Just thought of something, security issue


10 replies to this topic

#1 insrtsnhere13 (Advanced Member, 64 posts)

Posted 20 May 2006 - 02:10 AM

Hey guys, I just thought of an idea for form security. I don't think it could be nearly as good as a CAPTCHA image, but it's pretty good for basic protection from automatic form fillers.

Couldn't it be possible to have an extra form field which instructs the user to enter a number between a random pair of numbers that are within a certain range of each other?

i.e. two random numbers are selected within, say, 13 of each other: 26 and 39.

The form instructs users to enter a number between 26 and 39. When the user enters the number, it is compared with the two and if it is found to be between the two numbers, the form is verified and the information is allowed to be sent; if not, it is rejected and sent back with another set of random numbers.

Obviously the hole in this is that a person could just keep entering random numbers until they get it right, which is where bigger numbers come in.

I understand it might be a little less convenient than a CAPTCHA, but it seems a lot simpler to code.

Let me know what you think.

#2 yonta (Advanced Member, 70 posts)

Posted 20 May 2006 - 02:35 AM

Well, Chris Shiflett (http://shiflett.org/), who specialises in PHP security, has a basic spam prevention technique where he just asks you to write his name in an input box.

Your idea is kind of the same thing.


#3 insrtsnhere13 (Advanced Member, 64 posts)

Posted 20 May 2006 - 02:42 AM

Yeah, I mean, it really is a check-and-guess thing, but as long as the value remains the same it's a little easier to break; in my case the number values always change, therefore inputting random numbers would yield far fewer results.

#4 redarrow (Advanced Member, 7,308 posts, London)

Posted 20 May 2006 - 02:57 AM

***************************************************************************************

I thought I'd have my say on this, as I worked for 6 months on a solution to stop spamming on my website through forms.

From now on my guideline is that all users have to be registered users to send any information via a form.

If the user is a registered user, then at the bottom of the form the user has to enter their user password to send any data from any form.

I don't let anyone sign up for free anymore, as it encourages spamming problems with forms, so that's a no-no for me.

Also, when a user wants to sign up for my website services I use a PayPal IPN program and the user gets a generated random number; when that number is entered, they can fill in their details after payment.

I always make sure that a user is who they say they are before signing up or sending any information.

**************************************************************************************

When it comes to designing a free website for free users, I always use the CAPTCHA image code for the sign-up page and then use my password method.

CAPTCHA image code is more than a random number and has more security than using only a random number against the database, in my opinion, depending on what code you've got.

But I think your idea is on the same track as a CAPTCHA code, but I would also add more to it to check other criteria.

Good luck.

#5 shoz (Staff Alumni, Advanced Member, 600 posts)

Posted 20 May 2006 - 03:08 AM

[quote=insrtsnhere13]
The form instructs users to enter a number between 26 and 39. When the user enters the number, it is compared with the two and if it is found to be between the two numbers, the form is verified and the information is allowed to be sent; if not, it is rejected and sent back with another set of random numbers.
[/quote]

Unfortunately, after manually visiting your page to figure out the rules, it shouldn't be too difficult to spam it. There's nothing stopping someone from using their spamming tool to go through the page, automatically read the numbers and generate a valid result.

The reason why the CAPTCHAs using images are useful is the fact that it's difficult to write a program that can recognize the characters (numbers, letters etc) that are distorted in the picture.

http://en.wikipedia.org/wiki/Captcha
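What shoz describes above, as an added example that is not code from anyone in the thread: a tool fetches the form page, reads the instruction text the page itself prints, and derives an answer that passes the check. The HTML below is constructed for this demonstration; the prompt wording follows the "between 26 - 39" phrasing from post #1, and the field name `usernumber` and the action `contact.php` are assumptions, not taken from any real site.

```php
<?php
// Added example: automating the "enter a number between A - B" check
// by parsing the prompt out of the page, exactly as a human would read it.
declare(strict_types=1);

// Constructed sample of what a fetched form page might contain.
$fetchedPage = <<<'HTML'
<html><body>
<p>Please enter a number between 26 - 39 to prove you are human.</p>
<form method="POST" action="contact.php">
  <input type="text" name="usernumber">
  <input type="submit" name="submit" value="Submit">
</form>
</body></html>
HTML;

/**
 * Extract the two bounds from the instruction text.
 * Returns [low, high], or null if the page does not use the expected wording.
 */
function parseRange(string $html): ?array
{
    if (preg_match('/between\s+(\d+)\s*-\s*(\d+)/i', $html, $m) !== 1) {
        return null;
    }
    $low  = (int) $m[1];
    $high = (int) $m[2];
    return $low < $high ? [$low, $high] : null;
}

/**
 * Pick an answer strictly inside the range, which is what the form asks for.
 * With a gap of 13 there are 12 valid answers; any one of them passes.
 */
function pickAnswer(int $low, int $high): ?int
{
    if ($high - $low < 2) {
        return null; // no integer lies strictly between the bounds
    }
    return $low + 1;
}

$range = parseRange($fetchedPage);
if ($range === null) {
    fwrite(STDERR, "Prompt wording not recognised; nothing to automate.\n");
    exit(1);
}
[$low, $high] = $range;
$answer = pickAnswer($low, $high);

// The body a tool would POST back. It is built the same way a browser
// builds it, so the receiving script cannot tell the two apart.
$body = http_build_query(['usernumber' => $answer, 'submit' => 'Submit']);
echo "Parsed range {$low}..{$high}, answering {$answer}\n";
echo "POST body: {$body}\n";
```

The point is that the challenge is machine-readable by design: whatever the server does with the bounds, the prompt has to tell the visitor what they are, and a regular expression reads that prompt as easily as a person does.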

#6 dsk3801 (Newbie, 9 posts, Dallas, TX USA)

Posted 20 May 2006 - 04:55 AM

[quote=shoz @ May 19 2006, 10:08 PM]
Unfortunately, after manually visiting your page to figure out the rules, it shouldn't be too difficult to spam it. There's nothing stopping someone from using their spamming tool to go through the page, automatically read the numbers and generate a valid result.

The reason why the CAPTCHAs using images are useful is the fact that it's difficult to write a program that can recognize the characters (numbers, letters etc) that are distorted in the picture.

http://en.wikipedia.org/wiki/Captcha
[/quote]

I have to agree with this one. I also recently saw an article about using a 3x3 matrix (9 images), 3 of which were kittens and the rest weren't. The user had to click the 3 kittens before it would let them submit the form. Here's the link if you want to read it over:

http://www.thepcspy.com/articles/security/the_cutest_humantest_kittenauth

#7 insrtsnhere13 (Advanced Member, 64 posts)

Posted 20 May 2006 - 10:49 AM

Yeah, I knew this wasn't as good as a CAPTCHA code, but I think that for a minimum-threat-level site this would be more than enough to prevent someone from constantly spamming, or to stop a simple program.

#8 insrtsnhere13 (Advanced Member, 64 posts)

Posted 20 May 2006 - 11:19 AM

Went through this morning and wrote some code.
Here's what I came up with; I think it works pretty well!!

<?php
if (!isset($_POST['submit'])) {

    $number  = rand(0, 1000);
    $number2 = $number + 13;
    echo "Please enter a number greater than ".$number." and less than ".$number2;
?>
<form method="POST" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
<input type="text" name="usernumber" size="10">
<!-- the bounds are sent to the browser as hidden fields and read back on submit -->
<input type="hidden" name="number" value="<?php echo $number; ?>">
<input type="hidden" name="number2" value="<?php echo $number2; ?>">
<input type="submit" name="submit" value="Submit">
</form>
<?php
} else {
    $usernumber = $_POST['usernumber'];
    $number     = $_POST['number'];
    $number2    = $_POST['number2'];

    if ($usernumber > $number && $usernumber < $number2) {
        echo "Correct!! $usernumber is in between $number and $number2";
    } else {
        echo "Try again!!";
    }
}
?>


#9 shoz (Staff Alumni, Advanced Member, 600 posts)

Posted 20 May 2006 - 01:34 PM

[quote=insrtsnhere13]
Yeah, I knew this wasn't as good as a CAPTCHA code, but I think that for a minimum-threat-level site this would be more than enough to prevent someone from constantly spamming, or to stop a simple program.
[/quote]

It wouldn't take a very complicated script to spam the site. The way you have it coded now means that the numbers are user-submitted values, so the tool can send whatever numbers it likes.

Keep in mind that I'm not trying to discourage you. It's a good thing to be thinking about ways to secure your site and you should continue doing so.

The "d" from the fread line has been removed to allow the post to the forum to go through.
<?php
$host = 'yoursite.com';
$path = '/path/to/script.php';
$content = 'usernumber=1&number=0&number2=2&submit=Submit';
$length = strlen($content);

// Without this Content-Type header PHP will not populate $_POST on the receiving end.
$header = "POST $path HTTP/1.0\r\n"
        ."Host: $host\r\n"
        ."Content-Type: application/x-www-form-urlencoded\r\n"
        ."Content-Length: $length\r\n"
        ."Connection: close\r\n"
        ."\r\n"
        ."$content";
$fp = fsockopen($host, 80, $errno, $errstr, 15);
if (!$fp)
{
    print "couldn't connect<br />\n";
    exit;
}
if (FALSE === fwrite($fp, $header))
{
    print "couldn't write to socket<br />\n";
    exit;
}
$output = '';
while (!feof($fp))
{
    // the original post spelled this "frea" to get past the forum's filter; the call is fread
    $output .= fread($fp, 2048);
}
fclose($fp);
print $output;
?>
EDIT: Btw, I do realize that you're saying that you're not trying to come up with a solution as effective as a CAPTCHA, but I think you're also saying that you don't want to come up with a solution that's very easy to break either.

#10 insrtsnhere13 (Advanced Member, 64 posts)

Posted 21 May 2006 - 03:17 AM

[quote=shoz @ May 20 2006, 09:34 AM]
It wouldn't take a very complicated script to spam the site. The way you have it coded now means that the numbers are user-submitted values, so the tool can send whatever numbers it likes.

Keep in mind that I'm not trying to discourage you. It's a good thing to be thinking about ways to secure your site and you should continue doing so.

The "d" from the fread line has been removed to allow the post to the forum to go through.
<?php
$host = 'yoursite.com';
$path = '/path/to/script.php';
$content = 'usernumber=1&number=0&number2=2&submit=Submit';
$length = strlen($content);

// Without this Content-Type header PHP will not populate $_POST on the receiving end.
$header = "POST $path HTTP/1.0\r\n"
        ."Host: $host\r\n"
        ."Content-Type: application/x-www-form-urlencoded\r\n"
        ."Content-Length: $length\r\n"
        ."Connection: close\r\n"
        ."\r\n"
        ."$content";
$fp = fsockopen($host, 80, $errno, $errstr, 15);
if (!$fp)
{
    print "couldn't connect<br />\n";
    exit;
}
if (FALSE === fwrite($fp, $header))
{
    print "couldn't write to socket<br />\n";
    exit;
}
$output = '';
while (!feof($fp))
{
    // the original post spelled this "frea" to get past the forum's filter; the call is fread
    $output .= fread($fp, 2048);
}
fclose($fp);
print $output;
?>
EDIT: Btw, I do realize that you're saying that you're not trying to come up with a solution as effective as a CAPTCHA, but I think you're also saying that you don't want to come up with a solution that's very easy to break either.
[/quote]

Uhhh... I'm not quite sure, but I don't think this has anything to do with my post, other than the info at the top about not trying to discourage me. In regards to the script being able to enter whatever number it wants: since the numbers are randomly generated, a random number generator wouldn't work, unless the script was actually made for this specific code. And yes, this is not maximum-security code, just a thought on security that's a little easier to understand than a CAPTCHA.


#11 shoz (Staff Alumni, Advanced Member, 600 posts)

Posted 21 May 2006 - 04:52 AM

[quote=insrtsnhere13]
$usernumber = $_POST['usernumber'];
$number     = $_POST['number'];
$number2    = $_POST['number2'];
[/quote]

All of the above are user-submitted values. That means that someone can send any numbers they choose. The code I posted is an example to demonstrate that.

[quote=insrtsnhere13]
In regards to the script being able to enter whatever number it wants: since the numbers are randomly generated, a random number generator wouldn't work, unless the script was actually made for this specific code.
[/quote]

I don't quite follow the comment about being "made for this specific code", but no numbers are being randomly generated in the script I posted. The same numbers will be sent each time the script is run, and with success, because as mentioned previously it's the user that determines what numbers are sent.

[quote=insrtsnhere13]
This is not maximum-security code, just a thought on security that's a little easier to understand than a CAPTCHA.
[/quote]

Only you can tell how difficult you want to make the process of spamming your site. From your posts, however, I've gotten the impression that you think the code is more effective than it is, which is why I've tried to show the problems with it.

The use of sessions should allow the idea, as I think you see it, to be realized. Using sessions should allow you to truly control what the number range is.

EDIT: Clicking "Refresh/Reload" in your browser after submitting should also demonstrate the problem in another way.
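The session-based version shoz points to, as an added example rather than code from anyone in the thread: the bounds from post #8 are kept server-side instead of in hidden fields, only `usernumber` is read from the request, and the stored range is consumed on every attempt so a refreshed POST cannot be replayed. The functions take the session as an array so the file runs from the command line with `php`; in a real page you would pass `$_SESSION` after `session_start()`. The fixed range used for the forged-request case (500..513) is a test fixture, not something the original code does.

```php
<?php
// Added example: the range check with its bounds held in the session.
declare(strict_types=1);

const RANGE_GAP = 13; // same gap as the original idea

/**
 * Generate a fresh challenge, store the bounds server-side and return the
 * prompt to print. $low may be pinned for testing; normally it is random.
 */
function issueChallenge(array &$session, ?int $low = null): string
{
    $low  = $low ?? random_int(0, 1000);
    $high = $low + RANGE_GAP;
    $session['range'] = ['low' => $low, 'high' => $high];
    return "Please enter a number greater than {$low} and less than {$high}";
}

/**
 * Validate a submission. Only 'usernumber' is read from the request; the
 * bounds come from the session, so hidden fields named number/number2 in the
 * POST body are ignored. The stored range is cleared on every attempt, so a
 * resubmitted (refreshed) POST or a guess cannot be replayed against it.
 */
function checkAnswer(array &$session, array $post): bool
{
    if (!isset($session['range'])) {
        return false; // no outstanding challenge for this visitor
    }
    ['low' => $low, 'high' => $high] = $session['range'];
    unset($session['range']); // one-time use

    // Reject anything that is not a plain integer ("26abc", "", arrays, ...).
    $answer = filter_var($post['usernumber'] ?? null, FILTER_VALIDATE_INT);
    if ($answer === false) {
        return false;
    }
    return $answer > $low && $answer < $high;
}

// --- demonstration with constructed requests -------------------------------
$session = [];

// 1. The forged request from post #9 against a pinned range of 500..513:
//    the number/number2 fields carry no weight and usernumber=1 is out of range.
echo issueChallenge($session, 500), "\n";
$forged = ['usernumber' => '1', 'number' => '0', 'number2' => '2', 'submit' => 'Submit'];
echo 'forged hidden fields: ', checkAnswer($session, $forged) ? "accepted\n" : "rejected\n";

// 2. An honest answer to a fresh, random challenge.
echo issueChallenge($session), "\n";
$honest = ['usernumber' => (string) ($session['range']['low'] + 1), 'submit' => 'Submit'];
echo 'honest answer:        ', checkAnswer($session, $honest) ? "accepted\n" : "rejected\n";

// 3. The same POST again, which is what a browser Refresh after submitting does.
echo 'replayed answer:      ', checkAnswer($session, $honest) ? "accepted\n" : "rejected\n";
```

The form itself shrinks to the `usernumber` text box and the submit button; the hidden `number` and `number2` inputs go away because the server no longer trusts the client to tell it what the range was. Note what this does and does not fix: it closes the forgery shoz demonstrated, but the prompt still tells every visitor, human or script, exactly which numbers are acceptable.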



