Getting through captcha
Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz CAPTCHA
Forum Description: Support forum for the Web Wiz CAPTCHA security image.
URL: https://forums.webwiz.net/forum_posts.asp?TID=27931
Printed Date: 28 March 2026 at 2:24am Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com
Topic: Getting through captcha
Posted By: freakyfred
Subject: Getting through captcha
Date Posted: 11 October 2009 at 6:48pm
Replies:
Posted By: freakyfred
Date Posted: 11 October 2009 at 6:55pm
I'm using this line of code
elseIf Request("CAPTCHA_Postback") AND blnCAPTCHAcodeCorrect = False Then response.write("The Captcha code is incorrect")
elseif
execute email code here
Surely then it should trip on that before it reaches the emailing bit?
|
Posted By: 123Simples
Date Posted: 11 October 2009 at 7:01pm
I'm not sure freakyfred but I know Scotty32 and Bruce will have a better answer, but I'm guessing it should say:
If Request("CAPTCHA_Postback") AND blnCAPTCHAcodeCorrect = False Then
    Response.Write("The Captcha code is incorrect")
Else
    ' execute email code here
End If
|
Posted By: 123Simples
Date Posted: 11 October 2009 at 7:02pm
Also, try using Javascript on your form to help cut down on automated submissions
------------- Visit 123 Simples Web Design (http://www.123simples.com/)
|
Posted By: freakyfred
Date Posted: 11 October 2009 at 8:01pm
Posted By: WebWiz-Bruce
Date Posted: 12 October 2009 at 11:10am
Are you using CDOSYS to send the email?
If so you need to parse the data submitted.
For example, you can include 100s of email addresses separated by a semicolon in the subject line, and CDOSYS will send the email to each of these email addresses.
You can prevent this by parsing the data submitted for the subject line, shortening the length to, say, 100 characters and removing any semicolons (;).
Using JavaScript to validate the form, or using the size of a textbox, will not work as these are both client side and can easily be changed by turning off JavaScript in the browser and using a browser plugin to modify the form input fields.
------------- Web Wiz Forums Hosting (https://www.webwiz.net/web-wiz-forums/forum-hosting.htm) - ASP.NET Web Hosting (https://www.webwiz.net/web-hosting/windows-web-hosting.htm)
|
Posted By: freakyfred
Date Posted: 12 October 2009 at 11:33am
Posted By: WebWiz-Bruce
Date Posted: 12 October 2009 at 12:23pm
Unless you have modified the CAPTCHA code they would only be able to submit the once before having to generate a new CAPTCHA code and entering it to be able to submit again.
It could well be that they are only submitting once to send the email 100's of times. I can see from your code that you are not parsing the user input and only using Request to get the data.
This is very dangerous as the data can be submitted using either GET or POST; also, you are not parsing it to remove any malicious code.
The person submitting the malicious code could easily send a request to the server that contained 100s of email addresses. Most mail servers, if they receive a list of email addresses separated by a semicolon, will send that email to ALL those email addresses in the list.
You should rewrite your code to only allow submissions using POST from a form. You should then also parse the data to remove any malicious code such as semicolons from the email_to field and also any tags < and > from all the fields submitted.
This is the very least you should do to remove any malicious code as there are lots of different hacking techniques to get mail servers to relay on 1000s of emails just from a single form submission.
|
Posted By: freakyfred
Date Posted: 12 October 2009 at 12:59pm
Posted By: WebWiz-Bruce
Date Posted: 12 October 2009 at 1:54pm
The CAPTCHA code is stored in a session; once this has been submitted the session variable is destroyed, so you have to generate a new CAPTCHA code and submit it again.
The JavaScript they use doesn't matter at all. The problem is your own code you posted before; it is VERY dangerous for the reason that I listed earlier, as you do not parse the user submitted data before you use it.
You need to go back to your own code and parse each and every piece of data submitted, removing any malicious code before you use it. This has to be done server side, not using JavaScript.
You should never use Request("xxx") directly; you should always place this into a variable and then parse the variable for malicious code before you use it.
|
Posted By: freakyfred
Date Posted: 12 October 2009 at 1:57pm
|
I think I know where you are coming from. Thanks for your help.
|
Posted By: WebWiz-Bruce
Date Posted: 12 October 2009 at 2:01pm
This being for email, pay particular attention to removing semicolons (;) as this can be used to list multiple email addresses for a single submission hack that will relay to 1000s of email addresses in one go.
|
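Added example (not code from any poster in this thread): one way to apply the server-side handling described in the replies above in classic ASP, accepting POST only, copying each field into a variable and cleaning it before CDOSYS sees it. The field names subject and message, the length limits other than 100, and the sender address are assumptions; blnCAPTCHAcodeCorrect is the flag from the original post, and the sketch goes slightly beyond the thread by also stripping commas and line breaks, which act as recipient and header separators in the same way semicolons do.

```vbscript
<%
' Added example. Limits other than the 100-character subject are assumptions.
Const MAX_SUBJECT = 100, MAX_ADDRESS = 254, MAX_BODY = 4000

' Strip characters that let one field become extra headers or recipients,
' then truncate. CR/LF and "," are handled in addition to ";" and "<" ">".
Function CleanHeaderField(strInput, intMaxLen)
    Dim strOut
    strOut = Trim(strInput & "")
    strOut = Replace(strOut, vbCr, "")
    strOut = Replace(strOut, vbLf, "")
    strOut = Replace(strOut, ";", "")
    strOut = Replace(strOut, ",", "")
    strOut = Replace(strOut, "<", "")
    strOut = Replace(strOut, ">", "")
    CleanHeaderField = Left(strOut, intMaxLen)
End Function

' Body text keeps its line breaks but loses tag characters.
Function CleanBody(strInput, intMaxLen)
    CleanBody = Left(Replace(Replace(strInput & "", "<", ""), ">", ""), intMaxLen)
End Function

Dim strSubject, strEmailTo, strMessage, objMail

' Refuse anything that is not a form POST.
If UCase(Request.ServerVariables("REQUEST_METHOD")) <> "POST" Then
    Response.Status = "405 Method Not Allowed"
    Response.End
End If

' Request.Form reads only the POST body; bare Request("x") also accepts
' the query string. Field names here are assumed.
strSubject = CleanHeaderField(Request.Form("subject"), MAX_SUBJECT)
strEmailTo = CleanHeaderField(Request.Form("email_to"), MAX_ADDRESS)
strMessage = CleanBody(Request.Form("message"), MAX_BODY)

If Not blnCAPTCHAcodeCorrect Then
    ' An unset flag also lands here, so the check fails closed.
    Response.Write("The Captcha code is incorrect")
ElseIf InStr(strEmailTo, "@") < 2 Or InStr(strEmailTo, " ") > 0 Then
    Response.Write("Please enter a single valid email address")
Else
    Set objMail = Server.CreateObject("CDO.Message")
    objMail.From = "webform@example.com"   ' placeholder sender address
    objMail.To = strEmailTo                ' one cleaned address only
    objMail.Subject = strSubject
    objMail.TextBody = strMessage
    objMail.Send
End If
%>
```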
Posted By: freakyfred
Date Posted: 12 October 2009 at 2:35pm
|
It doesn't work like that, it uses numbers, but I have removed all requests from the main parts.
|
|