Hi list
has got a good white paper on stopping the automated attacks
Regards
Paul
>From: Paul Kurczaba <seclists (AT) securinews (DOT) com>
>To: Chad Maniccia <wopazar (AT) gmail (DOT) com>
>CC: webappsec (AT) securityfocus (DOT) com
>Subject: Re: Script Based Attacks & Form Hacks
>Date: Thu, 21 Jul 2005 22:06:05 -0400
>
>To prevent automatic form submissions I use a custom written implementation
>of CAPTCHA (http://www.captcha.net/). This prevents robots from
>automatically setting up accounts. Many web developers do use client side
>JavaScript for controlling form submission data (ex. making sure all text
>boxes are filled, verifying email address structure, etc.) This is
>unprofessional and (could be) insecure. The form verification should be
>done on the server side.
>
>The following page I have set up:
>
>uses CAPTCHA to help prevent automatic submissions. If the CAPTCHA string
>is not entered, the form will not be processed by the server. You are free
>to create a Java program to test bypassing CAPTCHA.
>
>-Paul
>
>
>Chad Maniccia wrote:
>>Hi List,
>>
>>thing I have not heard anyone discuss is the use of automated
>>scripts and form hacking. I could easily write a Java program to
>>attack any ASP, JSP, PHP, etc. simply by viewing the page source to find
>>the parameters the form processor will be looking for. You could use
>>this to fill up someone's database with garbage, bring the server to a
>>standstill or, worse yet, bypass all the fancy JavaScript you had on the
>>calling page. Some web applications actually use JavaScript to
>>calculate currency transactions.
>>
>>What ideas do you guys have to protect yourself from these?
>>
>>
>>Thanks,
>>Chad
>
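As an added illustration (not code from anyone in this thread), here is a Python sketch of the server-side handling Paul Kurczaba argues for: required fields and e-mail structure checked on the server, the currency total recomputed from a server-side price list instead of trusted from the page's JavaScript, and a session-bound, one-time CAPTCHA check that a replaying script cannot reuse. The price list, field names and CAPTCHA answer are assumptions made for the example.

```python
import re
import hmac
import secrets
from decimal import Decimal

# Hypothetical server-side price list; the client never supplies the total.
PRICES = {"widget": Decimal("9.99"), "gadget": Decimal("24.50")}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")

def issue_captcha(session, answer):
    """Store the CAPTCHA answer plus a one-time token in the server session.
    Rendering the image is out of scope; `answer` is the text shown to the user."""
    session["captcha_answer"] = answer
    session["captcha_token"] = secrets.token_hex(16)
    return session["captcha_token"]

def _same(a, b):
    # Constant-time comparison; encode so non-ASCII input cannot raise TypeError.
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))

def validate_submission(form, session):
    """Return (True, accepted_order) or (False, errors). Every check runs on the
    server: client-side JavaScript is a convenience, never a control."""
    errors = []
    # 1. Required fields: a direct POST can omit anything the page's JS required.
    for field in ("name", "email", "item", "qty", "captcha", "captcha_token"):
        if not str(form.get(field, "")).strip():
            errors.append(f"missing field: {field}")
    if errors:
        return False, errors
    # 2. E-mail structure, verified here rather than in the browser.
    if not EMAIL_RE.match(form["email"]):
        errors.append("invalid email")
    # 3. Money is recomputed server-side; any client-sent "total" is ignored.
    item = form["item"]
    if item not in PRICES:
        errors.append("unknown item")
    qty = int(form["qty"]) if form["qty"].isdigit() else 0
    if not 1 <= qty <= 100:
        errors.append("qty out of range")
    # 4. CAPTCHA: token must match the session and is consumed on first use.
    expected, token = session.pop("captcha_answer", None), session.pop("captcha_token", None)
    if not token or not _same(token, form["captcha_token"]):
        errors.append("captcha token invalid or reused")
    elif expected is None or not _same(expected.lower(), form["captcha"].strip().lower()):
        errors.append("captcha answer wrong")
    if errors:
        return False, errors
    return True, {"email": form["email"], "item": item, "qty": qty, "total": PRICES[item] * qty}
```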