Web Form Anti-Spam is available for Windows 2000/2003, Windows XP and Windows Vista.
The demo version is free to download and use for evaluation purposes for 15 days.

FrontPage web forms are vulnerable to spam bots

FrontPage Server Extensions is a widely used web-mastering tool that helps implement a range of common tasks without any server-side programming. Although Microsoft declared the end of FrontPage Server Extensions in 2006, the technology is effective enough that it remains popular.

One of the tasks of FrontPage Server Extensions is web form processing: the data a visitor types into a web form is saved and sent by email to the website administrator. Consequently, FrontPage web forms also suffer from spam bots.

However, there is a significant difference between an HTML web form and a FrontPage web form: the latter consists of special tags intended for the web server on which FrontPage Server Extensions are installed. Before transmitting such a page to the browser, FrontPage Server Extensions processes the tags and generates the final HTML page (containing a plain HTML web form), just as a programmer would have written it.

Protecting FrontPage web forms against spam bots

Because of these special tags, a FrontPage web form is harder to conceal with Web Form Anti-Spam. Decoding a FrontPage web form inside the browser would leave its server tags unprocessed, making the form inoperable. These tags are also required for the server to process the form fields sent back by the visitor. Hiding a FrontPage web form from spam bots would therefore also hide it from FrontPage Server Extensions, which is unacceptable.

Therefore, for Web Form Anti-Spam to protect a FrontPage web form from spam bots while keeping it functional, two copies of the web page containing the form are needed. The first, unprotected copy is placed on the server but should be reachable only by the web server itself. The easiest way to hide it is to give it an unpredictable filename (e.g. h1gj_43hg.htm) and to have no hyperlinks pointing to it.

When preparing this web page, place the Web Form Anti-Spam protection markers (<!-- WEBFORMANTISPAM BEGIN --> and <!-- WEBFORMANTISPAM END -->) before and after the <form>...</form> tags. This tells Web Form Anti-Spam which sections of the web page need to be protected.

After uploading the file to the server, open its address in Web Form Anti-Spam. The software loads the final HTML code of the page (i.e. after the web form has been processed by FrontPage Server Extensions). Clicking the “Protect” button in Web Form Anti-Spam applies obfuscation to the HTML code contained within the protection markers. The protected page should then be saved under the desired name of the web form page (e.g. contact.htm) and uploaded to the server.

This simple but clever procedure is all that is required to protect a FrontPage web form against spam bots. When a visitor fills in and submits the form, the submission is directed to the secret, unprotected copy of the page, and FrontPage Server Extensions can then process the data correctly. Meanwhile, website visitors (and spam bots) always receive the protected copy of the page: rendered by FrontPage Server Extensions first and only then protected with Web Form Anti-Spam.
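The following is an added example, not the Web Form Anti-Spam product's own code, showing both the client-side decoding idea described in the "Web Form Anti-Spam" section and the marker-based protection procedure above. It reads a page, finds every section between the <!-- WEBFORMANTISPAM BEGIN --> and <!-- WEBFORMANTISPAM END --> markers, replaces it with an encoded payload plus a small script that decodes it in the browser, and leaves no literal <form> markup in the served HTML. The XOR-plus-base64 encoding, the function names (protectPage, encodeFragment, decodeFragment, wfasDecode) and the sample page are assumptions made for this example; the unpredictable filename h1gj_43hg.htm is the page's own illustration.

```javascript
// Added example (not Web Form Anti-Spam's code): marker-based HTML obfuscator
// plus the browser-side decoder it emits. Run with Node.js.
const BEGIN_MARKER = '<!-- WEBFORMANTISPAM BEGIN -->';
const END_MARKER = '<!-- WEBFORMANTISPAM END -->';

// Assumed reversible transform: XOR the UTF-8 bytes with a repeating key, then base64.
// The key is embedded in the page, so this hides markup from crawlers; it is not secrecy.
function encodeFragment(html, key) {
  const bytes = Buffer.from(html, 'utf8');
  const out = Buffer.alloc(bytes.length);
  for (let i = 0; i < bytes.length; i++) out[i] = bytes[i] ^ key.charCodeAt(i % key.length);
  return out.toString('base64');
}

// Server-side reference implementation of the inverse transform (used to verify output).
function decodeFragment(b64, key) {
  const bytes = Buffer.from(b64, 'base64');
  const out = Buffer.alloc(bytes.length);
  for (let i = 0; i < bytes.length; i++) out[i] = bytes[i] ^ key.charCodeAt(i % key.length);
  return out.toString('utf8');
}

// The same inverse transform as browser JavaScript, emitted once into <head>.
const DECODER_JS =
  'function wfasDecode(b,k){var s=atob(b),u=new Uint8Array(s.length);' +
  'for(var i=0;i<s.length;i++){u[i]=s.charCodeAt(i)^k.charCodeAt(i%k.length);}' +
  'return new TextDecoder().decode(u);}';

function escapeRegExp(s) { return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); }

// Replace every marked section with a placeholder element and a script that decodes
// the fragment at load time. Returns the protected page and the number of sections.
function protectPage(html, key) {
  // The key is written into a JS string literal, so restrict it to alphanumerics.
  if (!/^[A-Za-z0-9]+$/.test(key)) throw new Error('key must be alphanumeric');
  let count = 0;
  const pattern = new RegExp(escapeRegExp(BEGIN_MARKER) + '([\\s\\S]*?)' + escapeRegExp(END_MARKER), 'g');
  const body = html.replace(pattern, (_m, fragment) => {
    const id = 'wfas-' + count++;
    const payload = encodeFragment(fragment, key); // base64 only: safe inside "..."
    return `<div id="${id}"></div><script>document.getElementById("${id}").innerHTML=` +
           `wfasDecode("${payload}","${key}");</script>`;
  });
  if (count === 0) return { html, count };
  // Assumes the page has a </head>; the decoder must precede its first use.
  return { html: body.replace('</head>', `<script>${DECODER_JS}</script></head>`), count };
}

// What a browser would do: pull each payload back out and decode it.
function extractPayloads(protectedHtml) {
  const re = /wfasDecode\("([^"]+)","([^"]+)"\)/g;
  const found = [];
  let m;
  while ((m = re.exec(protectedHtml)) !== null) found.push(decodeFragment(m[1], m[2]));
  return found;
}

// Constructed sample: the final HTML as the server would render it, with the form
// posting to the unlinked, unpredictably named copy that the server extensions process.
const SAMPLE_PAGE = `<html><head><title>Contact</title></head><body>
<h1>Contact us</h1>
<!-- WEBFORMANTISPAM BEGIN -->
<form method="post" action="h1gj_43hg.htm">
  <input type="text" name="email">
  <textarea name="message"></textarea>
  <input type="submit" value="Send">
</form>
<!-- WEBFORMANTISPAM END -->
</body></html>`;

if (typeof require !== 'undefined' && require.main === module) {
  const { html, count } = protectPage(SAMPLE_PAGE, 'k3y');
  console.log(count + ' section(s) protected; raw <form> present: ' + html.includes('<form'));
  console.log(html);
}
```

Any client that runs JavaScript, a headless browser included, sees the decoded form exactly as a visitor does, and the key sits in the page next to the payload; the technique only removes the form markup from what a crawler that parses raw server output gets to see, which is precisely the bot behaviour the text above relies on. The form's action attribute is inside the encoded fragment, so the name of the unprotected copy is hidden along with the rest of the form.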

Protecting web forms of other server-side extensions

The same web form protection technique with Web Form Anti-Spam can also be used for other server-side extensions, such as ColdFusion. The main principle is to keep an unprotected copy on the server, available to the server extensions, while giving visitors a protected copy of the final HTML page rendered by those extensions.

Stopping spam bots saves money

This simple approach combines the design and development simplicity of FrontPage web forms with the efficiency of Web Form Anti-Spam's protection against spam bots. The technology is invisible to visitors, who never have to solve CAPTCHA-like anti-spam challenges.

The software therefore provides a win-win situation for web administrators and visitors alike, ensuring a positive image and saving time and money. There is only one loser in the deal – the spam bot!

18 July 2008
Xander Zerge

FrontPage is a registered trademark of Microsoft Corporation in the United States and other countries.