Testing the Security of Your Website – Part 2
Author: Gabriel Torres 10,817 views
Type: Tutorials Last Updated: October 24, 2013
Page: 2 of 4
Contact Forms

Contact forms prevent spamming software from collecting your email address. However, if they are not built right, they can expose your email address anyway. And if the script behind the contact form has a security flaw, hackers can exploit it and use your website to send out spam. This is a very serious and, unfortunately, common problem. If your website is hacked to send out spam, in a matter of minutes your domain will be blacklisted and you will have trouble sending legitimate emails.

First, let’s talk about the basics. The HTML code of the contact form should not expose any email address. In Figure 1, you can see the code of a contact form on a website that has this problem. Notice, where we put the red arrows, how the destination email addresses are present in the HTML form. This means that when the user selects a “contact department”, the form is the one doing the conversion between “departments” and email addresses. This should not be done: as explained, the email addresses are publicly exposed this way.

Figure 1: Email addresses exposed on a contact form

Instead, the email address should be kept out of the HTML code, and the server-side script that receives the form data should decode the request and deliver the message to the appropriate email address. In other words, the conversion between an alias (“department”) and an email address must be done behind the scenes, away from prying eyes.

Of course, you should not use an alias that is just the first part of the email address, or use an obvious email address, as these are too easy for spamming software to guess. For example, if you have a contact option (“department”) called “research,” do not create an email address called research@yoursite.com; this is too obvious and easy to guess.
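As an added example (this is not code from the original article), the following Python stands in for whatever language the server-side form handler is written in. It shows the Figure 1 pattern beside the corrected form, a check you can run over your own contact page's HTML to confirm that no address is visible, and the server-side alias lookup with a fixed recipient. The two form snippets, the alias table, the mailbox names and the field limits are all constructed for illustration; the handler also rejects line breaks in single-line header fields, one common way a flawed script lets a submitter add recipients of their own.

```python
"""Keeping mailbox addresses out of a contact form.

Added example; this is not code from the original article. The two form
snippets, the alias table, the mailbox names and the field limits are all
constructed for illustration. Python stands in for whatever server-side
language the form handler is written in.
"""
import re

# The pattern from Figure 1: the destination addresses sit in the option
# values, so anything that fetches the page can harvest them.
VULNERABLE_FORM = """<form action="/contact" method="post">
  <select name="to">
    <option value="sales@example.com">Sales</option>
    <option value="research@example.com">Research</option>
  </select>
</form>"""

# The corrected pattern: the form carries only an alias. The alias is
# resolved to a mailbox on the server, in DEPARTMENTS below.
SAFE_FORM = """<form action="/contact" method="post">
  <select name="department">
    <option value="sales">Sales</option>
    <option value="research">Research</option>
  </select>
</form>"""

# Alias -> mailbox. Lives only on the server. The mailbox names are
# deliberately not derived from the alias, so knowing the alias "research"
# does not let anyone guess the address (constructed names).
DEPARTMENTS = {
    "sales": "k7x2q@example.com",
    "research": "lab-intake-91@example.com",
}

_ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
_CRLF = re.compile(r"[\r\n]")
_SENDER = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def find_exposed_addresses(html):
    """Return every email address visible in a page's HTML, in order.

    Run this over your own contact page: the expected result is an empty list.
    """
    return _ADDRESS.findall(html)


class FormError(ValueError):
    """Submission rejected; nothing is sent."""


def build_message(fields):
    """Validate a submitted form and return what the mailer should send.

    Resolves the department alias server-side, fixes the recipient to the
    table entry, and rejects fields that would let the submitter alter the
    outgoing mail (a CR or LF in a single-line header field is how extra
    recipient headers get appended, which turns the form into a spam relay).
    """
    alias = fields.get("department", "")
    if alias not in DEPARTMENTS:
        raise FormError("unknown department")
    sender = fields.get("from", "").strip()
    subject = fields.get("subject", "").strip()
    body = fields.get("body", "")
    for name, value in (("from", sender), ("subject", subject)):
        if _CRLF.search(value):
            raise FormError("line break in " + name)
    if not _SENDER.match(sender) or len(sender) > 254:
        raise FormError("invalid sender address")
    if not 0 < len(subject) <= 200:
        raise FormError("subject missing or too long")
    if not 0 < len(body) <= 5000:
        raise FormError("body missing or too long")
    return {
        "to": DEPARTMENTS[alias],  # the only place the mailbox appears
        "reply_to": sender,        # mail goes out from the site's own address; the visitor goes in Reply-To
        "subject": subject,
        "body": body,
    }


def accepts(fields):
    """True if build_message would send the submission (convenience for checks)."""
    try:
        build_message(fields)
        return True
    except FormError:
        return False
```

The recipient comes only from the table, never from the request, so a submitter cannot redirect the message; a department value that is itself an address is simply an unknown alias. Sending the mail from the site's own address and putting the visitor in Reply-To keeps the visitor-supplied string out of the From header altogether.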

Adding a verification code to contact forms, also known as a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), is a must. You have probably seen this a lot, either as an image with random letters and numbers that you must type in or as a challenge question such as “what is the result of 1 + 1 - 2?” It is there to stop spamming programs that try to send out spam in an automated way through your contact form. Even if your contact form has no security flaw that lets spammers use it to send spam to other people, without a CAPTCHA you will still receive a lot of spam in your own mailbox through the form.

Figure 2: Use of a CAPTCHA code

    © 2004-14, Hardware Secrets, LLC. All rights reserved.