Testing the Security of Your Website – Part 2
Author: Gabriel Torres 12,960 views
Type: Tutorials Last Updated: October 24, 2013
Page: 2 of 4
Contact Forms

Contact forms keep your email address out of the page, so that address-harvesting software cannot collect it. If they are not built right, however, they expose the address anyway. Worse, if the script behind the form has a security flaw, attackers can exploit it and use your website to send out spam. This is a serious and, unfortunately, common problem: once your site is abused to send spam, your domain and your mail server can end up on blacklists quickly, and you will have trouble delivering legitimate email.

First, the basics. The HTML code of the contact form should not expose any email address. Figure 1 shows the code of a contact form on a website that has this problem. Notice, where we put the red arrows, that the destination email addresses are present in the HTML form. This means that when the user selects a “contact department”, the form itself does the conversion between “departments” and email addresses. This should not be done: anyone who views the page source, including a harvesting program, can read the addresses.

Figure 1: Email addresses exposed on a contact form

Instead, the HTML should carry only an alias (the “department” name), and the server-side script that receives the submitted data should map that alias to the appropriate email address and send the message. In other words, the conversion between an alias and an email address must be done behind the scenes, away from prying eyes. The script should also reject any alias it does not know, so that a visitor can never choose where the message goes.

Of course, you should not use an alias that is simply the first part of the email address, or an address that is easy to guess, as spamming software tries the obvious ones. For example, if you have a contact option (“department”) called “research,” do not create an email address called research@yoursite.com; it is too obvious and easy to guess.
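The following is an added example of a server-side handler that does what the two paragraphs above describe; it is not code from the article. The department-to-mailbox mapping lives only on the server, unknown aliases are refused, and every visitor-supplied value that ends up in a mail header is checked for embedded line breaks, since a line break in a header field is the usual way a sloppy form script is turned into a spam relay. The mailbox addresses, the sender address and the sample submissions are all constructed placeholders.

```python
"""Server-side contact form handler (added example, not the article's own code).

The HTML form carries only department aliases; the alias-to-mailbox mapping and
all validation live here on the server, where a visitor cannot see them.
All addresses below are hypothetical placeholders.
"""
import re
from email.message import EmailMessage

# Alias -> real mailbox. Kept out of the HTML, and the local parts are not
# simply the alias names, so they cannot be guessed from the form.
DEPARTMENTS = {
    "research": "rd-inbox-7f3a@example.com",
    "sales": "orders-desk-21@example.com",
    "support": "helpdesk-q9@example.com",
}

FORM_SENDER = "contact-form@example.com"   # fixed sender, never the visitor's address
_SINGLE_ADDRESS = re.compile(r"[^@\s<>,;]+@[^@\s<>,;]+\.[^@\s<>,;]+")


class RejectedSubmission(ValueError):
    """Raised for any submission the handler refuses to turn into mail."""


def resolve_department(alias):
    """Map a form alias to a real mailbox. Unknown aliases are refused rather
    than passed through, so a submitter can never pick the destination."""
    if alias not in DEPARTMENTS:
        raise RejectedSubmission("unknown department %r" % (alias,))
    return DEPARTMENTS[alias]


def header_value(value, max_len=200):
    """Return a value that is safe to place in a mail header. A CR or LF inside
    a visitor-supplied field would terminate the header and let the visitor
    append headers of their own (extra To/Cc/Bcc recipients)."""
    if not isinstance(value, str):
        raise RejectedSubmission("header field missing")
    if "\r" in value or "\n" in value:
        raise RejectedSubmission("line break in header field")
    value = value.strip()
    if not value or len(value) > max_len:
        raise RejectedSubmission("header field empty or too long")
    return value


def build_message(form):
    """Turn a submitted form (dict of field name -> str) into an EmailMessage."""
    to_addr = resolve_department(form.get("department"))
    reply_to = header_value(form.get("email"))
    if not _SINGLE_ADDRESS.fullmatch(reply_to):
        raise RejectedSubmission("reply address is not a single plain address")
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["From"] = FORM_SENDER
    msg["Reply-To"] = reply_to
    msg["Subject"] = "[contact form] " + header_value(form.get("subject"))
    # Visitor name and text go in the body only, where line breaks are harmless.
    body = "Name: %s\n\n%s" % (header_value(form.get("name")), form.get("message", ""))
    msg.set_content(body)
    return msg


def handle(form):
    """Accept or reject one submission.

    Returns ("accepted", mailbox) or ("rejected", reason)."""
    try:
        msg = build_message(form)
    except RejectedSubmission as exc:
        return ("rejected", str(exc))
    return ("accepted", str(msg["To"]))


# Constructed sample submissions, as the server sees them after decoding POST data.
GOOD_SUBMISSION = {
    "department": "research", "name": "Ann Example", "email": "ann@example.net",
    "subject": "Question about your benchmark",
    "message": "Hello,\nwhich driver version did you use?",
}
# Spam attempt: the subject smuggles extra recipients through an embedded line break.
INJECTED_SUBMISSION = dict(
    GOOD_SUBMISSION, subject="hello\r\nBcc: victim1@example.org, victim2@example.org")
# Another attempt: the alias is replaced by an arbitrary address, hoping the
# script forwards to whatever it is given.
REDIRECTED_SUBMISSION = dict(GOOD_SUBMISSION, department="victim@example.org")

if __name__ == "__main__":
    for label, form in [("good", GOOD_SUBMISSION), ("injected", INJECTED_SUBMISSION),
                        ("redirected", REDIRECTED_SUBMISSION)]:
        print(label, handle(form))
```

The example stops at building the message; handing it to an SMTP server is deliberately left out. Note that the visitor's address goes only into Reply-To, never into From: using the visitor's address as the sender makes your server forge mail for other people's domains, which is another route onto blacklists.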

The addition of a verification code to contact forms, known as a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), is a must. You have probably seen this a lot, either as an image with random letters and numbers that you must type in, or as a challenge question such as “what is the result of 1 + 1 - 2?” Its purpose is to stop spamming programs that submit your contact form automatically. Even if your contact form has no security flaw that lets spammers relay spam to other people through it, without a CAPTCHA you will receive a lot of spam submitted through the form to your own email address. Keep in mind that a simple arithmetic question only stops unsophisticated bots; a script written for your site can parse and solve it, so it should be combined with rate limiting.

Figure 2: Use of a CAPTCHA code
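As an added example (not code from the article), here is one way to implement the challenge-question kind of CAPTCHA described above. The detail worth showing is how the server knows the right answer when the form comes back: the expected answer must not be placed in the page, and keeping it in a server-side session is not always convenient, so the page carries a token that commits the server to the answer with an HMAC. The server secret is a hypothetical placeholder; the token lifetime is an assumed value.

```python
"""Arithmetic CAPTCHA for a contact form (added example, not the article's code).

The server issues a question such as "what is the result of 4 + 5 - 2?" together
with a token that commits it to the expected answer, so nothing has to be stored
between showing the form and receiving it. SERVER_SECRET is a placeholder; a real
deployment loads a random value from configuration.
"""
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = b"replace-with-a-long-random-value"   # placeholder
TOKEN_TTL_SECONDS = 600                               # assumed lifetime of a challenge


def _tag(issued, nonce, answer):
    """HMAC over issue time, nonce and the numeric answer."""
    payload = "%d:%s:%d" % (issued, nonce, answer)
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def make_challenge(operands=None, now=None):
    """Return (question, token).

    The token carries the issue time and a nonce in the clear plus the HMAC
    over (time, nonce, answer). The answer itself is not in the token, so the
    page source reveals nothing a bot can simply copy back."""
    if operands is None:
        operands = (secrets.randbelow(9) + 1, secrets.randbelow(9) + 1,
                    secrets.randbelow(10))
    a, b, c = operands
    question = "what is the result of %d + %d - %d?" % (a, b, c)
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    token = "%d:%s:%s" % (issued, nonce, _tag(issued, nonce, a + b - c))
    return question, token


def verify_answer(token, submitted, now=None):
    """True only if the submitted answer matches the one the token commits to
    and the token is still fresh. Every failure path returns False rather than
    raising, so a bot learns nothing about which check it tripped."""
    try:
        issued_s, nonce, tag = token.split(":")
        issued = int(issued_s)
        value = int(str(submitted).strip())
    except (ValueError, AttributeError):
        return False
    current = time.time() if now is None else now
    if not 0 <= current - issued <= TOKEN_TTL_SECONDS:
        return False
    return hmac.compare_digest(_tag(issued, nonce, value), tag)


if __name__ == "__main__":
    question, token = make_challenge()
    print(question)   # shown next to the answer field; token goes in a hidden field
    print(verify_answer(token, input("answer: ")))
```

Two caveats that apply to any stateless scheme like this: a token and its correct answer can be replayed until the token expires, so record used nonces (or bind the token to the session) if that matters for your form, and the answer range of a small arithmetic question is tiny, so the form still needs rate limiting per client to stop a bot from guessing.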

