Website security

I have a asp web site, and a register form, a process.asp to insert the
registration row.
If someone, create a form in his localhost webserver,
and the form action is my process.asp, how can I prevent that request ?

Thank you

Jay

"Jay" <> writes:

> I have a asp web site, and a register form, a process.asp to insert the
> registration row.
> If someone, create a form in his localhost webserver,
> and the form action is my process.asp, how can I prevent that
> request ?

The usual--validate the hell every stinking variable that form takes
in, and do so ON THE SERVER. Not in javascript. To do this, you have
to come up with your definition of what a valid request is, and what
valid input for each of your fields is.

If the person cares enough to send all valid data and spoofs
http_referrer to match and all that, there isn't much reason to worry
since the form they've recreated is sufficiently identical to your own
form.

If you're doing server side validation sufficiently, you won't any
longer care if it's your copy of the form the POST came from or
someone's local copy. Even on your copy of the form, an attacker with
a software web proxy or firefox plugin can add form fields, override
field lengths, get around javascript, etc so even if you had a magical
bullet to determine "someone copied my form" you'd still not cut down
your space of worry.

Best REgards,
--
Todd H.
http://www.toddh.net/

Todd H.