Yet another reason to secure webforms

Website and database security has been in the news quite a bit lately. Take for instance Equifax's recent breach of over 140 million accounts or the popular Playstation and Xbox forums. All of these incident's are big and scary but, fortunately, are actually rare. Most incidents are smaller - at least in scale if not impact. The vast majority of "hacking" happens on smaller websites whose owners and authors probably don't think will get attacked because they don't have anything worth stealing. While that is certainly true for a lot of sites, the truth is that stealing information is not always the goal when someone is trying to compromise your site. Long before attackers try to take on a large site, they practice and hone their skills on smaller, easier targets. Sometimes these are kids - literally - just trying things out and seeing what they can accomplish. Sometimes it's a self-proclaimed "hacktivist" that has gotten it in their heads that your company or business is offensive to them so they take it upon themselves to bring "justice" to it. And sometimes it's just people trying to watch a soccer game.

I've recently heard of what seemed like a strange sort of attack. The attackers - for lack of a better word - were flooding unsecured forms on websites that allowed them to upload files such as PDF documents. This seemed strange to me since a PDF can't execute code, and the databases that these files were stored in didn't have access to any information anyway. So why would someone bother to write a program that would submit hundreds of PDF files to a website? Turns out the answer was in the content of those files. All of them contained either links to or embedded videos of ... soccer games! Yes soccer games. These guys ( and granted that's a huge generalization, but let's admit it, most sports fans are male ) spent a lot of time and effort to upload links to soccer games - mostly from the middle east - to a file server. "What's the story with that?" I asked myself, and then I realized the answer. You see, we are spoiled ( to an extent ) here in the U.S., we rarely have to deal with region locking - that is making digital content - be it DVDs, video games or soccer games - unavailable to a certain part of the world. Most of our digital content is produced and available for consumption right here. Rarely do people seek content from other countries or regions. There is a portion of the population that still wants to get news and information from the countries they were born in or their family lives in. Or their favorite soccer team plays in. What was happening was that by uploading the files to an U.S. server, people in the U.S. could access content they wouldn't normally have access to. A bit of a clever workaround to the region locking problem.

While this sounds almost benign, it does have some bad repercussions if not addressed. The first of which is space on the server. PDF files are not small, even if they were compressed, which these weren't. They will fill up the space on a server rather quickly, and when that happens your site will encounter a whole range of issues, from errors trying to upload new content to slowing the site down to a crawl. It also opens your site up to a copyright infringement claim. The company whose content got uploaded to your website can file a claim that you are hosting copyrighted content without permission. These claims can carry large fines and penalties and it is even possible that your IP will shut down your site. Something not to be taken lightly.

The fix for this couldn't be easier. All that's needed is to add a captcha to the webform. For Drupal sites there are the handy captcha and reCaptcha modules. For WordPress theres also a plugin . Even if you're not using a content management system, you can get a captcha widget directly from Google. If you want or need extra security - and who doesn't - you should also make it so the submitter must have an account, and require approval from an administrator for that account. With all of these options, there isn't a reason to not secure your webforms.