
Can someone explain what the new feature "Webform Security" is for?

Apr 22, 2012 1:41 PM

Tags: #security #webform

I notice there is a new field called "Webform Security" which inserts {module_ccsecurity} into the form code, but I have no idea what this is for and there is no reference to this module in the knowledgebase.

Can anyone offer some details?

Replies
  • Apr 22, 2012 5:43 PM   in reply to Greg.Tomkins

    It's a form-spam trap. This will insert input fields that do not appear to "real" visitors, but "robots" will insert content into them -- and the form will error out.
  • Liam Dilley
    Apr 22, 2012 5:56 PM   in reply to Greg.Tomkins

    It is under the eCommerce section, so double check that it works in normal forms.

    Things like Shipping address, for example: if you put that in a web form that is not used under the eCommerce layout it will do NOTHING. It will store no data anywhere in the system.

    I am guessing the CC is for credit card stuff. I will try to touch base with the support guys and find out.
  • Apr 22, 2012 5:59 PM   in reply to Greg.Tomkins

    If you have Firefox and the Web Developer add-on, use the "Populate Forms Fields" on such a form to see the error that gets triggered. No error when you manually complete the form.

    Seems like it can work either as an alternative or a 2nd level to a CAPTCHA.

    No documentation anywhere that I can find. I think this came out right around the time Adobe bought out BC. Think I asked about it either in a ticket or back in the days when they offered support webinars twice a week.
  • Liam Dilley
    Apr 23, 2012 12:05 AM   in reply to FriscoTX

    That's part of the captcha.

    That has been doing that and had the hidden field for some time.

    Add captcha and try it.
  • Liam Dilley
    Apr 23, 2012 4:56 AM   in reply to FriscoTX

    Was not in back then, as part of the captcha as I mentioned, but not the security one. Finding out for everyone what this actually is.
  • mario_gudelj
    Apr 23, 2012 4:55 PM   in reply to Liam Dilley

    Hi guys,

    That module is there for CSRF protection. You can read more about it here http://en.wikipedia.org/wiki/Cross-site_request_forgery

    If you place that module within the form tags on the page it will render a field such as this:

    <input type="text" name="s_summary" id="s_summary" class="cat_textbox" value="acade4971bb94d2b936f17bc36a35ba4" style="display:none">

    Cheers,

    Mario
  • Liam Dilley
    Apr 24, 2012 5:08 AM   in reply to Greg.Tomkins

    Had a look and asked for more info.

    Greg, basically do not use it.

    Something that should be on by default and half implemented in the system.

    If you want to avoid spam, keep to the captcha for now.
  • Liam Dilley
    Apr 24, 2012 3:14 PM   in reply to Greg.Tomkins

    There are quite a few.
  • May 17, 2012 3:20 AM   in reply to Greg.Tomkins

    I don't understand why you would want to avoid using it when it is a CSRF protection. If you google CSRF protection, you'll find more explanations about it. But I guess the BC Team needs to document this new feature asap.

    The CSRF (Cross Site Request Forgeries) is a type of attack that occurs when a malicious Web site contains a link, a form button or some javascript that is intended to perform some action on your Web site, using the credentials of a logged-in user who visits the malicious site in their browser. A related type of attack, ‘login CSRF’, where an attacking site tricks a user’s browser into logging into a site with someone else’s credentials, is also covered.

    But it is a great add on.
  • May 18, 2012 2:02 PM   in reply to Greg.Tomkins

    Log into your bank, stay logged in and open a new tab. Then visit another site on the internet.

    Now let's pretend that on this other site, someone (like the site administrator or a commenter) included a link that pointed to a URL such as http://www.YourBank.com/TransferMoney?FromAccount=12345&ToAccount=54321&Amount=1000 and then you clicked the link; the bank would think you were making a legitimate transfer request because you were still logged in.

    Fair enough, but you probably wouldn't click that link because you're smarter than that. Unfortunately your browser isn't so smart, and it doesn't have to be a link. They could have included an image tag, or CSS style sheet or JavaScript file that pointed to that URL and your browser would have automatically "clicked" the link on your behalf when it tried to download the resource.

    That's CSRF in a nutshell.

    There are ways to mitigate this danger, but it's up to the site owner (the bank in this example) to make sure this can't happen. As an end user it's mostly out of your hands. This tag appears to be BC's way to mitigate this, and it appears to be similar to other solutions to this problem.

    I don't know if it works though; it's not documented, so your guess is as good as mine. Either way it's probably a good idea to include it on your forms.
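As an added illustration, not code from Business Catalyst or any poster in this thread, of what a hidden token field like the `s_summary` one quoted earlier buys you in the bank scenario above: the token is derived from the visitor's session with a server-side key, so an attacker's page cannot know it, and a request triggered by an image tag or a cross-site form arrives without it and is rejected. The HMAC construction, the reuse of the field name and the session ids are assumptions.

```python
import hmac
import hashlib
from urllib.parse import parse_qs

# Assumption: a per-deployment secret that lives only on the server.
SERVER_KEY = b"constructed-demo-key-change-me"

def csrf_token(session_id: str) -> str:
    """Token bound to one logged-in session: an HMAC over the session id,
    so it cannot be guessed without SERVER_KEY and is useless for any other
    session. (Hypothetical construction, not BC's.)"""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()[:32]

def hidden_field(session_id: str, name: str = "s_summary") -> str:
    """Markup to emit inside <form>, in the shape of the field quoted earlier
    in the thread. Only a page served to this session can contain this value."""
    tok = csrf_token(session_id)
    return (f'<input type="text" name="{name}" id="{name}" class="cat_textbox" '
            f'value="{tok}" style="display:none">')

def accept_request(session_id: str, method: str, body: str, name: str = "s_summary") -> bool:
    """Server-side gate for a state-changing action such as a transfer.
    Cookies alone are not enough: the request must be a POST carrying the
    token issued to this session, compared in constant time."""
    if method.upper() != "POST":
        return False
    supplied = parse_qs(body, keep_blank_values=True).get(name, [""])[0]
    return hmac.compare_digest(supplied.encode(), csrf_token(session_id).encode())

def demo() -> dict:
    """Constructed scenario: a logged-in customer (session 'sess-alice') and
    the cross-site requests from the bank example above."""
    sid = "sess-alice"
    transfer = "FromAccount=12345&ToAccount=54321&Amount=1000"
    return {
        # Real form on the bank's own page carries the field the server rendered.
        "legit_post": accept_request(sid, "POST", f"{transfer}&s_summary={csrf_token(sid)}"),
        # <img src="...TransferMoney?..."> fires a GET with the cookies but no token.
        "img_tag_get": accept_request(sid, "GET", transfer),
        # A form posted from another site cannot read the bank page, so no token.
        "cross_site_post": accept_request(sid, "POST", transfer),
        # A token from a different session does not validate for this one.
        "wrong_session_token": accept_request(sid, "POST",
                                              f"{transfer}&s_summary={csrf_token('sess-mallory')}"),
    }
```

Only the first request in `demo()` is accepted; the three forged variants fail the token check before any transfer logic runs.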
  • Liam Dilley
    May 18, 2012 6:03 PM   in reply to Erick - BCGurus.com

    Not fully, as it's only half the solution, as it were. They have also made similar changes to web forms and the action, but there do seem to be some issues with that too which are coming through.
