Protect Frontend Form (InputfieldForm) from bots and script kids attacks


cwsoft

Hello,

quite new to PW. I have a project which uses a frontend form built with basic fields (InputfieldForm) and no user registration or frontend login. What are the best or proposed strategies to secure the form from spam bots and malicious script kids using PW basic fields? The actual form just has built-in CSRF protection, but no other stuff like honeypot fields or tracking of failed submits via session tracking of IP etc. The form will be used by about 100-150 people, but once the stuff goes live, anybody knowing the URL can try to break things.

My considerations so far:
1. Add honeypot fields (spam bots) and Captcha to make script attacks less likely
2. Track failed/double submits and ban IP for some increasing time
3. Switch to the free FrontendForms module by Jürgen listed in the PW repo
4. Hide the form behind a PW login page (means to add 1-100 Dummy users with same/individual credentials)

What would you propose? Are there links or code snippets showing how to implement that stuff?

Any thoughts, hints, tips or links to resources highly appreciated.

Cheers zx80
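Added example (not code from the thread or from ProcessWire): a plain-PHP guard that combines options 1 and 2 from the list above, a honeypot field, a minimum fill time, and a per-session failed-submit counter with an increasing lock-out. It assumes PHP sessions are available and that CSRF is handled separately (in PW via $session->CSRF); the field and session key names are made up for the example.

```php
<?php
// Added example (not from the thread or ProcessWire): honeypot + minimum
// fill time + per-session failure counter with a doubling lock-out.
// Assumptions: PHP sessions; CSRF handled elsewhere ($session->CSRF in PW);
// field name "website_url" and the session keys are made-up names.
session_start();

const HONEYPOT_FIELD   = 'website_url'; // hidden field a human never fills
const MIN_FILL_SECONDS = 3;             // bots usually submit instantly
const MAX_FAILURES     = 3;             // failures before the first lock-out
const BASE_LOCKOUT     = 60;            // seconds; doubles per extra failure

// Call when rendering the form: remembers when it was shown and returns the
// honeypot markup to embed in the form (moved off-screen, not display:none).
function renderGuardFields(): string {
    $_SESSION['form_shown_at'] = time();
    return '<div style="position:absolute;left:-9999px" aria-hidden="true">'
         . '<label>Website <input type="text" name="' . HONEYPOT_FIELD
         . '" tabindex="-1" autocomplete="off"></label></div>';
}

// Seconds until this session may submit again; 0 when not locked out.
function lockoutRemaining(): int {
    $until = $_SESSION['locked_until'] ?? 0;
    return max(0, $until - time());
}

// Record a failed submit; from MAX_FAILURES on, lock out for 60s, 120s,
// 240s, ... capped at one hour.
function registerFailure(): void {
    $failures = ($_SESSION['failures'] ?? 0) + 1;
    $_SESSION['failures'] = $failures;
    if ($failures >= MAX_FAILURES) {
        $extra = $failures - MAX_FAILURES;
        $lock  = min(3600, BASE_LOCKOUT * (2 ** $extra));
        $_SESSION['locked_until'] = time() + $lock;
    }
}

// Check the anti-bot signals of a POST; returns an error string or null.
function checkSubmission(array $post): ?string {
    if (lockoutRemaining() > 0) {
        return 'Too many attempts, try again in ' . lockoutRemaining() . 's';
    }
    // A filled honeypot means an automated client.
    if (!empty($post[HONEYPOT_FIELD])) {
        registerFailure();
        return 'spam';
    }
    $shown = $_SESSION['form_shown_at'] ?? 0;
    if ($shown === 0 || time() - $shown < MIN_FILL_SECONDS) {
        registerFailure();
        return 'Form submitted too quickly';
    }
    // Passed: reset the counter so genuine typos do not accumulate.
    $_SESSION['failures'] = 0;
    return null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $error = checkSubmission($_POST);
    if ($error === 'spam') {
        echo 'Thank you';   // answer the bot like a success, store nothing
    } elseif ($error !== null) {
        echo htmlspecialchars($error);
    } else {
        echo 'Processing the real submission ...';
    }
} else {
    echo '<form method="post">' . renderGuardFields()
       . '<input type="text" name="fullname"><button>Send</button></form>';
}
```

A session-keyed counter only binds clients that keep the cookie; for the IP-based ban mentioned in option 2 the same counter would be keyed on the client address in persistent storage instead of $_SESSION, and the time check could use a signed hidden timestamp field if the site must stay cookieless.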


Hello @zx80,

I would go with a module for forms like the commercial FormBuilder or the aforementioned FrontendForms. I have built forms in the past, but nowadays I use FormBuilder for every form, because forms can be complex to develop and maintain.

Both FormBuilder and FrontendForms have protection well covered:

For protection I am always using a honeypot and Google reCAPTCHA field, with filtering by specific mail addresses or keywords when I still get spam.
FormBuilder has an extra module for a Google reCAPTCHA field.

Regards, Andreas


@AndZyk: Thanks for your input. Will try first with the free FrontendForms module as I am quite new to PW and have not had a lot to do with web dev recently (more C#, Python stuff for Windows Desktop). Hence I don't want yet to spend the 179€ for the pro module unless I know for sure I will be using PW more often in the future.

cheers zx80


Hi,

just added a fifth option to keep Google and unwanted users out. I just hid my entire PW booking site behind a .htaccess AuthBasic access. But will try the FrontendForm module too as it seems to already provide all the features I want to implement myself out of the box 🙂


That is also an option. 😀

If you just want to exclude search engines, you could make your page hidden and exclude it in your robots.txt

But if you want to protect your page, a .htaccess protection works as well. You could try the free LoginRegister module, if you want a better looking login form integrated with PW: https://github.com/ryancramerdesign/LoginRegister
There is also a commercial successor of this module: https://processwire.com/store/login-register-pro/

Regards, Andreas


23 hours ago, zx80 said:

but once the stuff goes live, anybody knowing the Url can try to break things


On 5/30/2023 at 12:36 PM, zx80 said:

but once the stuff goes live, anybody knowing the Url can try to break things

One more thing if you are building your own form: You can clean every data entered in the form by sanitizing every input. 😉
https://processwire.com/api/ref/sanitizer/

$fullname = $sanitizer->text($input->post->fullname); // Long
$fullname = $input->post->text("fullname"); // Short

https://processwire.com/blog/posts/processwire-2.6.14-brings-major-enhancements-to-sanitizer-and-input-api-variables/#sanitizer-and-input-are-now-a-couple
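Added example (not from the thread, not ProcessWire's own code) that builds on the two sanitizer lines above: validating a whole form with $sanitizer plus a whitelist for the select field, so only values of the expected type and shape survive. It assumes a PW 3.x template context ($input, $sanitizer available; text()/textarea() accepting a maxLength option and int() accepting min/max as in the 3.x docs); the field names fullname, email, topic, persons and message are made up.

```php
<?php namespace ProcessWire;
// Added example (not from the thread or ProcessWire): whitelist-style
// validation of posted fields with $sanitizer. Assumes a PW 3.x template
// context; all field names are made-up names for this example.

// Only these values are ever accepted for the select field.
$allowedTopics = ['booking', 'cancellation', 'question'];

$errors = [];
$data   = [];

// Free text: sanitize AND cap the length so nothing oversized gets stored.
$data['fullname'] = $sanitizer->text($input->post->fullname, ['maxLength' => 100]);
if ($data['fullname'] === '') $errors[] = 'Name is required';

// Email: email() returns '' for anything that is not a valid address.
$data['email'] = $sanitizer->email($input->post->email);
if ($data['email'] === '') $errors[] = 'A valid email address is required';

// Select: compare the sanitized string against the whitelist (strict),
// never trust the raw value even if it "looks" like one of the options.
$topic = $sanitizer->text($input->post->topic);
$data['topic'] = in_array($topic, $allowedTopics, true) ? $topic : null;
if ($data['topic'] === null) $errors[] = 'Unknown topic';

// Number with a range: int() coerces the type, the range is our rule.
$data['persons'] = $sanitizer->int($input->post->persons, ['min' => 1, 'max' => 20]);
if ($data['persons'] < 1) $errors[] = 'Number of persons must be between 1 and 20';

// Multi-line text: textarea() strips tags and normalizes newlines.
$data['message'] = $sanitizer->textarea($input->post->message, ['maxLength' => 2000]);

if ($errors) {
    // Re-render with messages; entity-encode anything echoed back.
    foreach ($errors as $e) echo '<p>' . $sanitizer->entities($e) . '</p>';
} else {
    // $data now holds only typed, bounded, whitelisted values; store or mail it.
}
```

The point of the whitelist is that the select field's posted value never reaches storage or a selector string as a free string: an attacker can post any value for a select, so the server decides what is allowed, not the markup.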


Wild idea, but the little maths question system I wrote for this contact form is, as far as I know, GDPR compliant and is used on a site that has no cookies or sessions on the front end interface. It therefore has no CSRF protection, yet has been 100% effective (several years so far) at preventing spam submissions. There are a few things I'd change if doing a v2, but overall, it's worked very well. Reload the page a few times to get a feel for how the question system works.

If you are not worried about being GDPR compliant and are willing to use sessions, then writing something like this would be even easier as there are no extra anonymisation hoops to jump through. Just stash a target answer in the session and re-generate a maths question that leads to that answer on each page render.


@netcarver Thanks, already implemented a simple SESSION based math spam protection myself and some honeypot fields. However my client is very paranoid about DSGVO etc. He even worried about the guest cookie (wire) set by PW by default on startup, even though I tried to explain it's a technically required cookie set by the underlying CMS, which gets deleted automatically when the browser is closed.


10 hours ago, AndZyk said:

You could try the free LoginRegister module, if you want a better looking login form integrated with PW: https://github.com/ryancramerdesign/LoginRegister

Cool. Will test this option too, once I showed the demo to my client and it was decided if and how to proceed with the project. You guys are all awesome and gave me a lot of tips, hints, links and code snippets to check out. 

@Andy Thanks for your sanitizer snippets, already using those on all input data by default. Even do whitelisting whenever appropriate in addition.


1 hour ago, zx80 said:

spam protection

I also have a 100% working spam protection technique I always use (and nothing more). See it working here: https://www.szepelet.com/about-us/contact-us/

Human Detection is a pure PHP random number, rendered by :after {content: attr(data-attr);} and the css class is deliberately not named with a related term, just to make it more obscure. No bots have been smart enough to crack it so far.

Edited by szabesz
typos
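Added example (not code from netcarver's or szabesz's sites) that puts the two ideas from the posts above together: the session variant netcarver describes (stash a target answer, re-generate a maths question that leads to it on every render) with the operands rendered through a CSS attr() rule as in szabesz's post, so a client that only reads text nodes sees an empty label. It assumes plain PHP sessions; the class name frm-meta, the field name check and the session key are made-up names.

```php
<?php
// Added example (not from the thread): session-backed arithmetic challenge
// whose operands are delivered via data attributes + CSS attr().
// Assumptions: PHP sessions; "frm-meta", "check" and the session key are
// made-up names for this example.
session_start();

// One target answer per session; every render derives a fresh question
// that leads to it, so reloading the page reveals nothing new.
function targetAnswer(): int {
    if (!isset($_SESSION['challenge_answer'])) {
        $_SESSION['challenge_answer'] = random_int(10, 40);
    }
    return $_SESSION['challenge_answer'];
}

// Build a random "a + b" or "a - b" question that evaluates to $answer.
function questionFor(int $answer): array {
    if (random_int(0, 1) === 0) {           // a + b = answer
        $a = random_int(1, $answer - 1);
        return ['a' => $a, 'op' => '+', 'b' => $answer - $a];
    }
    $b = random_int(1, 9);                  // a - b = answer
    return ['a' => $answer + $b, 'op' => '-', 'b' => $b];
}

// Operands live in data attributes; the stylesheet puts them on screen,
// so the HTML text content of the label is just "What is  ? ".
function renderChallenge(): string {
    $q = questionFor(targetAnswer());
    return '<style>.frm-meta::after{content:attr(data-n);}</style>'
         . '<label>What is '
         . '<span class="frm-meta" data-n="' . $q['a'] . '"></span> ' . $q['op']
         . ' <span class="frm-meta" data-n="' . $q['b'] . '"></span>? '
         . '<input type="text" name="check" inputmode="numeric" autocomplete="off">'
         . '</label>';
}

// Compare the posted value with the stored answer and rotate the answer
// whether or not it matched, so each attempt gets exactly one try.
function verifyChallenge(array $post): bool {
    $value = isset($post['check']) ? trim((string) $post['check']) : '';
    $ok = $value !== '' && ctype_digit($value) && (int) $value === targetAnswer();
    unset($_SESSION['challenge_answer']);
    return $ok;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    echo verifyChallenge($_POST) ? 'Human check passed' : 'Wrong answer, please try again';
} else {
    echo '<form method="post">' . renderChallenge() . '<button>Send</button></form>';
}
```

This keeps the answer server-side only; the HTML never carries the answer, the data attributes carry operands that change on every render, and a wrong answer discards the stored target so guessing one session repeatedly does not help. A headless browser that evaluates CSS and does arithmetic would still pass, which is the limit of this kind of check.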
