Jump to content

Archived

This topic is now archived and is closed to further replies.

insrtsnhere13

Just thought of something, security issue

Recommended Posts

Hey guys, I just thought of any idea for form security, I dont think it could be nearly as good as a CAPTCHA image but its pretty good for basic protection from automatic form fillers.

Couldnt it be possible to have an extra form field, which instructs the user to enter a number between a random set of numbers that are within a certain range of each other..

ie.. two random numbers are selected within say.. 13 numbers of each other. 26 and 39

the form instructs users to enter a number between 26 - 39. When the user enters the number, it is compared with the two and if it is found to be between the two numbers, the form is verified and the information is allowed to be sent, if not, it is rejected and is sent back with another set of random numbers..

obviously the hole in this is that a person could just keep entering random numbers until they get it right.. which is where bigger numbers come in.

i understand it might be a little less convienient then a CAPTCHA but its seems a lot simpler to code

let me know what you think

Share this post


Link to post
Share on other sites
Well, [a href=\"http://shiflett.org/\" target=\"_blank\"]Chris Shiflet[/a] who specialises in php security has a basic spam prevention technique where he just asks to write his name in an input box.

Your idea is kind of the same thing.

Share this post


Link to post
Share on other sites
Yea, I mean, it really is a check and guess thing, but as long as the value remains the same, its a little easier to break, in my case, the number values always change.. there for inputting random numbers would yield far less results

Share this post


Link to post
Share on other sites
***************************************************************************************

I thort i have my say on this, As i worked for 6 months on the solution to solve spamming on my website throw forms.

From know onwards my guidelines are that all users have to be a registered user to send any information via a form.

If the user is a registered user then at the bottom of the form the user has to enter there user password to send any data from any form.

I dont let anyone sign up for free anymore as it encourage spamming problams with forms so that a nono for me.

Also when a user wants to signup for my website services i use a paypal ipn program and the user gets a generated random number when that number is entered then they can fill in there details afther payment.

I am always to be sure to be sure that a user is who they say they are before signing up or sending any information.

**************************************************************************************

When it comes to designing a free website for free users, I always use the CAPTCHA image code for the sign up page and then use my password method.

CAPTCHA image code is more then a random number and has more securty then using only a random number aginst the database in my option depending on what code you got.

But i think your idear is on the same tracks as a CAPTCHA code but i would also add more to it to check other critira.

Good luck.








Share this post


Link to post
Share on other sites
[quote]
the form instructs users to enter a number between 26 - 39. When the user enters the number, it is compared with the two and if it is found to be between the two numbers, the form is verified and the information is allowed to be sent, if not, it is rejected and is sent back with another set of random numbers..
[/quote]
Unfortunately after manually visiting your page to figure out the rules, it shouldn't be too difficult to spam it. There's nothing stopping someone from using their spamming tool to go through the page and automatically look at the numbers to generate a valid result.

The reason why the CAPTCHAs using images are useful is the fact that it's difficult to write a program that can recognize the characters (numbers, letters etc) that are distorted in the picture.

[a href=\"http://en.wikipedia.org/wiki/Captcha\" target=\"_blank\"]http://en.wikipedia.org/wiki/Captcha[/a]

Share this post


Link to post
Share on other sites
[!--quoteo(post=375434:date=May 19 2006, 10:08 PM:name=shoz)--][div class=\'quotetop\']QUOTE(shoz @ May 19 2006, 10:08 PM) [snapback]375434[/snapback][/div][div class=\'quotemain\'][!--quotec--]
Unfortunately after manually visiting your page to figure out the rules, it shouldn't be too difficult to spam it. There's nothing stopping someone from using their spamming tool to go through the page and automatically look at the numbers to generate a valid result.

The reason why the CAPTCHAs using images are useful is the fact that it's difficult to write a program that can recognize the characters (numbers, letters etc) that are distorted in the picture.

[a href=\"http://en.wikipedia.org/wiki/Captcha\" target=\"_blank\"]http://en.wikipedia.org/wiki/Captcha[/a]
[/quote]

Have to agree with this one. I also recently saw an article about using a 3x3 matrix (9 images), 3 of which were kittens and the rest weren't. The user had to click the 3 kittens before it would let them submit the form. Here's the link if you want to read it over -

[a href=\"http://www.thepcspy.com/articles/security/the_cutest_humantest_kittenauth\" target=\"_blank\"]http://www.thepcspy.com/articles/security/...test_kittenauth[/a]

Share this post


Link to post
Share on other sites
yea, i knew this wasnt as good as a captcha code but i think that for a minimum threat level site, this would be more then enough to prevent someone from costantly spamming, or stop a simple program

Share this post


Link to post
Share on other sites
went through this morning and wrote some code..
heres what I came up with, I think it works pretty good!!

[code]
<?php
if(!isset($_POST[submit])) {

$number = rand(0, 1000);
$number2 = $number + 13;
echo "Please enter a number greater than ".$number." and less than ".$number2;
?>
<form method="POST" action="<?php $_SERVER["PHP_SELF"] ?>"
<input type="text" name="usernumber" size="10">
<input type="hidden" name="number" value="<?php echo "$number"; ?>"
<input type="hidden" name="number2" value="<?php echo "$number2"; ?>"
<input type="submit" name="submit" value="Submit">
</form>
<?php
}else{
  $usernumber = $_POST['usernumber'];
  $number = $_POST['number'];
  $number2 = $_POST['number2'];
  
  if ($usernumber > $number && $usernumber < $number2) {
    echo "Correct!! $usernumber is inbetween $number and $number2";
}else { echo "Try again!!"; }
}
?>
[/code]

Share this post


Link to post
Share on other sites
[quote]
yea, i knew this wasnt as good as a captcha code but i think that for a minimum threat level site, this would be more then enough to prevent someone from costantly spamming, or stop a simple program
[/quote]
It wouldn't take a very complicated script to spam the site. The way you have it coded now means that the numbers are user submitted values. So, the tool can send whatever numbers it likes.

Keep in mind that I'm not trying to discourage you. It's a good thing to be thinking about ways to secure your site and you should continue doing so.

The "d" from the fread line has been removed to allow the post to the forum to go through.
[code]
<?php
$host = 'yoursite.com';
$path = '/path/to/script.php';
$content = 'usernumber=1&number=0&number2=2&submit=Submit';
$length = strlen($content);

$header = "POST $path HTTP/1.0\r\n"
        ."Host: $host\r\n"
        ."Content-Length: $length\r\n"
        ."Connection: close\r\n"
        ."\r\n"
        ."$content";
$fp = fsockopen($host, 80, $errno, $errstr, 15);
if(!$fp)
{
    print "couldn't connect<br />\n";
    exit;
}
if (FALSE === fwrite($fp, $header))
{
    print "couldn't write to socket<br />\n";
    exit;
}
$output = '';
while (!feof($fp) )
{
     //The "d" from the end of fread has been removed here
    $output .= frea($fp, 2048);
}
print $output;

?>
[/code]
EDIT: Btw, I do realize that you're saying that you're not trying to come up with a solution as effective as a CAPTHA but I think you're also saying that you don't want to come up with a solution thats very easy to break either.

Share this post


Link to post
Share on other sites
[!--quoteo(post=375493:date=May 20 2006, 09:34 AM:name=shoz)--][div class=\'quotetop\']QUOTE(shoz @ May 20 2006, 09:34 AM) [snapback]375493[/snapback][/div][div class=\'quotemain\'][!--quotec--]
It wouldn't take a very complicated script to spam the site. The way you have it coded now means that the numbers are user submitted values. So, the tool can send whatever numbers it likes.

Keep in mind that I'm not trying to discourage you. It's a good thing to be thinking about ways to secure your site and you should continue doing so.

The "d" from the fread line has been removed to allow the post to the forum to go through.
[code]
<?php
$host = 'yoursite.com';
$path = '/path/to/script.php';
$content = 'usernumber=1&number=0&number2=2&submit=Submit';
$length = strlen($content);

$header = "POST $path HTTP/1.0\r\n"
        ."Host: $host\r\n"
        ."Content-Length: $length\r\n"
        ."Connection: close\r\n"
        ."\r\n"
        ."$content";
$fp = fsockopen($host, 80, $errno, $errstr, 15);
if(!$fp)
{
    print "couldn't connect<br />\n";
    exit;
}
if (FALSE === fwrite($fp, $header))
{
    print "couldn't write to socket<br />\n";
    exit;
}
$output = '';
while (!feof($fp) )
{
     //The "d" from the end of fread has been removed here
    $output .= frea($fp, 2048);
}
print $output;

?>
[/code]
EDIT: Btw, I do realize that you're saying that you're not trying to come up with a solution as effective as a CAPTHA but I think you're also saying that you don't want to come up with a solution thats very easy to break either.
[/quote]

Uhhh.. im not wuite sure, but i dont think this has anything to do with my post.. other than the info at the top about not trying to discourage me, and in regards to the script being able to enter whatever number it wants, since the numbers are randomly generated, a random number generator wouldnt work.. unless the script was actually made for this specific code.. and yes, this is not a maximum security code, just a thought on security thats a little easier to understand than a captcha

Share this post


Link to post
Share on other sites
[quote]
[code]
$usernumber = $_POST['usernumber'];
$number = $_POST['number'];
$number2 = $_POST['number2'];
[/code]
[/quote]
All of the above are user submitted values. That means that someone can send any numbers they choose. The code posted is an example to demonstrate that.
[quote]
and in regards to the script being able to enter whatever number it wants, since the numbers are randomly generated, a random number generator wouldnt work.. unless the script was actually made for this specific code.
[/quote]
I don't quite follow the comment about being "made for this specific code", but no numbers are being randomly generated in the script I posted. The same numbers will be sent each time the script is run and with success because as mentioned previously, it's the user that determines what numbers are sent.
[quote]
this is not a maximum security code, just a thought on security thats a little easier to understand than a captcha
[/quote]
Only you can tell how difficult you want to make the process of spamming your site. From your posts however, I've gotten the impression that you think the code is more effective than it is. Which is why I've tried to show the problems with it.

The use of sessions should allow the idea as I think you see it, to be realized. Using sessions should allow you to truly control what the number range is.

EDIT: Clicking "Refresh/Reload" in your browser should also demonstrate the problem in another way.

Share this post


Link to post
Share on other sites

×

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.