Multiple Form Submissions
Posted: Fri Feb 19, 2010 7:19 am
by timWebUK
Hi,
I've been looking into spam prevention on forms to prevent multiple requests being made to the form... captchas, throttling, banning IPs etc.
However, I don't understand how they can make so many requests at once to a form and populate it? Obviously they don't use AJAX as that doesn't work across different domains, my field names aren't populated via $_GET. Just an understanding would be helpful if someone could let me know.
Re: Multiple Form Submissions
Posted: Fri Feb 19, 2010 10:47 am
by flying_circus
Hey Tim,
Can you tell us more about what safeguards are already in place in your forms? Are you sure the requests received are actually coming directly from your form and are not forged?
This is something I'm interested in as well.

Re: Multiple Form Submissions
Posted: Fri Feb 19, 2010 11:59 am
by timWebUK
Well it was a completely hypothetical question, I'm not getting any problems. I was more interested in how they actually do it, I mean, I know there is JavaScript injection that can be used to populate a form, but how can this be automated and called many times when AJAX just doesn't work cross domains unless specified?
In answer to your question, what I have on my forms is an anti-CSRF token currently generated upon form loading, also an HTTP Referer check (I know this is easily forged, but another layer is always good... going by 'defense in depth' I read in a book by Chris Shiflett.) Currently I have a 6 character captcha as well generated from a substr of an MD5 hash of a random number - this is there on every form submittal but I'm going to look into causing it to appear after several form submittals from the same IP.
Re: Multiple Form Submissions
Posted: Sat Feb 20, 2010 3:52 am
by kaisellgren
timWebUK wrote: I don't understand how they can make so many requests at once to a form and populate it?
Opening sockets to your server and sending POST requests. Crackers do not necessarily use the web browser to send requests.
Re: Multiple Form Submissions
Posted: Sat Feb 20, 2010 5:37 pm
by timWebUK
Ah thanks, I was unfamiliar with sockets. I'll have a look into them! Seems quite interesting stuff.
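
The server-side checks discussed in this thread (a per-session form token, then a captcha once one IP has submitted several times), as an added example that is not code from any poster; the function names, limits and demo values are assumptions. Every check runs on the server, so it applies the same way whether the POST comes from a browser or from a raw socket.

```php
<?php
// Added example: names, limits and demo values are assumptions, not from the thread.
const WINDOW_SECONDS   = 600; // look-back window for counting POSTs per IP
const FREE_SUBMISSIONS = 3;   // POSTs allowed per window before a captcha is required

// Called when the form is rendered: bind a fresh random token to the session.
function issue_token(array &$session): string
{
    $session['csrf'] = bin2hex(random_bytes(32));
    return $session['csrf'];
}

// Called on every POST. Returns 'accept', 'reject' or 'captcha'.
// $hits maps IP => timestamps; in production it lives in shared storage, not an array.
function check_submission(array &$session, array &$hits, string $ip,
                          string $token, bool $captchaSolved, int $now): string
{
    // Count every POST from this IP in a sliding window, valid or not.
    $recent = array_filter($hits[$ip] ?? [], fn($t) => $t > $now - WINDOW_SECONDS);
    $recent[] = $now;
    $hits[$ip] = array_values($recent);

    // The token must equal the one issued to this session and is single-use.
    $expected = $session['csrf'] ?? '';
    unset($session['csrf']);
    if ($expected === '' || !hash_equals($expected, $token)) {
        return 'reject';
    }

    // Past the free allowance, only a server-verified captcha lets the POST through.
    if (count($recent) > FREE_SUBMISSIONS && !$captchaSolved) {
        return 'captcha';
    }
    return 'accept';
}

// Constructed demo: one client (documentation address) posting repeatedly.
$session = []; $hits = []; $ip = '203.0.113.7';
// POST sent without loading the form first: no token was ever issued.
echo 'no form load: ', check_submission($session, $hits, $ip, 'guess', false, 1000), "\n";

// Form loaded each time, so the token is valid; the per-IP count still escalates.
for ($i = 1; $i <= 4; $i++) {
    $token = issue_token($session);
    echo "post $i: ", check_submission($session, $hits, $ip, $token, false, 1000 + $i), "\n";
}
// Replaying the last token fails because it was consumed on first use.
echo 'replay: ', check_submission($session, $hits, $ip, $token, false, 1010), "\n";
```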