-
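Help: a simple ASP request form (sending email) is under malicious attack. Every minute I receive a form submission; the content looks real, with different names and addresses, but two required fields in the form are blank, so someone is definitely messing with it. I thought about it all night and don't know what to do. The web site has been taken down for now. I suspect someone is calling the backend script directly to submit the form. How can ASP make sure that every request must be sent from the local machine before it is executed? Many thanks.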
-shinning(dudu);
2005-9-7
{334}
(#2490047@0)
-
No need. There used to be a web stress tool by Microsoft which you can use to test the performance of a website by repeatedly submitting POST or GET actions. By using that tool, they can submit the form 100 times per second or more for stress testing.
-jeffrey815(Smartiecat);
2005-9-7
{48}
(#2490103@0)
-
Any more suggestions? So I can modify the ASP script and make it more secure... Thanks a lot
-shinning(dudu);
2005-9-7
(#2490211@0)
-
find the ip address then block it
-ywgan(gary);
2005-9-7
(#2490138@0)
-
the website is on a shared web server. it's not easy, the ISP always says that it's the script I create, I must make it more secure........any more suggestions?.........THX
-shinning(dudu);
2005-9-7
(#2490204@0)
-
I'm really anxious, my boss is pushing me to fix the program... Are there any other suggestions? Thanks.
-shinning(dudu);
2005-9-7
(#2490305@0)
-
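A suggestion: what you can do is prevent others from using a program to maliciously auto-submit the form.
For a solution, you can look at Yahoo's user registration page.
Here is a hint:
It seems to put a picture on the page, with randomly generated digits and letters on it.
When the page is submitted, the user is required to type in the content of the picture, which prevents programs from registering automatically.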
-lq1600k(LQ1600K);
2005-9-7
{252}
(#2490404@0)
-
Thanks........:)
-shinning(dudu);
2005-9-7
(#2490434@0)
-
Check out those Request.ServerVariables. It may help you to find out if it is submitted from your own website.
-guestagain(guest again);
2005-9-7
(#2490439@0)
-
thanks a lot, working on it..........
-shinning(dudu);
2005-9-7
(#2490505@0)
-
In ASP, first check the two required fields in the form. If they are empty then reject the submission and do nothing.
-schen(睹往睹来);
2005-9-7
(#2490559@0)
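The server-side half of the two suggestions above (the picture code and the required-field check), as an added example that is not part of any post in this thread. The field names `name`, `email` and `code`, the Session key `challenge`, and the image component that draws the picture are assumptions.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example. Field names "name", "email", "code" and the Session key
' "challenge" are assumptions, not taken from the original form.
Const CODE_CHARS = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789" ' no 0/O or 1/I

' Called by the page that shows the form: makes a fresh code and keeps it
' server-side only. The picture is drawn from Session("challenge") by an
' image component (assumed, not shown). Rnd is not a cryptographic
' generator; it only has to stop blind scripted posts.
Function NewChallenge(length)
    Dim i, code
    Randomize
    code = ""
    For i = 1 To length
        code = code & Mid(CODE_CHARS, Int(Rnd * Len(CODE_CHARS)) + 1, 1)
    Next
    Session("challenge") = code
    NewChallenge = code
End Function

' True only if the typed value matches the stored code. The stored code is
' removed on every attempt, so one solved picture cannot be replayed.
Function ChallengeOk(typed)
    Dim expected
    expected = Session("challenge")
    Session.Contents.Remove "challenge"
    ChallengeOk = False
    If IsEmpty(expected) Then Exit Function
    ChallengeOk = (StrComp(UCase(Trim(typed)), expected, vbBinaryCompare) = 0)
End Function

' True if any of the listed form fields is missing or blank.
Function MissingRequired(names)
    Dim n
    MissingRequired = True
    For Each n In names
        If Len(Trim(Request.Form(n) & "")) = 0 Then Exit Function
    Next
    MissingRequired = False
End Function

If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    If MissingRequired(Array("name", "email")) Or Not ChallengeOk(Request.Form("code") & "") Then
        Response.Status = "400 Bad Request"
        Response.Write "Submission rejected."
        Response.End
    End If
    ' Only past this point does the existing mail-sending code run.
End If
%>
```

A direct POST to the script that never loaded the form page has no `challenge` in its session, so it is rejected even when every field is filled in.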
-
too simple too naive
-gr8gta(gr8gta);
2005-9-7
(#2490567@0)
-
yet, very effective :)
-schen(睹往睹来);
2005-9-7
(#2490913@0)
-
I have already tried this, and I still got response forms with full info... are they smart?
-shinning(dudu);
2005-9-7
(#2491066@0)
-
For Request.ServerVariables, I can't find any object that can help... Is there any other object that can help me find out if it is submitted from my own website?
-shinning(dudu);
2005-9-7
(#2490572@0)
-
Check the HTTP_REFERER to see where the form is submitted from. For internal use only, also check the client's IP address. However, all these are very easily tampered with. Do not rely on them.
-mutantx(阿吉);
2005-9-7
(#2490659@0)
-
no use. header can be easily manipulated.
-jeffrey815(Smartiecat);
2005-9-7
(#2490670@0)
-
I'm checking now...THX
-shinning(dudu);
2005-9-7
(#2490706@0)
-
Have a look at this article. It may give you some ideas about how to build Secure Web Applications.
-mutantx(阿吉);
2005-9-7
(#2490672@0)
-
wa.......it's so long....Thanks........:)
-shinning(dudu);
2005-9-7
(#2490737@0)
-
I added Request.ServerVariables(HTTP_REFERER) to every page, but I still got a lot of forms by email... please help, I'm almost crazy
-shinning(dudu);
2005-9-7
(#2490904@0)
-
They are all from different IP addresses with different info, and they look real... but that request form is not public to clients yet... that's why I know this is not real data.
-shinning(dudu);
2005-9-7
(#2490917@0)
-
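I have a headache, so I'm going home for now. Thanks, everyone. It's really spooky: all the data looks real, no name or address is repeated, and every question is answered. For now I can only rename the file and stop using it. I'm off... the battle continues tomorrow. Thanks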
-shinning(dudu);
2005-9-7
(#2491085@0)
-
Remove the page link from the doc_root. In other words, if the website is not published now, make the link of the page (which contains the form) a broken link, so no one knows the link except you.
-647i(-);
2005-9-8
(#2491870@0)