POST attack on my website

@Sarah324

Posted in: #Hacking #IpAddress #Post

I have a site (humanisms.co.uk) which incorporates a voting system, i.e. user clicks "Up" and it sends a parameter to a PHP script via AJAX, the PHP inserts the vote into a MYSQL db and the new "Up" vote is sent back to the page to update the vote count. This is working great but I've noticed that the number of votes for one of my questions shot up last night. I viewed my webhost's access logs and saw this line:

108.27.195.232 - - [03/Mar/2011:15:20:18 +0000] "POST /vote.php HTTP/1.1" 200 2 "http://www.humanisms.co.uk/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.114 Safari/534.16"


This is repeated well over 100 times and sometimes more than once a second. Now I know they probably aren't sitting there clicking Vote but running some sort of PHP loop?

I'm not worried about SQL injection, but what can I do to prevent this same IP address from doing this, or what can I do in general to avoid this scenario?

I should also say that there's no login so anyone can click using the voting system.

Thanks




3 Comments


 

@Si4351233

The entire votes control can be injected with a javascript, so it's not part of the html source on your page. In order to boost 'security' and lessen the chance of abuse by automation you could


activate its 'onclick' event only if you detect mouse moves within a range of that control.
within the server side script check for presence of a url referrer (at least the domain)
you can even calculate a hash of your 'caller' javascript method and send it in a disguised form to the 'voting' control to check if the 'onclick' has indeed originated from within your own script (the hash would be different within various browsers)


Etc. But the main starting point is to have the entire control injected with JavaScript. This way it will also contribute to your text-to-HTML ratio on the page, as you'll have less crap within the page content that a search engine sees (while it does not see the JavaScript).

And this way there is no need to use those dumb 'captchas' and claim your visitors' precious time by having them prove they're not a robot...



 

@Pope3001725

From this question:


You could do several things including:

Use a CAPTCHA like reCAPTCHA.

Use a field that requires the user to answer a question like what is 5 + 3. Any human can answer it but a bot won't know what to do since it is auto-populating fields based on field names. So that field will be either incorrect or missing, in which case the submission will be rejected.

Use a token and put it into a session and also add it to the form. If the token is not submitted with the form or doesn't match then it is automated and can be ignored.

Look for repeated submissions from the same IP address. If your form shouldn't get too many requests but suddenly is, it probably is being hit by a bot and you should consider temporarily blocking the IP address.



 

@XinRu657

Log IPs, 1 vote per IP only.
CAPTCHA.
Use built-in server-side script functionality to ensure the POST request originated from the same server.

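The second and third answers (session token, referer check, repeated-submission limit, one vote per IP) combined into a single vote.php, written here as an added example and not code from the thread or from the site in question. The table layout, DB credentials and the 10-votes-per-minute threshold are assumptions.

```php
<?php
// Hardened vote.php (added example, not from the thread). Assumed table:
// votes(question_id INT, voter_ip VARBINARY(16), voted_at DATETIME,
//       UNIQUE KEY one_per_ip (question_id, voter_ip))
session_start();
header('Content-Type: application/json');
function reject(string $why, int $status = 403): void {
    http_response_code($status);
    echo json_encode(['ok' => false, 'error' => $why]);
    exit;
}
// 1. Session token: the page embeds $_SESSION['vote_token'] and POSTs it as 'token'.
if (empty($_SESSION['vote_token'])) {
    $_SESSION['vote_token'] = bin2hex(random_bytes(16));
}
if (!hash_equals($_SESSION['vote_token'], (string) ($_POST['token'] ?? ''))) {
    reject('missing or invalid token');
}
// 2. Referer host must be ours; easy to spoof, so a filter only, never the sole check.
if (parse_url($_SERVER['HTTP_REFERER'] ?? '', PHP_URL_HOST) !== $_SERVER['SERVER_NAME']) {
    reject('bad referer');
}
$questionId = filter_input(INPUT_POST, 'question_id', FILTER_VALIDATE_INT);
if (!$questionId) {
    reject('bad question id', 400);
}
$ip = inet_pton($_SERVER['REMOTE_ADDR']);   // 4 or 16 bytes, fits VARBINARY(16)
$db = new PDO('mysql:host=localhost;dbname=site', 'dbuser', 'dbpass',   // placeholders
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// 3. Rate limit: more than 10 votes a minute from one address is a loop, not a reader.
$recent = $db->prepare('SELECT COUNT(*) FROM votes WHERE voter_ip = ?
                        AND voted_at > NOW() - INTERVAL 1 MINUTE');
$recent->execute([$ip]);
if ((int) $recent->fetchColumn() >= 10) {
    reject('too many votes', 429);
}
// 4. One vote per IP per question; the UNIQUE key enforces it atomically,
//    so two concurrent requests cannot both get through.
try {
    $db->prepare('INSERT INTO votes (question_id, voter_ip, voted_at)
                  VALUES (?, ?, NOW())')->execute([$questionId, $ip]);
} catch (PDOException $e) {
    if (($e->errorInfo[1] ?? 0) === 1062) {   // MySQL duplicate-key error
        reject('already voted');
    }
    throw $e;
}
$total = $db->prepare('SELECT COUNT(*) FROM votes WHERE question_id = ?');
$total->execute([$questionId]);
echo json_encode(['ok' => true, 'votes' => (int) $total->fetchColumn()]);
```

One vote per IP also blocks legitimate readers behind a shared NAT or proxy, so the per-minute limit is the safer first line and the hard uniqueness rule is a trade-off to make deliberately.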

