Click here to Skip to main content
Click here to Skip to main content

Prevent attacks on your website

, 6 Jul 2005
Rate this:
Please Sign up or sign in to vote.
Using a simple example, I'll explain how to prevent a program that can register thousands of dummy users to your database and play with your database and application performance.

Introduction

There are many ways of attacking a website like SQL injection, by injecting script, Session hacking etc. And you'll get lot of articles at CodeProject about this. In this article, I am trying to explain the use of CAPTCHA (I am not going to explain what CAPTCHA is ... search it on CodeProject or Google if you have not implemented it.) to avoid registration of dummy users to your database by a computer program. Using a simple example, I'll explain how any program can register thousands of dummy users to your database and play with your database and application performance.

A sample application which can spoil your website:

Here we are going to create a Windows application and execute out a test. We'll use classic COM AxSHDocVw.AxWebBrowser control, along with MSHTML which provides Internet Explorer with complete HTML Document Object Model parsing.

In this example, we are using the following Windows ActiveX objects.

  • mshtml.tlb
  • SHDocVw.dll

You can find them in your “windows/system32” directory.

Steps we are going to perform:

  • Step 1 - Grab the registration page using the WebBrowser Control.
  • Step 2 - Using MSHTML we can locate various form fields of the registration page.
  • Step 3 - Generate random fields.
  • Step 4 - Submit the field values to the website for registration.

and we are going to repeat step 3 and 4 infinite times Smile | :)

Let us assume that a website is having a registration form with the following text fields.

  • UserId
  • First Name
  • Last Name
  • Password
  • Confirm Password

And a Submit button. Find the IDs of each field. Open the registration page in your normal browser and using View Source find the ID of each field.

Now let us go to the coding part of this application.

Load the registration page to the WebBrowser at the form load.

private void Form1_Load(object sender, System.EventArgs e)
{
    //get the registrations page URL
    string url="http://localhost:8181/TestApplication1/Registration.aspx";

    Object o = null;

    //fetch the page to your web browser.
    WebBrowser1.Navigate(url, ref o, ref o, ref o, ref o);
}

Now execute the code to register infinite users.

private void btnRegisterClick_Click(object sender, System.EventArgs e)
{
    // use the HTMLDocument interface of mshtml to simulate the registration process
    mshtml.HTMLDocument obj;
    string tempGuid,userId,firstName,LastName,password=string.Empty;
    //execute an infinite loop
    while(true)
    {
        try
        {
            //get the random values for this user
            tempGuid=System.Guid.NewGuid().ToString();
            userId=tempGuid.Substring(0,9);
            firstName=tempGuid.Substring(3,12);
            LastName=tempGuid.Substring(11,10);
            password=tempGuid.Substring(10,8);
            // assign the values to the form fields.
            obj=(mshtml.HTMLDocument)WebBrowser1.Document;
            obj.getElementById("txtUserId").innerText=userId;
            obj.getElementById("txtFirstName").innerText=firstName;
            obj.getElementById("txtLastName").innerText=LastName;
            obj.getElementById("txtPassword").innerText=password;
            obj.getElementById("txtConfirmPassword").innerText=password;

            // find the submit button to post the information to the website
            // execute the click of the submit button to post the information
            obj.getElementById("btnSubmit").click();
            // Note if you can't find the submit button
            // by id then use the following approach
            // find it by index in the entire HTMLDocument
            /*
               mshtml.HTMLInputElement objbut;
               objbut=(mshtml.HTMLInputElement)obj.all.item("submit",0);
               objbut.click();
            */
        }
        catch
        {
            // failed :(
            // no problem we'll try again( try try until the site die ..)
        }
    }

I think the code above is self explanatory.

Let’s come to the solution part

To avoid this type of attacks on our website we need to allow only human users for registration not a computer program. The best approach for this is to write distorted text on the fly to an image and let the registrant identify the text written on the image so that every human can read that text. It’s very hard to read a distorted text written on an image by a computer application as explained above.

Sample screenshot

A vulnerable registration form.

Sample screenshot

More secured registration form.

To know more about CAPTCHA, you can browse The CAPTCHA Project. And to implement CAPTCHA in your web application, you can take the help of various articles published at CodeProject about CAPTCHA.

Conclusion

By this article, I just want to show that we should consider such small things to avoid big disasters later.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Share

About the Author

Prakash Kalakoti
Technical Lead
India India
Its me Smile | :)

Comments and Discussions

 
GeneralWebBrowser Auto Confirm dialog PinmemberSolitonAU20-Feb-09 2:10 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Mobile
Web02 | 2.8.140814.1 | Last Updated 7 Jul 2005
Article Copyright 2005 by Prakash Kalakoti
Everything else Copyright © CodeProject, 1999-2014
Terms of Service
Layout: fixed | fluid