How can I prevent systems from incorporating my site?

3

I recently discovered that people are accessing my site with a site-marketing application.

It comes from different "people", with different data but with the same characteristics.

It starts with a text and ends with some links.

I also discovered that the tool prevents JavaScript from running along with the page and pretends to be Internet Explorer 6.

  • The idea would be to block access via iframe.

  • Prevent the page from running in outdated versions of such browsers.

  • Adding a "CPF" field with verification (validation), which in this case is already disabled.

  • asked by anonymous 30.03.2017 / 16:01

    3 answers

    -2

    People, just reopening the question that I asked myself: I went a little further, took some ideas from the post here, and did the following.

    In the form itself I put a hidden field with a name very similar to the one the tool uses; the field was of type text, not hidden, and was hidden with CSS.

    With this I resolved 100% of the spam that was received in all the e-mails fired from the form. No e-mail with links or similar content was received!

    SOLVED CASE.

    21.02.2018 / 21:36
    4

    "I also discovered that the tool prevents JavaScript from running along with the page and pretends to be Internet Explorer 6."

    There is even software that is not a browser but sends/receives data via HTTP(S), such as cURL. Not far off there is the Lynx browser, which is purely text, a browser in the command line. Even Chrome and "real" browsers can turn off JavaScript in their settings.

    "The idea would be to block access via iframe."

    There is the X-Frame-Options header (RFC 7034), from 2013; it aims to prevent a website from being opened inside an <iframe> or <frame>, so use:

    NGINX:

      add_header X-Frame-Options "DENY" always;
    

    But what if the browser is obsolete? If the browser does not understand X-Frame-Options, the header is simply ignored.

    "Prevent the page from running in outdated versions of such browsers."

    This is useless; a malicious person can quickly forge a User-Agent. cURL, which is not a browser, can pass itself off as a browser quickly and easily.

    Any Burp Suite lets you change the headers, any cURL lets you set the headers, i.e.:

    curl -H "User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" https://seu-site.com
    

    This makes your website believe you are accessing it via Chrome version 41; cURL even has an -A option specifically to change the User-Agent, without having to use -H. Nice, isn't it?!

    One thing you can do to break old browsers and prevent them from being used is to use TLS 1.2. Just to make it clear, TLS 1.2 was not meant for this, but only recent browsers and recent operating systems support it, meaning it is a "natural" exclusion.

    "Adding a "CPF" field with verification (validation), which in this case is already disabled."

    It is faster to generate a CPF than to generate an MD5; for example, this generates a valid CPF:

    <?php
    $CPF = '';
    $D10 = $D11 = 0;
    
    // Generate 9 individual, cryptographically secure pseudo-random digits
    for($i = 0; $i < 9; ++$i)
        $CPF .= random_int(0, 9);
    
    // Calculation of the 10th digit (weights 10 down to 2)
    for($i = 0; $i < 9; ++$i)
        $D10 += $CPF[$i] * (10 - $i);
    
    // Append the 10th digit to the CPF (if the result is 10 or more it becomes 0, otherwise it is the value itself!)
    $CPF .= 11 - ($D10 % 11) >= 10 ? 0 : 11 - ($D10 % 11);
    
    // Calculation of the 11th digit (weights 11 down to 2, now including the 10th digit)
    for($i = 0; $i < 10; ++$i)
        $D11 += $CPF[$i] * (11 - $i);
    
    // Append the 11th digit to the CPF (if the result is 10 or more it becomes 0, otherwise it is the value itself!)
    $CPF .= 11 - ($D11 % 11) >= 10 ? 0 : 11 - ($D11 % 11);
    
    echo $CPF;
    

    You can generate thousands of CPFs at no cost; a malicious person will simply keep making multiple requests as normal. The only way would be to check whether the CPF matches the name and other data, and even then much of that data can be obtained by searching Google itself.


    Note: this function was created based on this publication.

    Creating a CPF restriction and requiring multiple pieces of data only excludes legitimate users. Just like blocking old browsers, it only tends to reduce the number of legitimate visits, with no great benefit. Of course, if you use TLS 1.2, and consequently keep old browsers out, your site will be safer than with SSLv2 and SSLv3, but the blocking itself will not bring any benefit.

    In addition, anyone who really wants to manipulate things will be able to use cURL or whatever, forging a User-Agent, which in fact, if they use such a tool, they already falsify (and you cannot even tell).

    Efficient solutions:

  • Use X-Frame-Options; modern browsers will not allow the iframe, and if you limit access to TLS 1.2 they will necessarily support this header.

  • Set a Content-Security-Policy to also prevent <iframe> embedding and XSS.

  • Create a rate limit: if a single IP sends many requests, block it, preventing new submissions, if this is the case.

  • Creating fake form fields, not visible to humans, as suggested by @Bacco, can be effective.

    31.03.2017 / 00:11
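The answer's point that a valid CPF costs nothing to fabricate, as an added example that is not part of the answer and is written in Python rather than the answer's PHP: the same check-digit rule is implemented once and used both as the validator a form would apply and as a generator, so you can see that every generated number passes that validation. The function names `cpf_check_digit`, `generate_cpf` and `cpf_is_valid` are chosen here, and the sample CPF in the comments is a constructed test value.

```python
import secrets


def cpf_check_digit(digits):
    """Compute one CPF check digit from the digits seen so far (9 or 10).

    Weights run from len(digits)+1 down to 2, i.e. 10..2 for the first check
    digit and 11..2 for the second; a remainder of 0 or 1 yields 0, which is
    exactly the "11 - remainder >= 10 ? 0" rule in the PHP above.
    """
    weights = range(len(digits) + 1, 1, -1)
    remainder = sum(d * w for d, w in zip(digits, weights)) % 11
    return 0 if remainder < 2 else 11 - remainder


def generate_cpf():
    """Return a random 11-digit string that passes cpf_is_valid()."""
    while True:
        base = [secrets.randbelow(10) for _ in range(9)]
        if len(set(base)) > 1:  # avoid all-equal sequences, which validators reject
            break
    base.append(cpf_check_digit(base))   # 10th digit
    base.append(cpf_check_digit(base))   # 11th digit, computed over the first 10
    return "".join(map(str, base))


def cpf_is_valid(cpf):
    """Structural validation only: 11 digits, not all equal, both check digits correct.

    Punctuation such as "111.444.777-35" (constructed example value) is ignored.
    This is the strongest check a form can do offline, and generate_cpf()
    satisfies it every time, which is why it stops no bot.
    """
    digits = [int(c) for c in cpf if c.isdigit()]
    if len(digits) != 11 or len(set(digits)) == 1:
        return False
    return (digits[9] == cpf_check_digit(digits[:9])
            and digits[10] == cpf_check_digit(digits[:10]))


def generated_cpfs_all_pass(count=1000):
    """Demonstrate the answer's claim: every generated CPF passes validation."""
    return all(cpf_is_valid(generate_cpf()) for _ in range(count))


if __name__ == "__main__":
    print(generate_cpf(), generated_cpfs_all_pass())
```

A CPF field therefore only raises the bar for a human typing nonsense, not for a tool; the answer's conclusion that only a cross-check against other data would matter follows directly.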
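The "Efficient solutions" list above (a hidden honeypot field, a per-IP rate limit, and anti-framing headers), as an added example that is not part of any answer on this page; it also covers the hidden-field trick from the asker's own answer. It is Python rather than the page's PHP, and the `SubmissionGuard` class, the field name `website`, the limits, the `X-Frame-Options`/`Content-Security-Policy` values (mirroring the nginx `add_header` line in the answer) and the sample submissions (IPs from the 203.0.113.0/24 documentation range) are all constructed for this illustration. The User-Agent is deliberately never consulted, for the reason the answer gives: it is trivially forged.

```python
import time
from collections import deque

# Honeypot: a field with a plausible name that form-filling tools fill in,
# hidden from humans with CSS (e.g. display:none on its wrapper). Name is assumed.
HONEYPOT_FIELD = "website"

# Rate limit: at most LIMIT submissions per IP within WINDOW seconds (assumed values).
RATE_LIMIT = 5
RATE_WINDOW = 60.0

# Response headers equivalent to the nginx `add_header X-Frame-Options "DENY" always;`
# plus the CSP counterpart; modern browsers honour either one.
SECURITY_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'; default-src 'self'",
}


class SubmissionGuard:
    """Decide whether a form submission is accepted, using only server-side signals."""

    def __init__(self, limit=RATE_LIMIT, window=RATE_WINDOW, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock          # injectable for deterministic tests
        self._hits = {}             # ip -> deque of submission timestamps

    def _rate_limited(self, ip, now):
        """Sliding-window counter: drop stale timestamps, then compare against limit."""
        hits = self._hits.setdefault(ip, deque())
        while hits and now - hits[0] > self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return True
        hits.append(now)
        return False

    def check(self, ip, form):
        """Return "accept" or a "reject:<reason>" string for one submission.

        Every attempt counts toward the rate limit, even ones rejected by the
        honeypot, so a bot cannot probe for free. The User-Agent header is not
        an input here at all.
        """
        limited = self._rate_limited(ip, self.clock())
        if form.get(HONEYPOT_FIELD, "").strip():
            return "reject:honeypot"      # a human never sees this field, so it stays empty
        if limited:
            return "reject:rate-limit"
        return "accept"


# Constructed sample traffic: one legitimate visitor, one tool that filled every
# field it found (including the honeypot), and one IP hammering the form.
SAMPLE_SUBMISSIONS = [
    ("203.0.113.10", {"name": "Ana", "message": "Hello, I would like a quote."}),
    ("203.0.113.20", {"name": "promo", "message": "Great offer http://example.invalid",
                      "website": "http://example.invalid"}),
] + [("203.0.113.30", {"name": f"bot{i}", "message": "x"}) for i in range(7)]


def run_demo(guard=None):
    """Run the sample traffic through a guard and return the verdict per submission."""
    guard = guard or SubmissionGuard()
    return [guard.check(ip, form) for ip, form in SAMPLE_SUBMISSIONS]


if __name__ == "__main__":
    for (ip, _), verdict in zip(SAMPLE_SUBMISSIONS, run_demo()):
        print(ip, verdict)
```

The honeypot and the rate limit are independent: the first catches tools that fill every field they find, the second caps damage from a single source regardless of what it sends, and neither relies on anything the client can choose to misreport.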
    0

    I think your problem is entirely related to some kind of bot attack, i.e. your problem is not someone including your site elsewhere, but rather one or more bots trying to break the security of your site, or even trying to carry out some kind of mass attack to take it down.

    So the question here is not a cross-site scripting problem, but a direct attack.

    Your solution of creating a hidden field I honestly do not understand, but if it is what I imagine, any bot can easily detect it and get past it soon enough.

    Existing solutions to solve this type of problem today are:

    21.02.2018 / 23:24