
A spam bot has found my sign-up form and is filling my database with spam submissions. The form is a basic asp.net registration that creates a new membership user and captures account information such as name, address, phone, etc. Rather than implement a captcha I plan to try a honeypot field. However, my question is not about prevention* but rather about security. What potential risk does form spam pose? I already parameterize all of my SQL to handle the obvious SQL injection stuff. What are the other risks? Is anyone aware of how one might use a bot to attack a site through the site's form(s)? When do spam submissions represent more than just spam?

*Here are some posts related to prevention for anyone who is interested:

fighting spam bots

How to deal with botnets and automated submissions

When the bots attack!

hughesdan
  • After reading your "question" (answer?), I couldn't figure out what you really want. – Pedro Lobito Aug 19 '11 at 08:47
  • I thought it was pretty clear. I was trying to understand whether I should approach the issue I described purely from the standpoint of spam-prevention or also from a security standpoint. The responses confirmed what I suspected...that the security risks are independent. I didn't want to assume that to be the case. – hughesdan Aug 19 '11 at 19:01
  • I'm voting to close this question as off-topic because this is not a specific programming problem as defined in the [help]. – hichris123 May 18 '15 at 21:07

3 Answers

Any security risks you may have are completely independent of whether the form is being submitted in bulk.

The only new security risk relates to what happens if the bots fill up your disk.

SLaks

I guess one problem could be the kind of spam they post. If they post links to other websites which in turn try to infect the visitor with malware, it doesn't pose a direct threat to your site but to your visitors.

You should also make sure they can't insert scripts etc. to prevent XSS.

XSS on wikipedia

b3n

From a security perspective, this is really a question about how secure your website is in general. Yes, a spambot could exploit vulnerabilities but then so could any user, be they human or robot.

You mentioned parametrisation of SQL which is a good start, try these as well:

  1. Are you validating all input against a whitelist of trusted values?
  2. Are you applying the principle of least privilege and not allowing the SQL account public users connect with to do more than it needs? (more on that here)
  3. Are you output encoding every piece of data when it's presented back via the UI?

If you're doing all this then you're in good shape security wise. Dealing with the inconvenience created by bots is another issue altogether.

Troy Hunt
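As an added example (not code from the question or from any of the answers above), the following C# program shows two of the checks raised in this thread applied to the registration form described in the question: whitelist validation of each field before it is stored (Troy Hunt's first point) and HTML output encoding when stored values are rendered back to a page (b3n's XSS point and Troy Hunt's third point). The field names, the whitelist patterns and the two sample submissions are assumptions constructed for illustration, not values from the page; the least-privilege SQL account in Troy Hunt's second point is a database-side setting and is not shown here.

```csharp
// Added example: whitelist validation of registration fields plus HTML output
// encoding. Field names and patterns are assumptions for illustration.
using System;
using System.Collections.Generic;
using System.Net;
using System.Text.RegularExpressions;

public static class RegistrationChecks
{
    // Whitelist: each field may contain only the characters its legitimate
    // values need. Anything else is rejected before it gets near the database.
    private static readonly Dictionary<string, Regex> Whitelist = new Dictionary<string, Regex>
    {
        { "name",    new Regex(@"^[\p{L} .'\-]{1,60}$") },           // letters, space, . ' -
        { "phone",   new Regex(@"^\+?[0-9 ()\-]{7,20}$") },         // digits and separators
        { "address", new Regex(@"^[\p{L}\p{N} .,'#/\-]{1,120}$") }, // no ':' so URLs fail
        { "email",   new Regex(@"^[^@\s]{1,64}@[^@\s]{1,255}$") },  // shape check only
    };

    // Returns the names of the fields that failed validation; an empty list means accept.
    public static IList<string> Validate(IDictionary<string, string> form)
    {
        var failed = new List<string>();
        foreach (var rule in Whitelist)
        {
            string value;
            if (!form.TryGetValue(rule.Key, out value) || value == null || !rule.Value.IsMatch(value))
                failed.Add(rule.Key);
        }
        return failed;
    }

    // Output encoding: a stored value is encoded at render time, so even a
    // value that slipped past validation is shown as text, not run as script.
    public static string RenderCell(string stored)
    {
        return "<td>" + WebUtility.HtmlEncode(stored) + "</td>";
    }

    public static void Main()
    {
        // Constructed sample submissions: one legitimate, one typical bot payload.
        var good = new Dictionary<string, string>
        {
            { "name", "Ann O'Brien" }, { "phone", "+1 (555) 010-2020" },
            { "address", "12 High St." }, { "email", "ann@example.com" }
        };
        var bot = new Dictionary<string, string>
        {
            { "name", "<script>alert(1)</script>" }, { "phone", "buy now" },
            { "address", "http://spam.example/" }, { "email", "x" }
        };

        Console.WriteLine("good submission, failed fields: " + string.Join(",", Validate(good)));
        Console.WriteLine("bot submission, failed fields:  " + string.Join(",", Validate(bot)));
        Console.WriteLine(RenderCell(bot["name"]));
    }
}
```

The legitimate submission passes every rule, while every field of the bot submission is rejected; the rendered cell for the bot's name comes out with `<` and `>` encoded, so the script tag is inert. Validation and encoding are kept as two separate steps on purpose: the whitelist limits what reaches storage, and encoding protects the reader of any page that displays a value regardless of how it got there.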