Testing the Security of Your Website – Part 2
Author: Gabriel Torres
Type: Tutorials Last Updated: October 24, 2013
Page: 2 of 4
Contact Forms

Contact forms keep spamming software from harvesting your email address. Built badly, though, they expose the address anyway, and if the script behind the form has a security flaw, attackers can exploit it and use your website to send out spam. This is a very serious and, unfortunately, common problem: once your site is abused to send spam, your domain will be blacklisted within minutes and you will have trouble delivering legitimate email.

First, the basics. The HTML code of the contact form should not expose any email address. Figure 1 shows the code of a contact form with this problem: where we placed the red arrows, the destination email addresses appear in the HTML form itself. This means that when the visitor selects a “contact department”, the form is the one converting “departments” into email addresses, and anyone who views the page source, including a harvesting bot, gets the addresses. This should not be done: as explained, the email addresses are publicly exposed this way.

Figure 1: Email addresses exposed on a contact form

Instead, the HTML should carry only an alias, and the script that receives the submission should translate that alias into the real address and deliver the message. In other words, the conversion between an alias (“department”) and an email address must be done behind the scenes, away from prying eyes.

Of course, the alias should not simply be the first part of the email address, and the address itself should not be an obvious one, since both are too easy for spamming software to guess. For example, if you have a contact option (“department”) called “research,” do not create an email address called; this is too obvious and easy to guess.
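The two checks described above, written out as an added example (this is not the article’s own code, and the script on the original site is not shown): a scanner that reports any email address visible in a form’s HTML (the Figure 1 problem), and a handler that keeps the alias-to-address table on the server, rejects aliases that are not in that table, and refuses any header field containing a line break. That last check matters because the classic flaw in contact-form scripts is header injection: a CR/LF in a user-supplied subject or address lets the sender append extra To, Cc or Bcc headers and turn the form into an open spam relay. All addresses, the department names and the sample HTML below are constructed placeholders.

```python
import re
from email.message import EmailMessage

# Server-side mapping from the public alias the form submits to the real mailbox.
# Only the aliases on the left ever appear in the HTML; the addresses on the right
# stay on the server. Constructed placeholder addresses, deliberately not guessable
# from the alias.
DEPARTMENTS = {
    "sales": "s4l3s-inbox@example.com",
    "support": "helpdesk-7f2@example.com",
    "research": "lab-contact-q9@example.com",
}

SITE_SENDER = "contact-form@example.com"   # fixed From address, never user-supplied

_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
_EMAIL_IN_HTML_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample forms: the first leaks addresses the way Figure 1 does,
# the second submits only aliases.
LEAKY_FORM_HTML = """<select name="to">
<option value="sales@example.com">Sales</option>
<option value="research@example.com">Research</option>
</select>"""

CLEAN_FORM_HTML = """<select name="department">
<option value="sales">Sales</option>
<option value="research">Research</option>
</select>"""


def exposed_addresses(form_html):
    """Return the email addresses visible in a form's HTML; a clean form returns []."""
    return sorted(set(_EMAIL_IN_HTML_RE.findall(form_html)))


class FormError(ValueError):
    """Raised for any submission that must not be turned into a message."""


def _header_value(value, field, max_len=200):
    # Anything that goes into a mail header must be a single line: a CR or LF
    # lets the sender append extra To/Cc/Bcc headers (header injection).
    if not isinstance(value, str) or "\r" in value or "\n" in value or "\x00" in value:
        raise FormError(f"{field}: control characters not allowed")
    value = value.strip()
    if not value or len(value) > max_len:
        raise FormError(f"{field}: empty or too long")
    return value


def build_message(form):
    """Turn a submitted form dict into an EmailMessage addressed behind the scenes.

    The alias is looked up in the server-side allowlist; the visitor never
    supplies a destination address. Raises FormError on anything unsafe.
    """
    alias = _header_value(form.get("department", ""), "department", 40).lower()
    if alias not in DEPARTMENTS:
        raise FormError("department: unknown")   # unknown aliases are rejected, never used as addresses
    reply_to = _header_value(form.get("email", ""), "email")
    if not _ADDR_RE.match(reply_to):
        raise FormError("email: not a valid address")
    subject = _header_value(form.get("subject", ""), "subject")
    body = form.get("message", "")
    if not isinstance(body, str) or not body.strip() or len(body) > 5000:
        raise FormError("message: empty or too long")

    msg = EmailMessage()
    msg["From"] = SITE_SENDER          # the visitor's address goes in Reply-To, not From
    msg["Reply-To"] = reply_to
    msg["To"] = DEPARTMENTS[alias]     # resolved server-side; the browser never saw it
    msg["Subject"] = f"[{alias}] {subject}"
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    print("leaky form exposes:", exposed_addresses(LEAKY_FORM_HTML))
    print("clean form exposes:", exposed_addresses(CLEAN_FORM_HTML))
    ok = build_message({"department": "sales", "email": "visitor@example.org",
                        "subject": "Quote", "message": "Hello"})
    print("delivered to:", ok["To"])
    try:
        build_message({"department": "sales", "email": "visitor@example.org",
                       "subject": "Hi\r\nBcc: victim@example.net", "message": "spam"})
    except FormError as e:
        print("rejected:", e)
```

To test a live site the same way, fetch the contact page and run `exposed_addresses` over its HTML; then submit a subject containing `%0D%0ABcc:` followed by an address you control and check whether a copy arrives. A form that passes both is doing the alias conversion on the server and is not injectable through its header fields.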

Adding a verification code to contact forms, also known as a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), is a must. You have probably seen them many times, either as an image with random letters and numbers that you must type back, or as a challenge question such as “what is the result of 1 + 1 - 2?” The CAPTCHA stops programs that try to submit your contact form automatically. Even if your contact form has no flaw that lets spammers relay mail to other people through it, without a CAPTCHA your own mailbox will receive a lot of spam submitted through the form.

Figure 2: Use of a CAPTCHA code
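The challenge-question kind of CAPTCHA from the paragraph above, as an added example rather than code from the article or from any CAPTCHA product: the server generates a small arithmetic question and hands the browser a token that binds a random nonce, the issue time and an HMAC of the expected answer, so the answer can be checked later without storing anything in a session. The function names, the `SECRET` constant and the ten-minute lifetime are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

# Server-side key; constructed for the example, in practice loaded from configuration.
SECRET = b"example-only-captcha-key-change-me"
TTL_SECONDS = 600   # a challenge is valid for ten minutes


def _mac(nonce, issued, answer):
    # The answer is folded into the MAC but never into the token itself, so the
    # browser gets nothing it can read the answer out of.
    data = f"{nonce}|{issued}|{answer}".encode()
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest()


def new_challenge(now=None, rng=secrets.randbelow):
    """Return (question, token) for a fresh arithmetic challenge.

    `now` and `rng` are parameters only so the behaviour can be fixed in tests;
    the defaults use the clock and a CSPRNG.
    """
    now = int(time.time()) if now is None else int(now)
    a, b, c = (rng(9) + 1 for _ in range(3))      # operands 1..9
    subtract = rng(2) == 1
    answer = a + b - c if subtract else a + b + c
    question = f"What is {a} + {b} {'-' if subtract else '+'} {c}?"
    nonce = secrets.token_hex(8)
    token = f"{nonce}.{now}.{_mac(nonce, now, answer)}"
    return question, token


def verify_answer(token, submitted, now=None, used=None):
    """Check a submitted answer against its token.

    `used` is an optional set of nonces already accepted; passing one blocks
    replaying a solved challenge within its lifetime.
    """
    now = int(time.time()) if now is None else int(now)
    try:
        nonce, issued, mac = token.split(".")
        issued = int(issued)
        answer = int(submitted.strip())
    except (ValueError, AttributeError):
        return False
    if not 0 <= now - issued <= TTL_SECONDS:      # expired, or issued "in the future"
        return False
    if used is not None and nonce in used:
        return False
    if not hmac.compare_digest(mac, _mac(nonce, issued, answer)):
        return False
    if used is not None:
        used.add(nonce)
    return True


if __name__ == "__main__":
    question, token = new_challenge()
    print(question)
    print("token:", token)
    print("wrong answer accepted?", verify_answer(token, "999"))
```

Two caveats a practitioner should keep in mind. The answer space of an arithmetic question is tiny (here at most 27 values), so an attacker who can submit freely will guess it in a few dozen tries: rate-limit submissions per token and per client, and treat this kind of CAPTCHA as a filter for dumb bots only, as the article’s own wording suggests. And a stateless token can be replayed until it expires, which is why `verify_answer` takes a set of consumed nonces; without that, solving one challenge lets a bot submit the form for the next ten minutes.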
