Click here to Skip to main content
13,300,654 members (54,035 online)
Click here to Skip to main content
Add your own
alternative version


44 bookmarked
Posted 6 Jul 2005

Prevent attacks on your website

, 6 Jul 2005
Rate this:
Please Sign up or sign in to vote.
Using a simple example, I'll explain how to prevent a program that can register thousands of dummy users to your database and play with your database and application performance.


There are many ways of attacking a website like SQL injection, by injecting script, Session hacking etc. And you'll get lot of articles at CodeProject about this. In this article, I am trying to explain the use of CAPTCHA (I am not going to explain what CAPTCHA is ... search it on CodeProject or Google if you have not implemented it.) to avoid registration of dummy users to your database by a computer program. Using a simple example, I'll explain how any program can register thousands of dummy users to your database and play with your database and application performance.

A sample application which can spoil your website:

Here we are going to create a Windows application and execute out a test. We'll use classic COM AxSHDocVw.AxWebBrowser control, along with MSHTML which provides Internet Explorer with complete HTML Document Object Model parsing.

In this example, we are using the following Windows ActiveX objects.

  • mshtml.tlb
  • SHDocVw.dll

You can find them in your “windows/system32” directory.

Steps we are going to perform:

  • Step 1 - Grab the registration page using the WebBrowser Control.
  • Step 2 - Using MSHTML we can locate various form fields of the registration page.
  • Step 3 - Generate random fields.
  • Step 4 - Submit the field values to the website for registration.

and we are going to repeat step 3 and 4 infinite times :)

Let us assume that a website is having a registration form with the following text fields.

  • UserId
  • First Name
  • Last Name
  • Password
  • Confirm Password

And a Submit button. Find the IDs of each field. Open the registration page in your normal browser and using View Source find the ID of each field.

Now let us go to the coding part of this application.

Load the registration page to the WebBrowser at the form load.

private void Form1_Load(object sender, System.EventArgs e)
    //get the registrations page URL
    string url="http://localhost:8181/TestApplication1/Registration.aspx";

    Object o = null;

    //fetch the page to your web browser.
    WebBrowser1.Navigate(url, ref o, ref o, ref o, ref o);

Now execute the code to register infinite users.

private void btnRegisterClick_Click(object sender, System.EventArgs e)
    // use the HTMLDocument interface of mshtml to simulate the registration process
    mshtml.HTMLDocument obj;
    string tempGuid,userId,firstName,LastName,password=string.Empty;
    //execute an infinite loop
            //get the random values for this user
            // assign the values to the form fields.

            // find the submit button to post the information to the website
            // execute the click of the submit button to post the information
            // Note if you can't find the submit button
            // by id then use the following approach
            // find it by index in the entire HTMLDocument
               mshtml.HTMLInputElement objbut;
            // failed :(
            // no problem we'll try again( try try until the site die ..)

I think the code above is self explanatory.

Let’s come to the solution part

To avoid this type of attacks on our website we need to allow only human users for registration not a computer program. The best approach for this is to write distorted text on the fly to an image and let the registrant identify the text written on the image so that every human can read that text. It’s very hard to read a distorted text written on an image by a computer application as explained above.

Sample screenshot

A vulnerable registration form.

Sample screenshot

More secured registration form.

To know more about CAPTCHA, you can browse The CAPTCHA Project. And to implement CAPTCHA in your web application, you can take the help of various articles published at CodeProject about CAPTCHA.


By this article, I just want to show that we should consider such small things to avoid big disasters later.


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Prakash Kalakoti
India India
Its me Smile | :)

You may also be interested in...


Comments and Discussions

GeneralGood Article Pin
mad4tech7-Jul-05 1:56
sussmad4tech7-Jul-05 1:56 
GeneralRe: Good Article Pin
Prakash Kalakoti7-Jul-05 4:11
memberPrakash Kalakoti7-Jul-05 4:11 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

Permalink | Advertise | Privacy | Terms of Use | Mobile
Web02 | 2.8.171207.1 | Last Updated 7 Jul 2005
Article Copyright 2005 by Prakash Kalakoti
Everything else Copyright © CodeProject, 1999-2017
Layout: fixed | fluid