[VPM] link 'bot' protection
Matt Elrod
matt at elrod.ca
Mon Feb 23 17:24:36 PST 2009
I sometimes obscure the "action" in my forms with JavaScript.
Obviously you can look at the referrer, but it too can be
easily forged.

You can have your form send a token to your CGI. I sometimes have
the form insert a Unix timestamp in a hidden field and then reject
post data if it comes in too fast or too slow. That is, each
generation of the form is only good for X minutes.

Granted, this technique could be reverse engineered, and the
parasite might insert a valid timestamp in their post data,
but I expect it thwarts most unwelcome accesses.

HTH,
Matt

Jer A wrote:
>
> Thank you for your response.
>
> What can I also do to prevent cross-site scripting... e.g., if someone
> finds the HTML code that references the form CGI script... and calls
> it from their own site, for example... is there anything in Perl that
> would allow client computers access (e.g. surfers), but block other
> domains (websites)?
>
>
> > Date: Mon, 23 Feb 2009 16:31:55 -0800
> > From: semaphore_2000 at yahoo.com
> > Subject: Re: [VPM] link 'bot' protection
> > To: jeremygwa at hotmail.com
> >
> >
> > I think ultimately, that's fighting a rear-guard type of action.
> > There are ways of blocking clients that grab too much too fast (many
> > bots grab lots of pages in a short time so can be detected like that).
> > There are other tricks like that too. But if the scraper or bot is
> > written correctly, and is polite, taking pages slowly, ignores
> > robots.txt and uses a user-agent string that looks like an existing
> > browser, then you'd have a hard time telling. Maybe use JavaScript to
> > present the info so that scrapers that don't use JavaScript can't see it.
> >
> > Anyway, I write web scrapers (er, in Perl - nice, well-behaved bots
> > that do not suck a server's resources) and if you'd like I can help you
> > test. You might try yourself by playing with the CPAN mech-shell perhaps...
> >
> > Doug
> >
> >
> > --- On Mon, 2/23/09, Jer A <jeremygwa at hotmail.com> wrote:
> >
> > > From: Jer A <jeremygwa at hotmail.com>
> > > Subject: [VPM] link 'bot' protection
> > > To: victoria-pm at pm.org
> > > Date: Monday, February 23, 2009, 6:16 PM
> > > Hi all,
> > >
> > > I am designing a website service.
> > >
> > > How do I prevent automated bots and link scrapers and
> > > cross-site scripts from access to the site, without
> > > hindering the user experience, as well as hindering the
> > > performance of the host/server/site?
> > >
> > > My site is not graphic intensive, and I do not think anyone
> > > would be interested in grabbing anything that is graphical,
> > > only Information/Data.
> > >
> > > I have thought of banning IPs by parsing log files,
> > > but what should I look for that is 'fishy'?
> > >
> > > Thanks in advance for all advice/help.
> > >
> > > Regards,
> > > Jeremy
> > >
> > >
> > > Victoria-pm mailing list
> > > Victoria-pm at pm.org
> > > http://mail.pm.org/mailman/listinfo/victoria-pm
> >
> >
> >
>
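
An added example, not part of the original post: a Perl sketch of the hidden-field timestamp check Matt describes, extended with an HMAC so that a timestamp typed in by the client is rejected. The secret, the age limits and the function names are assumptions made for illustration; a token fetched from a fresh copy of the form still verifies until it expires.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumed values for this sketch: load the secret from server-side config.
my $SECRET  = 'replace-with-a-long-random-server-side-secret';
my $MIN_AGE = 3;         # seconds; faster than a person can fill in the form
my $MAX_AGE = 15 * 60;   # seconds; the "X minutes" a form stays valid

# Value for the hidden field: "<unix time>:<HMAC-SHA256 of that time>".
sub make_token {
    my ($now) = @_;
    $now = time unless defined $now;
    return "$now:" . hmac_sha256_hex($now, $SECRET);
}

# Returns (1, 'ok') or (0, reason) for a token received in POST data.
sub check_token {
    my ($token, $now) = @_;
    $now = time unless defined $now;
    return (0, 'malformed')
        unless defined $token && $token =~ /\A(\d{1,12}):([0-9a-f]{64})\z/;
    my ($ts, $mac) = ($1, $2);
    # Compare MACs without stopping at the first differing character.
    my $expected = hmac_sha256_hex($ts, $SECRET);
    my $diff = 0;
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($expected, $_, 1))
        for 0 .. length($expected) - 1;
    return (0, 'bad signature') if $diff;
    my $age = $now - $ts;
    return (0, 'too fast') if $age < $MIN_AGE;   # also rejects future stamps
    return (0, 'expired')  if $age > $MAX_AGE;
    return (1, 'ok');
}

# Constructed demonstration with a fixed issue time.
my $issued = 1_235_438_676;
my $token  = make_token($issued);
(my $forged = $token) =~ s/\A\d+/$issued + 600/e;   # timestamp edited, MAC not
for my $case (
    [ 'normal submit',  $token,  $issued + 45   ],
    [ 'instant submit', $token,  $issued + 1    ],
    [ 'stale form',     $token,  $issued + 3600 ],
    [ 'edited stamp',   $forged, $issued + 620  ],
) {
    my ($label, $tok, $now) = @$case;
    my ($ok, $why) = check_token($tok, $now);
    printf "%-15s %s (%s)\n", $label, $ok ? 'accept' : 'reject', $why;
}
```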