How to prevent people from keep looping HTTP POST to a function?

I am trying to develop a website. The website has a pop-up modal which allows the user to subscribe to our latest promotion. In that modal, we have a textbox to allow users to key in their email.

However, when we look at the HTML code, the HTTP POST URL is visible:

[screenshot of the page's HTML source showing the form's POST URL]

If someone uses this URL and spams HTTP POST requests (see below), unlimited entries can be created in the subscriber database table.

```csharp
// client is an HttpClient instance
for (int a = 0; a < 999999; a++)
{
    var values = new Dictionary<string, string>
    {
        { "email", a + "@gmail.com" }
    };

    var content = new FormUrlEncodedContent(values);
    var response = await client.PostAsync("http://www.example.com/recepticle.aspx", content);
    var responseString = await response.Content.ReadAsStringAsync();
}
```

How can I prevent this from happening? We cannot put a CAPTCHA on it, since this is a subscription to our promotion.

Edit: Please note that an anti-forgery token will not work, because the hacker can download the entire HTML string using GET, get the value from the anti-forgery token field and POST it to the POST URL again, so it will not work; the same anti-forgery token can be used multiple times, so it is not secure.

asked Apr 29 '18 09:04 by ryan1555


2 Answers

You can choose one of the options below to implement what you are looking for.

1- Implement CAPTCHA/reCAPTCHA; it will make sure that requests can't be made using any automated tool. I understand that you don't want to use CAPTCHA, but I still feel you should go with it, as it is the best approach to handle this type of scenario.

2- IP-based restriction: lock out request submissions from one IP for some time.

3- Another option is OTP (one-time password): send the OTP to the email, and only after successful verification register the email.

answered Nov 15 '22 01:11 by PSK
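Options 2 and 3 of the answer above combined in one piece of added example code (not from the original thread or any poster): a per-IP sliding-window limiter in front of the subscribe handler, and a double opt-in step where the subscriber row is only written after a signed confirmation token comes back. `SECRET`, the class and method names, and the limits are assumptions for the example.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Hypothetical server secret for signing confirmation tokens (load from config in practice).
SECRET = b"replace-me-with-a-random-server-secret"

class SubscribeGuard:
    """Per-IP rate limit plus double opt-in: nothing reaches the subscriber
    table until the address owner returns the signed confirmation token."""

    def __init__(self, max_per_window=3, window_seconds=3600, token_ttl=86400):
        self.max_per_window = max_per_window
        self.window = window_seconds
        self.token_ttl = token_ttl
        self.hits = defaultdict(deque)   # ip -> timestamps of recent attempts
        self.subscribers = set()         # confirmed addresses only

    def _sign(self, email, issued):
        msg = f"{email}|{issued}".encode()
        return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

    def request_subscription(self, ip, email, now=None):
        """Sliding-window check (option 2). Returns (accepted, token_or_reason)."""
        now = time.time() if now is None else now
        q = self.hits[ip]
        while q and now - q[0] >= self.window:   # drop attempts outside the window
            q.popleft()
        if len(q) >= self.max_per_window:
            return False, "rate_limited"
        q.append(now)
        issued = int(now)
        # Token to e-mail to the user (option 3); no database row is created here.
        return True, f"{email}|{issued}|{self._sign(email, issued)}"

    def confirm(self, token, now=None):
        """Only a correctly signed, unexpired token creates a subscriber."""
        now = time.time() if now is None else now
        try:
            email, issued, sig = token.rsplit("|", 2)
            issued = int(issued)
        except ValueError:
            return False
        if now - issued > self.token_ttl:
            return False
        if not hmac.compare_digest(sig, self._sign(email, issued)):
            return False
        self.subscribers.add(email)
        return True
```

A flood from one address is capped per window, and unconfirmed submissions never become rows, so the loop in the question can fill at most a short-lived pending list rather than the subscriber table.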


Use AntiForgeryToken. Read more about anti-forgery tokens here.

  1. In your form's Razor view, add an @Html.AntiForgeryToken() as a form field.

    @using (Html.BeginForm())
    {
        @Html.AntiForgeryToken()

        <div class="form-horizontal">
            @*Rest of the form*@
        </div>
    }

  2. In your action method, use the ValidateAntiForgeryToken attribute.

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(MyViewModel form)
    {
        if (ModelState.IsValid)
        {
            // Rest of your code
        }
    }
    
answered Nov 15 '22 01:11 by GuruCharan94