ASP Form Obfuscation

Some time ago I received an email from a scammer looking to hijack my PayPal account. I could tell that the URLs had nothing to do with PayPal, but visually the phishing website itself was a dead ringer. I wondered just how many of the innocent and unaware this filthy coward would steal from before he was stopped. I think thieves are the worst sort of people and they disgust me, so I threw together a quick VB6 application that generated some very real-looking data and posted it to the website through Internet Explorer as fast as the site would accept it. Shortly after I had hammered in 275,000+ form submissions, the site went offline. While Scammer Hammer will never make it to the downloads section, the Classic ASP project it inspired can already be found there.

I had discovered that it was pretty easy to write a script to fill up a database. I didn’t want anyone doing the same to any legitimate form I put online so I wrote an ASP based form obfuscator to prevent such nastiness from happening to me.

Enter Nobots.

Nobots is a VBScript class designed to let you name your form and input elements dynamically. So name="login" becomes name="F02421" and name="passwd" becomes name="X5543". Even the submit button gets a new random name and/or id. The mapping of the input elements' real names to the dynamic names is stored in an encrypted hidden input called "xref" that is submitted along with the form; only the server holds the key, so the browser sees the random names but never the mapping.

Processing goes something like this: when the user requests the page, the input element names are added to the Nobots instance, and as each one is added you get back the dynamic name/id of that element to write into your form. Finally you write the Nobots xref hidden input (or store the mapping in session) and close your form.

An automated client never sees the same set of input names twice, nor the same form markup. Unless it can decrypt the xref field it cannot script a submission by field name in any meaningful way, because the names change on every render. To stop a bot writer from reusing one captured "set" of Nobots names, add a random number or timestamp key to the xref value each time and compare it to a value held in session when the form is submitted; if they don't match, the xref was lifted from an earlier render (or forged) and the post should be rejected. For the same reason xref should carry an integrity check (a MAC) as well as encryption: encryption hides the mapping, but only a MAC proves the mapping came from your server rather than from the submitter.
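The render-and-verify cycle described above, as an added example written in Python rather than the author's VBScript class (this code is not part of the original Nobots download). It assumes a plain dict standing in for the ASP Session object, a server-side secret key, and an HMAC-SHA256 encrypt-then-MAC construction for the xref value, chosen here so the example runs with the standard library alone; the 600-second form lifetime and the F/X/K/Q name prefixes are likewise assumed values.

```python
"""Nobots-style form obfuscation, server side (added Python example, not the
original VBScript class). Real field names are replaced by random ones; the
real->random map travels in an encrypted and MACed 'xref' value and is tied to
a per-form nonce kept in the session, so a captured xref cannot be replayed
and a forged or edited one is rejected."""
import base64, hashlib, hmac, json, os, secrets, time


class NobotsError(ValueError):
    """Raised when a submission's xref is missing, forged, stale or replayed."""


class Nobots:
    TTL = 600  # seconds a rendered form stays valid (assumed value)

    def __init__(self, key: bytes, now=time.time):
        self._key = key      # server-side secret; never written into the page
        self._now = now      # injectable clock so the expiry check is testable
        self._names, self._form_id, self._issued = {}, None, 0.0

    # --- page rendering -------------------------------------------------
    def begin(self, session: dict) -> None:
        """Start a new form: fresh per-form nonce, remembered in the session."""
        self._names = {}
        self._form_id = secrets.token_hex(8)
        self._issued = self._now()
        session["nobots_form_id"] = self._form_id

    def name(self, real: str) -> str:
        """Register a real input name; return the random name to put in the HTML."""
        while True:
            obf = secrets.choice("FXKQ") + f"{secrets.randbelow(100000):05d}"
            if obf != "xref" and obf not in self._names.values():
                break
        self._names[real] = obf
        return obf

    def xref(self) -> str:
        """Sealed map for <input type="hidden" name="xref" value="...">."""
        return self._seal({"id": self._form_id, "ts": self._issued, "map": self._names})

    # --- submission handling -------------------------------------------
    def unpack(self, session: dict, posted: dict) -> dict:
        """Translate a POST back to real field names, or raise NobotsError."""
        token = posted.get("xref")
        if token is None:
            raise NobotsError("xref missing")
        payload = self._open(token)                      # MAC checked here first
        expected = session.pop("nobots_form_id", None)   # one submission per render
        if expected is None or not hmac.compare_digest(payload["id"], expected):
            raise NobotsError("xref does not belong to this session (replay or forgery)")
        if self._now() - payload["ts"] > self.TTL:
            raise NobotsError("form expired")
        return {real: posted[obf] for real, obf in payload["map"].items() if obf in posted}

    # --- sealing: encrypt-then-MAC with HMAC-SHA256 (demonstration construction) ---
    def _keystream(self, nonce: bytes, n: int) -> bytes:
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(self._key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def _seal(self, payload: dict) -> str:
        nonce = os.urandom(16)
        plain = json.dumps(payload, separators=(",", ":")).encode()
        cipher = bytes(a ^ b for a, b in zip(plain, self._keystream(nonce, len(plain))))
        tag = hmac.new(self._key, b"xref" + nonce + cipher, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(nonce + cipher + tag).decode()

    def _open(self, token: str) -> dict:
        try:
            raw = base64.urlsafe_b64decode(token.encode())
        except ValueError:
            raise NobotsError("xref is not valid base64")
        if len(raw) < 16 + 32:
            raise NobotsError("xref too short")
        nonce, cipher, tag = raw[:16], raw[16:-32], raw[-32:]
        want = hmac.new(self._key, b"xref" + nonce + cipher, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, want):
            raise NobotsError("xref MAC mismatch: tampered or wrong key")
        plain = bytes(a ^ b for a, b in zip(cipher, self._keystream(nonce, len(cipher))))
        return json.loads(plain)


def safe_unpack(nb: Nobots, session: dict, posted: dict):
    """Handler-style wrapper: (fields, None) on success, (None, reason) on rejection."""
    try:
        return nb.unpack(session, posted), None
    except NobotsError as e:
        return None, str(e)


if __name__ == "__main__":
    nb, session = Nobots(os.urandom(32)), {}
    nb.begin(session)
    login, passwd = nb.name("login"), nb.name("passwd")
    print('<input name="%s"> <input name="%s"> <input type="hidden" name="xref" value="%s">'
          % (login, passwd, nb.xref()))
```

The HMAC keystream is a stand-in for brevity; a production form should seal xref with an authenticated cipher such as AES-GCM. The check order matters: the MAC is verified before the session nonce is consumed, so a garbage xref does not invalidate the user's real form, while a genuine xref is accepted exactly once and only within its lifetime.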

Of course no system is unbeatable. An attacker can simply drive your form through Internet Explorer, fill in the text fields positionally and even click your submit button based on the button's text. But there is more effort involved, and there are easier targets than an obfuscated form. Combine Nobots with a decent Captcha and a delay script and it goes a long way toward preventing bogus data attacks. If nothing else it will keep away the script kiddies.
