Forum OpenACS Q&A: Response to Bugtraq: cross site scripting

Posted by Tom Jackson on

Assuming that javascript is used to popup a form submission, it could also popup and read the form itself. That implies that any hidden form var used to validate the form would also be available to the javascript program.

One way around this, used on Altavista and other sites now, is to require the user to decode a gif image of some badly distorted letters and numbers. Machines can't do that yet, so requesting the initial form will not help the hacker. Maybe an easier method would be to require gif images of every user, or for every user to supply an image. You have to click on the correct image, matched with a random string, so the form can only be used once. The image could be randomly distorted with each view so you could not easily track the image.

Hmm, how about this: a big gif form button where some spot is marked, and the computer knows the coordinates. Since a form submission will give the clicked coordinates, it might be possible to have a click inside some shape qualify as a correct response. This could also be combined with a unique random variable that allows the form to only be used once.
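The server-side half of the idea in the post above (a one-time random token plus a check that the click landed inside the marked spot), written out as an added example; it is not code from the thread or from OpenACS. The in-memory store, the five-minute lifetime, the circular target shape and the session ids are all assumptions made here; the point it demonstrates is that the token is consumed on first use, bound to the session that requested the form, and that the target coordinates never leave the server, so a script that can read the hidden form fields still learns nothing it can replay.

```python
import secrets
import time

TOKEN_TTL_SECONDS = 300  # assumption: a challenge stays valid for five minutes

# Constructed in-memory store for this example; a real site would keep this
# server-side in the session or a database.
# token -> {"session": session_id, "issued": timestamp, "target": (cx, cy, r)}
_pending = {}


def issue_form_token(session_id, target, now=None):
    """Mint a one-time token for one rendering of the form.

    `target` is the (cx, cy, r) circle around the marked spot on the image
    button. It is stored only on the server; the form carries just the token,
    so reading the form's hidden fields does not reveal where to click.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _pending[token] = {"session": session_id, "issued": now, "target": target}
    return token


def _inside_circle(x, y, target):
    """True when the clicked point (x, y) lies inside the target circle."""
    cx, cy, r = target
    return (x - cx) ** 2 + (y - cy) ** 2 <= r ** 2


def validate_submission(session_id, token, x, y, now=None):
    """Consume the token and check the click. Returns (accepted, reason).

    The token is popped before any other check, so a second submission with
    the same token (a replay) is rejected regardless of its other fields.
    """
    now = time.time() if now is None else now
    record = _pending.pop(token, None)
    if record is None:
        return False, "unknown or already used token"
    # Bind the token to the session that requested the form: a token fetched
    # by one client cannot be spent on behalf of another.
    if not secrets.compare_digest(record["session"], session_id):
        return False, "token issued to a different session"
    if now - record["issued"] > TOKEN_TTL_SECONDS:
        return False, "token expired"
    if not _inside_circle(x, y, record["target"]):
        return False, "click outside the marked spot"
    return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through: one valid use, then the same token replayed.
    tok = issue_form_token("sess-A", target=(40, 20, 8))
    print(validate_submission("sess-A", tok, 42, 23))  # accepted
    print(validate_submission("sess-A", tok, 42, 23))  # rejected as a replay
```

The target must be chosen fresh for every rendering of the form (and the image drawn from it), otherwise a fixed spot can be learned once and reused; the coordinates the browser submits for an image input are relative to the image, so the server compares them against the same coordinate space it used when drawing.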