Testing the Security of Your Website – Part 2
Contact Forms (Cont’d)
The biggest problem with contact forms is that they very commonly have security flaws that let spammers send their messages through your website, so the spam leaves from your server and under your domain. This is a serious problem.
The exact flaw your website might have depends on its particular code, but the general idea is as follows.
By reading the HTML code of the form, the hacker learns the name of the script on your website that handles the submitted data and sends the actual email (it is the one listed in the action of the “form” tag), together with the names of the variables that script expects.
With this information, the hacker can request the script directly, setting the variables to whatever he wants. If the script lets the caller configure the destination email address, the hacker can pass any address he likes to it, which allows him to send spam to anyone.
Let’s say we analyze the HTML code of a form and discover that the script handling it is script.php and that the form has fields called from, to, subject, and text. It is now very easy for the hacker to request https://www.yoursite.com/script.php?from=fromemail@fromdomain.com&to=toemail@todomain.com&subject=CHEAP%20VIAGRA&text=cheap%20Viagra%20at%20my%20website and have your server send an email to “toemail@todomain.com” with the subject “CHEAP VIAGRA” and the text “cheap Viagra at my website.” (The request is shown here as a URL for readability; the same parameters can just as well be sent in a POST body, exactly as the browser would send them.)
We must emphasize that if the contact form script on your website has a security flaw such as this, the hacker can turn your website into a spam relay.
As you can see, contact forms that carry an email address in their HTML code (see Figure 2) are the easiest to exploit, since they already have a variable that sets the destination address. However, even if there is no email address in the HTML code, the script may honor a hidden variable through which the destination can be set. A hacker will certainly request the script directly, trying variable names such as “to” and “email.” If the script allows the external configuration of the destination address at all, you are toast: it is just a matter of time until someone discovers the name of the variable. This is, of course, a major security flaw.
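The flaw described above and its fix, as an added example that is not the page’s own script.php: a Python model of a form handler that returns the message it would hand to the mailer instead of sending it, so the behavior can be checked offline. The vulnerable version takes the recipient from the request (falling back to the owner, so the form still works for ordinary visitors and the hole goes unnoticed); the hardened version uses a fixed recipient and, as an extra check the article does not discuss, refuses line breaks in header fields, since a subject such as “x\r\nBcc: …” would otherwise add recipients through the headers even with “to” fixed. The probe function does what the text says a tester or spammer does: it requests the handler directly with each guessed variable name. The owner address, the list of guessed names and the constructed requests are assumptions for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed fixed recipient for the hardened handler (illustrative address).
SITE_OWNER = "owner@yoursite.com"

# The article's example request, with the recipient parameter spelled out as to=.
ATTACK_URL = ("https://www.yoursite.com/script.php?from=fromemail@fromdomain.com"
              "&to=toemail@todomain.com&subject=CHEAP%20VIAGRA"
              "&text=cheap%20Viagra%20at%20my%20website")


def params_from_url(url):
    """Decode the query string into the dict a handler receives (first value per name)."""
    return {name: values[0] for name, values in parse_qs(urlsplit(url).query).items()}


def vulnerable_handler(params):
    """The flaw in the article: the destination address comes from the request.

    Falls back to the owner only when the caller sends nothing, so visitors see
    a working form and the hole is invisible in everyday use.
    """
    recipient = params.get("to") or params.get("email") or SITE_OWNER
    return {
        "to": recipient,
        "from": params.get("from", ""),
        "subject": params.get("subject", ""),
        "text": params.get("text", ""),
    }


# Loose sanity check for an address; enough to keep junk out of the From header.
_ADDRESS = re.compile(r"^[^\s@]+@[^\s@]+\.[^\s@]+$")


def hardened_handler(params):
    """Fixed version: the recipient is a constant; no request variable can change it.

    Header fields are refused if they contain CR or LF, because a sender or
    subject like "x\\r\\nBcc: victim@example.com" would otherwise add recipients
    through the mail headers even though "to" is fixed (extra check, not from
    the article).
    """
    sender = params.get("from", "")
    subject = params.get("subject", "")
    for field in (sender, subject):
        if "\r" in field or "\n" in field:
            raise ValueError("line break in header field (header injection)")
    if not _ADDRESS.match(sender):
        raise ValueError("sender is not a plausible e-mail address")
    return {
        "to": SITE_OWNER,          # never taken from the request
        "from": sender,
        "subject": subject,
        "text": params.get("text", ""),
    }


# Variable names a tester (or spammer) would guess; assumed list.
PROBE_NAMES = ("to", "email", "recipient", "mailto", "sendto")


def probe(handler, names=PROBE_NAMES):
    """Request the handler directly with each candidate name set to an address the
    tester controls; return the first name that changes the recipient, or None
    if the handler ignores all of them."""
    for name in names:
        request = {"from": "tester@example.com", "subject": "probe",
                   "text": "probe", name: "tester@example.com"}
        if handler(request)["to"] == "tester@example.com":
            return name
    return None


def rejects(handler, params):
    """True if the handler refuses the request outright."""
    try:
        handler(params)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable handler honours:", probe(vulnerable_handler))   # -> to
    print("hardened handler honours:", probe(hardened_handler))       # -> None
    print(vulnerable_handler(params_from_url(ATTACK_URL)))
```

To test your own form the same way, send the form's normal fields plus one guessed name at a time, each pointing at an address you control, and see whether anything arrives there; a handler that only ever mails the address hardcoded in its source will ignore every guess.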
In summary, the script that handles the contact form must not accept external configuration of the destination email address: the recipient belongs in the script’s own code, never in a form field or request variable.
