Wandering Thoughts archives


Stupid web spammer tricks

I'd call these stupid spider tricks, except that these were so visibly committed by web spammers. (In one case they left me their spam, clearly visible.)

  • you cannot take a POST form's form elements, turn them into query parameters, and then try to GET the result.
  • especially if you remove the existing query parameter on the URL of the form's target.
  • you get modest bonus points if you POST your query parameter laden URL instead of GET'ing it. Not enough bonus points to make it work, though.

I have to admire the determined necessary to carefully program your software to do stuff like this. Or, alternately, the gleeful blindness required to ignore the fact that there are two ways of submitting form data, and just implementing the easier one and using it for everything. (In this view, the POST to GET person is at least being consistent; his software may not implement POST at all.)

The existence of these things depress me, because the fact that the web comment spammers do them suggests that they actually work against some blog software. And that's just sad, but then a lot of web software (starting with Apache) is very sloppy about this stuff.

(Accepting POST requests in GET form is especially bad because it opens you up to lovely cross-site attacks if I can so much as persuade you to click on a link. If you think this is obscure, consider how it could be combined with cross-site authentication like OpenID to let it be targeted. Add JavaScript, and I probably don't even need to get you to explicitly click something.)

web/StupidSpammerTricks written at 21:44:08; Add Comment

Page tools: See As Normal.
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.