What is Form Hijacking?
Form Hijacking is the exploitation of vulnerable web forms to send unauthorized email. It is used predominately to send spam emails and uses the server on which the form is hosted to deliver the spam emails. This effectively makes the domain and server that processes the form the spam source allowing the real spam originator to remain anonymous. This can have serious consequences for the hijacked domain including blacklisting of the domain.
Why are Forms Hijacked?
- Originators of spam email do not want to be identified. By having spam sent from an unrelated server the spammers identity is hidden, the email is delivered by the hijacked server.
- Using someone else's server to send spam emails costs nothing because the owner of the hijacked server is paying for the transmission bandwidth used.
- The spammer domain remains anonymous and will not be blacklisted or blocked. The spam comes from the hijacked domain / server.
- If a hijacked domain / server becomes blocked the spammer can simply continue spam delivery by hijacking a different domain / server.
How is a Form Hijacked?
When you submit a form the form input is processed by a script which processes the form data. This processing often involves sending the form input data to an email address. The location of the script that processes the form is included as the action value of the form tag within the form. For example <form action="http://www.mydomain.com/process.php" method="post">. In this example the form processing script would be http://www.mydomain.com/process.php.
Automated robot scripts crawl the internet looking for web forms, following web page links from site to site. When they identify a web form they test the form processing script to see if it is vulnerable to hijacking. The hijacking robot script attempts to send the form processing script a character combination that will corrupt the headers of the form delivery email, this is known as email injection. These headers are basically the email delivery instructions. They can include To: From: Subject: BCC: and a range of other information applied in delivering the email. If the headers can be corrupted it is possible to set these values and the body of the email. This enables a hijacker to send an email with any subject, with any message, including any attachment, to any email address (usually as a BCC) and it is sent by the hijacked server.
This test probing often results in a form delivery email where most of the form field data is set as a random email address for the domain hosting the form ie firstname.lastname@example.org. Generally multiple tests will be undertaken on a processing script with each test looking for a vulnerability in a different form field. The form field being tested will include not only the random email address but this will be followed by a line break and then the injected email headers. The injected email headers may include a monitoring email address usually as a BCC (Blind Carbon Copy). This an email address monitored by the form hijacker. If the form is vulnerable to hijacking an email will be sent to this address and the hijacker now knows that this form processing script can be compromised and can send spam emails via the hijacked form.
If you view the source of an email you will be able see the full headers. The headers of a hijack test email may include headers that have been injected via a form field similar to:
Content-Type: multipart/mixed; boundary="===============1992989315==\"
This is a multi-part message in MIME format.
Content-Type: text/plain; charset=ISO-8859-1
Body message in hijacked form
How I do prevent Form Hijacking?
Use Human Intelligence Identification (hii). Human Intelligence Identification prevents form submissions by automated robots. Human Intelligence Identification only allows form processing if a correct answer to a set question is provided when the form is submitted. The question can be in any format or structure. A script robot cannot interpret the meaning of a text question nor does it have the capacity to provide a correct answer.
Add block spam code to your form processing script to block form submissions that include blocked words or IP Addresses effectively stopping all form spam including automated scripts and user submitted.
Consider the form processing script used for your forms. Most commercially available scripts minimize form hijacking vulnerability, include a range of functional options that can be applied to further increase form security, and undergo continual development to enhance their functionality and security.
If you run a form processing script on your server make sure it minimizes form hijacking vulnerabilities. form1 includes a range of form hijacking pretentative measures.
Additional form processing, spam blocking options and information...