"I also discovered that the tool prevents JavaScript from running along with the page and simulates Internet Explorer version 6."
There is even software that is not a browser and still sends/receives data over HTTP(S), such as cURL. Not far from that there is the Lynx browser, which is text-only, a browser inside the terminal (CMD). And even Chrome and the other "real" browsers let you turn off JavaScript in their settings.
What would be the idea? Blocking access via the iframe.
There is the X-Frame-Options header (RFC 7034), from 2013, which aims to prevent a website from being opened in an <iframe> or <frame>, so use:
NGINX:
add_header X-Frame-Options "DENY" always;
But what if the browser is obsolete? If the browser does not understand X-Frame-Options, the header is simply ignored.
"Prevent the page from running in outdated versions of such browsers."
This is useless: a malicious person can quickly forge a User-Agent, and cURL, which is not a browser, can pass itself off as a browser quickly and easily.
Burp Suite lets you change the headers, and cURL lets you set the headers, i.e.:
curl -H "User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" https://seu-site.com
This makes your website believe you are accessing it from Chrome version 41; cURL even has an -A option specifically for changing the User-Agent, without having to use -H. Neat, isn't it?!
One thing you can do to break old browsers and prevent them from being used is to require TLS 1.2. To be clear, TLS 1.2 was not designed for this, but only recent browsers and recent operating systems support it, so it is a "natural" exclusion.
"Placing a "CPF" field with verification (validation), which in this case is already inactive."
It is faster to generate a CPF than to generate an MD5; for example, this generates a valid CPF:
<?php
// Generates a syntactically valid CPF: 9 random digits followed by the
// two mod-11 check digits.
function generateCpf(): string
{
    $CPF = '';
    $D10 = $D11 = 0;
    // Generate 9 individual cryptographically secure pseudo-random digits
    for ($i = 0; $i < 9; ++$i)
        $CPF .= random_int(0, 9);
    // Compute the 10th digit
    for ($i = 0; $i < 9; ++$i)
        $D10 += $CPF[$i] * (10 - $i);
    // Append the 10th digit (if 11 - remainder is 10 or more it is 0, otherwise it is the value itself!)
    $CPF .= 11 - ($D10 % 11) >= 10 ? 0 : 11 - ($D10 % 11);
    // Compute the 11th digit
    for ($i = 0; $i < 10; ++$i)
        $D11 += $CPF[$i] * (11 - $i);
    // Append the 11th digit (same rule as above)
    $CPF .= 11 - ($D11 % 11) >= 10 ? 0 : 11 - ($D11 % 11);
    return $CPF;
}
echo generateCpf();
You can generate thousands of CPFs at no cost; a malicious person will simply keep using them and make many requests as normal. The only way would be to check whether the CPF matches the name and other data, and even then a lot of that data can be obtained just by searching Google.
Note: this function was created based on this publication.
Creating a CPF restriction and requiring multiple pieces of data ends up excluding legitimate users. Just like blocking old browsers, it only tends to reduce the number of legitimate visits, with no great benefit. Of course, if you use TLS 1.2 and consequently keep old browsers out, your site will be safer than with SSLv2 and SSLv3, but the blocking itself will bring no benefit.
In addition, anyone who really wants to tamper will be able to use cURL or whatever else, forging a User-Agent, which in fact, if they use such tools, they already forge (and you cannot even tell).
Efficient solutions:
Use X-Frame-Options: for modern browsers it does not allow the iframe, and if you restrict to TLS 1.2 the browser will necessarily support this header.
Set a Content-Security-Policy, which also prevents <iframe> and also XSS.
Create a rate limit: if a single IP sends many requests, block it by preventing new submissions, if that is the case.
Creating fake forms, not visible to humans, as suggested by @Bacco, can be effective.
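The last two items of that list, the per-IP rate limit and the honeypot field, as an added example that is not part of the original answer or of any code the answer links to. It runs a constructed sequence of form submissions through a sliding-window limiter and a hidden-field check; the window size, the limit, the field name `website` and the IP addresses are assumptions chosen for the illustration. Note that nothing here looks at the User-Agent, which, as the curl -A example above shows, the client controls completely.

```python
"""Sliding-window rate limit per client IP plus a honeypot form field,
run over constructed sample submissions."""
from collections import defaultdict, deque

WINDOW_SECONDS = 60          # sliding window length (assumed policy)
MAX_PER_WINDOW = 5           # submissions allowed per IP in one window (assumed policy)
HONEYPOT_FIELD = "website"   # hidden by CSS; a human never fills it (assumed field name)


class SlidingWindowRateLimiter:
    """Keeps, per client IP, the timestamps of the submissions that were counted."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_PER_WINDOW):
        self.window = window
        self.limit = limit
        self._hits = defaultdict(deque)

    def allow(self, ip, now):
        """Return True and record the hit if `ip` is under the limit at time `now`."""
        hits = self._hits[ip]
        # Drop timestamps that have left the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False     # over the limit: refuse without recording
        hits.append(now)
        return True


def classify(request, limiter):
    """Decide what to do with one submission.

    `request` is a dict with "ip" (the TCP peer address, or the address your own
    reverse proxy wrote into X-Forwarded-For; never a header the client chose),
    "t" (seconds) and "form" (the POSTed fields).
    Returns "rate_limited", "honeypot" or "accepted".
    """
    if not limiter.allow(request["ip"], request["t"]):
        return "rate_limited"
    # A filled honeypot means a script blindly populated every input it found.
    if request["form"].get(HONEYPOT_FIELD, "").strip():
        return "honeypot"
    return "accepted"


# Constructed sample traffic (addresses from the documentation ranges):
# one human, one bot hammering the form, one bot that fills every field,
# then the first bot again after the window has expired.
SAMPLE_REQUESTS = (
    [{"ip": "203.0.113.7", "t": 0, "form": {"email": "ana@example.com", "website": ""}}]
    + [{"ip": "198.51.100.9", "t": t, "form": {"email": "x@example.com", "website": ""}}
       for t in range(1, 8)]
    + [{"ip": "198.51.100.10", "t": 3,
        "form": {"email": "y@example.com", "website": "http://spam.example"}}]
    + [{"ip": "198.51.100.9", "t": 70, "form": {"email": "x@example.com", "website": ""}}]
)


def run_sample(requests=SAMPLE_REQUESTS):
    """Run every sample request through a fresh limiter; return the decisions in order."""
    limiter = SlidingWindowRateLimiter()
    return [classify(r, limiter) for r in requests]


if __name__ == "__main__":
    for req, decision in zip(SAMPLE_REQUESTS, run_sample()):
        print(f'{req["ip"]:>14} t={req["t"]:<3} -> {decision}')
```

The same per-IP limit can be enforced at the edge with NGINX's `limit_req_zone` and `limit_req` before the request reaches the application; the honeypot check has to stay in the application, since it needs the form body. Refused submissions are deliberately not recorded, so a blocked client is not punished further for retrying within the same window.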