Andy17, posted April 8, 2010 (https://forums.phpfreaks.com/topic/198006-web-forms-security/):

Hey guys, I couldn't find a security section, so I'll go ahead and post in this one. I am fully aware of the basic security precautions with regard to input fields and "get" (from the URL). However, apart from inserting HTML/CSS/JavaScript code into a text field and changing the look of a website, I am interested in knowing what else is possible; I know how to protect my site from this, but I would also like to know exactly which threats I am protecting my site from. I am not asking you to tell me how to hack a website; I am just interested in knowing what else is possible for hackers to take advantage of if I did not deal with JavaScript code insertion in my text fields (I assume JavaScript is what is used the most?).

Say I have a login form on my website with unprotected fields, but no "gets" in my URL (forgot if there is another name for it, but no ?var=value in the URL) - which opportunities does the hacker have? Would it be possible to steal people's account information by providing them with a link with code in it if the site does not use "get"? Or some other way?

Thanks in advance!
JonnoTheDev, posted April 8, 2010:

It is known as cross site scripting (XSS). Basically injecting parameters or code into forms / urls to alter the functionality of a website. XSS attacks can also include SQL injection that may give the attacker data from your tables including user passwords or the ability to delete records or bypass login forms to protected areas.
Andy17 (author), posted April 8, 2010:

> It is known as cross site scripting (XSS). Basically injecting parameters or code into forms / urls to alter the functionality of a website. XSS attacks can also include SQL injection that may give the attacker data from your tables including user passwords or the ability to delete records or bypass login forms to protected areas.

Yes, I read a bit about it, but I found myself unsure what could actually be done to harm the website, because what I could think of would not really harm the website or the visitors (I am really a newbie at security, so I am not able to abuse open doors). I forgot to add "except SQL injections", but thanks for bringing it up. Could you please mention a few things that could be exploited with an insecure form?

Thanks for the reply.
Daniel0, posted April 8, 2010:

> It is known as cross site scripting (XSS). Basically injecting parameters or code into forms / urls to alter the functionality of a website. XSS attacks can also include SQL injection that may give the attacker data from your tables including user passwords or the ability to delete records or bypass login forms to protected areas.

XSS and SQL injection are two entirely different attack vectors. A website isn't necessarily vulnerable to SQL injections if it's vulnerable to XSS or vice versa.
JonnoTheDev, posted April 8, 2010:

> XSS and SQL injection are two entirely different attack vectors. A website isn't necessarily vulnerable to SQL injections if it's vulnerable to XSS or vice versa.

OK, yes, but as security is the general topic you should factor in preventative measures for both.

> Could you please mention a few things that could be exploited with an insecure form?

If the form processing code also sends emails then your form could be used for spam. If the processing code saves information to a database then you are open to SQL injection. Also, you often see CAPTCHA used on submission forms where the data is saved to your database and posted on your website, such as social bookmarking or article submission. This is a measure to prevent automated programs submitting spam to your website to gain backlinks.
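To make the distinction drawn in this thread concrete, here is an added example (not code from any poster) of a login handler in which the SQL injection defence, the XSS defence and the mail-header check are three separate controls. The user table, the names and the plaintext password column are constructed for the demonstration only.

```python
import html
import sqlite3


def make_db():
    # Constructed in-memory table standing in for the site's user database.
    # Passwords are stored in plaintext here only to keep the example short.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return db


def login_unsafe(db, name, password):
    # Vulnerable: form input is pasted into the SQL text, so the input can
    # change the meaning of the query. This is the SQL injection vector that
    # lets a login form be bypassed or table data be read.
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return db.execute(sql).fetchone() is not None


def login_safe(db, name, password):
    # Hardened: placeholders keep the input as data; the query text is fixed.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone() is not None


def render_greeting(name):
    # The XSS defence is independent of the SQL defence: whatever was stored,
    # escape it on output so it cannot become markup or script in a visitor's
    # browser.
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


def build_mail_headers(sender):
    # A contact form that relays mail must reject line breaks in any value that
    # ends up in a header; otherwise extra headers and recipients could be added
    # and the form used for spam.
    if "\r" in sender or "\n" in sender:
        raise ValueError("line break in header field")
    return f"From: {sender}\r\nSubject: Contact form"


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR 1=1 --"  # constructed input that comments out the password check
    print(login_unsafe(db, crafted, "anything"))  # True: the login is bypassed
    print(login_safe(db, crafted, "anything"))    # False: treated as a literal name
    print(render_greeting("<script>"))            # <p>Welcome, &lt;script&gt;</p>
```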