 

Form Bot Countermeasure Testing

I am a web developer for a web site that is occasionally plagued by form bots. Recently I received an error notification of a problem with the form submission that should be impossible for a human user. You cannot submit the form without JavaScript enabled, but the server-side script received a form field value that the JavaScript validation will not allow.

I suspect that a form bot managed to submit the form without running the JavaScript, but I'm not entirely sure this is the problem because a real user had a similar problem. I know how to use honeypot fields as a countermeasure for form bots, but I need to test my countermeasures. Therefore I need a working form bot to attack my form so I can see what the result would be and verify that my countermeasures will work.

I think you can use PHP with cURL to submit web forms, but I can't find any sample code. I would prefer to use an actual form bot so I can be sure that the honeypot fields aren't easily circumvented.

Does anyone know what is currently being used to attack web forms? How do you test your countermeasures to ensure they are effective?

rsrobbins asked Jun 16 '10 14:06




1 Answer

Personally, I use a Firefox extension called Tamper Data. You submit the form normally, but then you can modify the HTTP parameters (variables, cookies, etc.) before it's sent to the server. That way, you can manually change the validated fields. You could automate it with PHP and cURL...

The thing is, you don't want to run an actual bot against it, because that would only test one (maybe two) methods of breaking your validation. You want to run your own; that way you can test every possible combination that you can think of. If you automate it with PHP/cURL, you could then run the test with every change (an integration test) to verify that you didn't "break" anything... It shouldn't be too hard to write, since the cURL functions are pretty well documented...

ircmaxell answered Oct 05 '22 01:10
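The PHP/cURL integration test the answer suggests, written out as an added example (this is not code from ircmaxell's answer or from the original page). It posts a handful of submissions that a client skipping the JavaScript could send to your own form and checks that the server-side validation, not the browser, rejects the bad ones. The URL, the field names (`name`, `email`, `message`), the honeypot field name `website`, and the rejection signal (a 4xx status or the word "error" in the body) are all assumptions; change them to match your form.

```php
<?php
// Added example: integration test for a form's server-side validation using
// PHP + cURL. Everything below about the target form is an assumption:
//   - form handler at $FORM_URL (placeholder, run against your own test server)
//   - visible fields: name, email, message
//   - honeypot field: website (must be present and empty for a real browser)
//   - the server signals rejection with HTTP 4xx or "error" in the body

$FORM_URL = 'http://localhost:8080/contact.php'; // placeholder URL

// Constructed test cases: what a client that never ran the JavaScript might send.
$cases = [
    'valid submission' => [
        'fields'       => ['name' => 'Alice', 'email' => 'alice@example.com',
                           'message' => 'Hello', 'website' => ''],
        'expectReject' => false,
    ],
    'honeypot filled in' => [
        'fields'       => ['name' => 'Bot', 'email' => 'bot@example.com',
                           'message' => 'Buy now', 'website' => 'http://spam.example'],
        'expectReject' => true,
    ],
    'value the JS validation would block' => [
        'fields'       => ['name' => 'Bob', 'email' => 'not-an-email',
                           'message' => '', 'website' => ''],
        'expectReject' => true,
    ],
    // A browser always sends the (empty) honeypot; a client that drops unknown
    // fields does not. Treating the missing field as a rejection is a design
    // choice assumed here, not something the answer prescribes.
    'honeypot field missing entirely' => [
        'fields'       => ['name' => 'Carol', 'email' => 'carol@example.com',
                           'message' => 'Hi'],
        'expectReject' => true,
    ],
];

// POST the fields exactly as a browser would (application/x-www-form-urlencoded).
function submitForm(string $url, array $fields): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_HTTPHEADER     => ['Content-Type: application/x-www-form-urlencoded'],
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException('cURL error: ' . $err);
    }
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return ['status' => $status, 'body' => $body];
}

// Assumed rejection signal; adapt to how your handler actually reports errors.
function wasRejected(array $response): bool
{
    return $response['status'] >= 400 || stripos($response['body'], 'error') !== false;
}

$failures = 0;
foreach ($cases as $label => $case) {
    $response = submitForm($FORM_URL, $case['fields']);
    $ok = (wasRejected($response) === $case['expectReject']);
    printf("%-40s HTTP %d  %s\n", $label, $response['status'], $ok ? 'PASS' : 'FAIL');
    if (!$ok) {
        $failures++;
    }
}
// Non-zero exit lets a CI job fail the build when validation regresses.
exit($failures === 0 ? 0 : 1);
```

Run it against a local or staging copy of the site after every change to the form handler. Any case marked `FAIL` means the server accepted input that only the JavaScript layer was stopping, which is exactly the gap a bot that never executes the page's scripts will walk through.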