I’ve discovered today that I need to write what amounts to malware to test a security feature I incorporated in a Web script. It’s pretty simple, this security feature; the code I’ll have to write to test it will actually be more complex and annoying to write than the code I wrote for the feature itself.
Right about now, this whole thing seems a bit like an irony sandwich.
I’ll probably include such code in a security article at TechRepublic in the near future — both the security feature code and the testing code — especially if I can come up with a solution to the one minor fly in the ointment of using this security feature.
The concept behind it is basically a really simple sort of implicit Turing test: it assumes that anyone who can see and edit a given field in a form is accessing the site improperly. Unfortunately, that’s not necessarily the case, because using a browser that doesn’t support CSS has the same effect as accessing the form as a bot: you’ll see the field. At least the field won’t be visibly labeled for someone accessing the page in Lynx, so it’ll look kind of weird and pointless and hopefully be ignored, but I’d prefer a way to more substantially prohibit or discourage non-bot visitors from using the field.
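Here is the feature as a worked example (added here, not the post's own code, and in Python rather than whatever the Web script is written in): a form with a CSS-hidden trap field and the server-side check that rejects any submission in which that field came back filled in. The field names (`email`, `message`, `website_url`) are assumptions, and it goes one step beyond the post on the non-CSS-browser problem by giving the trap field a fallback label, a tabindex of -1 and autocomplete off, so a Lynx user or an autofill feature is less likely to populate it by accident.

```python
"""Honeypot ("CSS-hidden trap field") check for a form handler.

Added example, not the post's own code. Field names are assumptions:
'email' and 'message' are the real fields; 'website_url' is the trap field
that no human should see (while CSS is in effect) or fill in.
"""
from html import escape

HONEYPOT = "website_url"
REAL_FIELDS = ("email", "message")


def render_form(action="/contact"):
    """Return the form markup with the trap field hidden by CSS.

    CSS-capable browsers never show the div. tabindex="-1" keeps the field
    out of the tab order and autocomplete="off" asks browsers not to fill it,
    which lowers the accidental-fill risk for humans. The label text is the
    fallback for browsers without CSS (Lynx), where the field is visible.
    """
    return (
        f'<form method="post" action="{escape(action)}">\n'
        '  <label>Email <input type="text" name="email"></label>\n'
        '  <label>Message <textarea name="message"></textarea></label>\n'
        '  <div style="display:none">\n'
        f'    <label>Leave this field empty <input type="text" name="{HONEYPOT}"'
        ' tabindex="-1" autocomplete="off"></label>\n'
        '  </div>\n'
        '  <input type="submit" value="Send">\n'
        '</form>\n'
    )


def is_bot_submission(form):
    """True when the trap field came back non-empty.

    A missing key counts as empty: a human's browser submits the field with
    an empty value, so only a filled-in trap field trips the check.
    """
    return form.get(HONEYPOT, "").strip() != ""


def handle_submission(form):
    """Return ('reject', reason) or ('accept', cleaned real fields)."""
    if is_bot_submission(form):
        # Generic error on purpose: say nothing about which field tripped it.
        return ("reject", "submission failed validation")
    return ("accept", {k: form.get(k, "").strip() for k in REAL_FIELDS})


# Constructed sample submissions (not real traffic).
HUMAN = {"email": "a@example.com", "message": "hi", HONEYPOT: ""}
BOT = {"email": "a@example.com", "message": "buy", HONEYPOT: "http://spam.example"}
```

A Lynx user who types into the visible trap field is still rejected, which is exactly the false positive the post describes; the fallback label only makes that less likely, it does not eliminate it.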