What is Form Hijacking?

Form Hijacking is the exploitation of vulnerable web forms to send unauthorized email. It is used predominately to send spam emails and uses the server on which the form is hosted to deliver the spam emails. This effectively makes the domain and server that processes the form the spam source allowing the real spam originator to remain anonymous. This can have serious consequences for the hijacked domain including blacklisting of the domain.

Why are Forms Hijacked?

How is a Form Hijacked?

When you submit a form the form input is processed by a script which processes the form data. This processing often involves sending the form input data to an email address. The location of the script that processes the form is included as the action value of the form tag within the form. For example <form action="http://www.mydomain.com/process.php" method="post">. In this example the form processing script would be http://www.mydomain.com/process.php.

Automated robot scripts crawl the internet looking for web forms, following web page links from site to site. When they identify a web form they test the form processing script to see if it is vulnerable to hijacking. The hijacking robot script attempts to send the form processing script a character combination that will corrupt the headers of the form delivery email, this is known as email injection. These headers are basically the email delivery instructions. They can include To: From: Subject: BCC: and a range of other information applied in delivering the email. If the headers can be corrupted it is possible to set these values and the body of the email. This enables a hijacker to send an email with any subject, with any message, including any attachment, to any email address (usually as a BCC) and it is sent by the hijacked server.

This test probing often results in a form delivery email where most of the form field data is set as a random email address for the domain hosting the form ie xhkjh@mydomain.com. Generally multiple tests will be undertaken on a processing script with each test looking for a vulnerability in a different form field. The form field being tested will include not only the random email address but this will be followed by a line break and then the injected email headers. The injected email headers may include a monitoring email address usually as a BCC (Blind Carbon Copy). This an email address monitored by the form hijacker. If the form is vulnerable to hijacking an email will be sent to this address and the hijacker now knows that this form processing script can be compromised and can send spam emails via the hijacked form.

If you view the source of an email you will be able see the full headers. The headers of a hijack test email may include headers that have been injected via a form field similar to:

Content-Type: multipart/mixed; boundary="===============1992989315==\"
MIME-Version: 1.0
Subject: 4e6f1449
To: pcftt@mydomain.com
Bcc: test@hijacker.com
From: pcftt@mydomain.com

This is a multi-part message in MIME format.

Content-Type: text/plain; charset=ISO-8859-1
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

Body message in hijacked form

How I do prevent Form Hijacking?

Use Human Intelligence Identification (hii). Human Intelligence Identification prevents form submissions by automated robots. Human Intelligence Identification only allows form processing if a correct answer to a set question is provided when the form is submitted. The question can be in any format or structure. A script robot cannot interpret the meaning of a text question nor does it have the capacity to provide a correct answer.

Add block spam code to your form processing script to block form submissions that include blocked words or IP Addresses effectively stopping all form spam including automated scripts and user submitted.

Consider the form processing script used for your forms. Most commercially available scripts minimize form hijacking vulnerability, include a range of functional options that can be applied to further increase form security, and undergo continual development to enhance their functionality and security.

If you run a form processing script on your server make sure it minimizes form hijacking vulnerabilities. form1 includes a range of form hijacking pretentative measures.

Additional form processing, spam blocking options and information...

I am very impressed with the functionality of your Business Valuation Model, the lay out and the user friendliness. Your purchasing and registration procedure is also excellent.Robert de Rooy ... thank you for a brilliant and easy to use tax system, you have literally saved me hours and hours of work with simple clicks and drag from my accounting software to BAS-I.C my bas is done.Lisa Groundwater Thank you for this great software!Cedric Franklin This is the best model I have seen in a few decades.Darren Stevenson ...a resounding '1' for excellence. I am pleased with the performance of the software, the ease of use and the overall service. I am glad that I went ahead and ordered it. I plan to make heavy use of it during the rest of my MBA program and in my work life. No doubt I will be purchasing other programs from you. You have what I need.Judy Bottita the software has really simplified my tax and therefore my life! Thanks so much!Gail Tagarro Thanks very much for putting the BAS-I-C software 'out there' - so far it seems terrific and perfect for what I need.Chris Hargreaves I just down loaded the excel version...awesome....thanks so muchEdward M. Rouse great model for small biz and start up!Russell Smith I have my own accounting firm and I must admit that I am very impressed ... IT IS OUTSTANDING.Robert B. Wester, Jr Excellent software program. I have already referred several folks to your site to download the demo. Hopefully, they will turn into sales for you. Good Luck!Anthony Beebe Wow...you're good. Thanks for your help...and the rapid response was greatly appreciated. I think you have a great product; I've been doing 'if/then' scenarios on future options for my company, and it is quite fascinating using your program...You guys were great...exactly what I was looking for...I was very impressed with your customer service...great follow-up and execution. The software is easy to use, as was your web site. Thanks for your software; if I need any business software, I would be happy to look at you guys first. Keep up the good work.Kevin O'Keefe Thanks your program it was great for me starting out in my small business, definitely recommend it for startups.Jayne Bachelor I was greatly impressed...Michelle Lamont Great Software...Art Vedner I'm just starting to use this system for BAS reporting and am enjoying the simplicity and ease of use....I give you guys 5 stars.Jodie Maurer I am very impressed with the model.Jozua Fokker I think you have an excellent product and I look forward to trying some more of your software. I am very pleased!Rod Butler ...the system works great.Lyslei Chirico ...works perfectly.Hendry Buter You have excellent products that have saved me several hours of time. Ease of purchase is excellent. Keep up the good work and keep coming up with improved business models. You are absolutely on the right track.Denis Cowley Now to begin my third year with your excellent system ... How lucky I am to have bought your software. Thank youZoe Harrison Now that I have purchased the program, I honestly believe the price is ridiculously low for the power, utility and results generated by the program.Martin Caplan Just started playing with your software and I like it!Roger Loweth I just purchased your software - it's wonderful.Roger Varner I have been very happy with software purchase and was going to purchase another app... Thanks again for the great software!Frank Brown The Business Valuation software that runs in Excel saved my company a lot of time in evaluating an acquisition candidate. The instructions are clear and straightforward, and the program worked flawlessly.Tom Sweet I have loved your BAS Business Accounts Software and think it's ideal for sole traders (which was the reason I purchased it).Nicole Cornish Great piece of software. It has been a real winner in presentations here already. I have more to explore with it, too.Chad Haight ...I am in the midst (or shall we say was in the midst) of selling my company for a much lower amount...your software is working wonderfully...i think i shall send you a bottle of your favorite...Sean Hawley Love this application! It certainly can improve one's comfort level, especially the small business owner, when talking to the financial people. Seems to me like you can get a quick budget snapshot as well as the business valuation. Thanks again!Stan Shaw I am impressed with your business valuation model.Peter Davies Am really enjoying working with this programme, I am sure within the next week I will be putting an order in. I have found it so easy to use, wish I had known about it years ago, life would have been much easier.Lyn Laycock This spreadsheet has really made my life easy and I have recommended it to my colleagues.Moses Mwanjirah We are very pleased with your Business Valuation Model.Steve Geringer ...very easy to use.Karl Hayes Just purchased your great spreadsheet.Terje Larsen I think it is a very useful spreadsheet and I'm using it and I haven't found anything better and have stopped looking.Antoine Matarasso I am very happy with the Excel valuation model supplied. I think it constitutes good value for money and has been of great help to me in my work.Graham Ireson Well done. It proved very useful for me already.Roland Mechler The program is quite easy to use.Jackquie Grant I still love the software.Jim Dickey Received and working great... Excellent service.Kevin Long ...very user friendly...Abel Acuna I recently purchased a copy of this package and have found it to be extremely helpful as a quick valuation tool...This is a great piece of software...Jim Wendler