Puckdropper
I wonder if banning form/query strings that don't return
Sat Apr 03, 2021 2:27am
73.51.27.215

anything you want (like A=whatever) would be a good start. I remember seeing a technique published years ago where a form element was hidden (and thus the user would never see it) and its presence or absence was looked for when the form submitted. That only worked so long, though, as bots learned to fill out forms.

Maybe that bored Turkish person really liked history (I don't remember exactly what the other board was) and also computer hacking?

    • Trying out generic WordPress, PHP vulnerabilities and HTML form/query string combinations. (Using A=whatever in the query string is a very common one for some reason.) I did end up using regular reCaptcha 2 on the create account, forgot password and subscription pages though. I originally didn... more
      • I wonder if banning form/query strings that don't return- Puckdropper, Sat Apr 03 2021 2:27am
        • With the message board I'm using SpringMVC which... - Erik_, Tue Apr 06 2021 2:42pm
          I have to specify which query params I want to accept (if any) in the method's parameters. So, if a user enters "?howdy=yall" and I'm not set up to look for a query param named "howdy", it gets completely ignored which is nice. Example for the RSS controller's mapping to get the RSS feed of a m... more
    "Forces act when not restrained" - Puckdropper
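
The two checks discussed in this thread (rejecting query or form parameters the handler never asked for, such as `A=whatever`, and the hidden honeypot field) can be combined into one server-side screen. This is an added example, not code from any poster or from the board's Spring MVC application; the routes, field names and sample requests are assumptions made up for illustration.

```python
from urllib.parse import parse_qsl, urlsplit

# Hypothetical routes and field names, chosen for this example only.
ALLOWED_QUERY = {"/rss": {"board"}, "/signup": set()}
ALLOWED_FORM = {"/signup": {"username", "email", "password", "website"}}
HONEYPOT_FIELD = "website"  # rendered hidden, so a browser submits it empty


def screen_request(url, form_body=None):
    """Return the reasons to reject a request; an empty list means accept."""
    parts = urlsplit(url)
    if parts.path not in ALLOWED_QUERY:
        return ["unknown path"]
    reasons = []
    # keep_blank_values=True so "name=" still counts as a submitted name.
    query_names = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    extra = sorted(query_names - ALLOWED_QUERY[parts.path])
    if extra:
        reasons.append("unexpected query parameter: " + ", ".join(extra))
    if form_body is not None:
        form = dict(parse_qsl(form_body, keep_blank_values=True))
        extra = sorted(set(form) - ALLOWED_FORM.get(parts.path, set()))
        if extra:
            reasons.append("unexpected form field: " + ", ".join(extra))
        # Absent: the POST was built without loading the form.
        # Non-empty: something filled in a field no human can see.
        if HONEYPOT_FIELD not in form:
            reasons.append("honeypot field missing")
        elif form[HONEYPOT_FIELD].strip():
            reasons.append("honeypot field filled in")
    return reasons


# Constructed sample requests (not taken from any real log).
SAMPLES = [
    ("/rss?board=history", None),
    ("/rss?board=history&A=whatever", None),
    ("/signup", "username=bob&email=bob%40example.com&password=pw&website="),
    ("/signup", "username=x&email=x%40example.com&password=pw&website=spam"),
    ("/signup", "username=x&email=x%40example.com&password=pw"),
]

if __name__ == "__main__":
    for url, body in SAMPLES:
        print(url, "->", screen_request(url, body) or "accept")
```

A bot that submits the honeypot empty passes this screen, which is why the thread pairs it with reCAPTCHA on the account pages.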