
Can someone explain what the new feature "Webform Security" is for?

Contributor, Apr 22, 2012

I notice there is a new field called "Webform Security" which inserts { module_ccsecurity ] into the form code but I have no idea what this is for and there is no reference to this module in the knowledgebase.

Can anyone offer some details?

TOPICS
Content management and modules

Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Engaged, Apr 22, 2012

It's a form-spam trap. This will insert input fields that do not appear to "real" visitors, but "robots" will insert content into them -- and the form will error out.

Contributor, Apr 22, 2012

Well that's an interesting piece of news - great if it works as it will resolve certain issues I am having. Where does BC give mention to this?

Is this a 2nd level of security we should add in on top of CAPTCHA or is this an alternative to CAPTCHA? It would be good to know the context of using this function.

Thanks for the heads up FriscoTX

LEGEND, Apr 22, 2012

It is under eCommerce section so double check that it works in normal forms.

Things like Shipping address for example if you put that in a web form that is not used under the eCommerce layout it will do NOTHING. It will store no data anywhere in the system.

I am guessing the CC is for Credit card stuff. I will try to touch base with support guys and find out.

Contributor, Apr 23, 2012

I look forward to seeing what support come back with as it seems it might be helpful to understand how this really works (or doesn't work as the case may be..).

Thanks Liam

Engaged, Apr 22, 2012

If you have Firefox and the Web Developer add-on, use the "Populate Forms Fields" on such a form to see the error that gets triggered. No error when you manually complete the form.

Seems like it can work either as an alternative or a 2nd level to a CAPTCHA.

No documentation anywhere that I can find.  I think this came out right around the time Adobe bought out BC. Think I asked about it either in a ticket or back in the days when they offered support webinars twice a week.

LEGEND, Apr 23, 2012

That's part of the captcha.

That has been doing that and had the hidden field for some time.

Add captcha and try it.

LEGEND, Apr 23, 2012

Was not in back then, as part of the captcha as I mentioned, but not the security one. Finding out for everyone what this actually is.

Mentor, Apr 23, 2012

Hi guys,

That module is there for CSRF protection. You can read more about it here http://en.wikipedia.org/wiki/Cross-site_request_forgery

If you place that module within the form tags on the page it will render a field such as this:

<input type="text" name="s_summary" id="s_summary" class="cat_textbox" value="acade4971bb94d2b936f17bc36a35ba4" style="display:none">

Cheers,

Mario

Contributor, Apr 24, 2012

Thanks for the reference Mario but I am afraid I am just not technical enough to appreciate what it was trying to say. Can anyone put in simple terms when and why we should or should not need to use this module call? It seems that the module is important for security but there is no explanation as to whether we should or should not use and the impact of using it. Liam alluded to this in part but it seems as though even Liam who has great answers to almost everything is a bit light on detail here. If Liam struggles then us mere mortals are in big trouble.

Insight into this in functional terms not technical might help a lot of us out and possibly educate some of us. I am quite surprised this has not been raised elsewhere or is it just something about me?

LEGEND, Apr 24, 2012

Had a look and asked for more info.


Greg, Basically do not use it.

Something that should be on by default and half implemented in the system.

If you want to avoid spam, keep to the captcha for now.

Contributor, Apr 24, 2012

Thanks Liam... I will just remain ignorant of this undocumented feature that should not probably be used...

LEGEND, Apr 24, 2012

There are quite a few

Engaged, May 17, 2012

I don't understand why would you want to avoid using it where it is a CSRF protection. If you google CSRF protection, you'll find more explanations about it. But I guess the BC Team need to document this new feature asap.

The CSRF (Cross Site Request Forgeries) is a type of attack that occurs when a malicious Web site contains a link, a form button or some javascript that is intended to perform some action on your Web site, using the credentials of a logged-in user who visits the malicious site in their browser. A related type of attack, ‘login CSRF’, where an attacking site tricks a user’s browser into logging into a site with someone else’s credentials, is also covered.

But it is a great add on.

Guest, May 18, 2012

Log into your bank, stay logged in and open a new tab. Then visit another site on the internet.

Now let's pretend that on this other site, someone (like the site administrator or a commenter) included a link that pointed to a url such as http://www.YourBank.com/TransferMoney?FromAccount=12345&ToAccount=54321&Amount=1000 and then you clicked the link, the bank would think you were making a legitimate transfer request because you were still logged in.

Fair enough, but you probably wouldn't click that link because you're smarter than that. Unfortunately your browser isn't so smart, and it doesn't have to be a link. They could have included an image tag, or css style sheet or javascript file that pointed to that url and your browser would have automatically "clicked" the link on your behalf when it tried to download the resource.

That's CSRF in a nutshell.

There are ways to mitigate this danger, but it's up to the site owner (the bank in this example) to make sure this can't happen. As an end user it's mostly out of your hands. This tag appears to be BC's way to mitigate this, and it appears to be similar to other solutions to this problem.

I don't know if it works though, it's not documented, so your guess is as good as mine. Either way it's probably a good idea to include it on your forms.

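Added example, not part of any post in this thread and not Business Catalyst's code (the thread notes its behaviour is undocumented): the general hidden-field CSRF token check the posts above describe, here as a session-bound HMAC token in Python. The field name `csrf_token`, the session identifiers and the HMAC construction are assumptions for illustration.

```python
import hashlib
import hmac
import html
import secrets
from typing import Mapping, Optional

# Per-deployment secret; generated here only so the demo is self-contained.
SERVER_KEY = secrets.token_bytes(32)
FIELD = "csrf_token"  # hypothetical field name (the field quoted in the thread is "s_summary")


def _mac(session_id: str, nonce: str) -> str:
    msg = f"{session_id}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str) -> str:
    """Token the server embeds when it renders the form for this session."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def render_field(token: str) -> str:
    """Hidden input placed inside the <form> tags."""
    return f'<input type="hidden" name="{FIELD}" value="{html.escape(token)}">'


def is_valid(session_id: str, submitted: Optional[str]) -> bool:
    """Accept only a token that was issued for this exact session."""
    if not submitted or "." not in submitted:
        return False
    nonce, mac = submitted.split(".", 1)
    # Constant-time comparison on bytes; bytes also tolerates non-ASCII input.
    return hmac.compare_digest(mac.encode(), _mac(session_id, nonce).encode())


def handle_post(session_id: str, form: Mapping[str, str]) -> int:
    """Return the HTTP status for a state-changing form submission."""
    if not is_valid(session_id, form.get(FIELD)):
        return 403  # cross-site request: the other site cannot read the token
    return 200      # token was issued to the owner of this session


if __name__ == "__main__":
    sid = "session-alice"  # constructed session identifier
    good = issue_token(sid)
    print(render_field(good))
    print(handle_post(sid, {FIELD: good, "Amount": "1000"}))  # same-site submit
    print(handle_post(sid, {"Amount": "1000"}))               # forged, no token
```

The browser attaches the session cookie to a cross-site request automatically, but it cannot supply the token, because the other site has no way to read the form the server rendered for that session.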
LEGEND, May 18, 2012

Not fully as it's only half the solution as it were. They have also made similar changes to web forms and the action but there do seem to be some issues with that too which are coming through.
