Chad Perrin: SOB

22 July 2009

writing malware, kinda

Filed under: Geek,Security — apotheon @ 05:18

I’ve discovered today that I need to write what amounts to malware to test a security feature I incorporated in a Web script. It’s pretty simple, this security feature; the code I’ll have to write to test it will actually be more complex and annoying to write than the code I wrote for the feature itself.

Right about now, this whole thing seems a bit like an irony sandwich.

I’ll probably include such code in a security article at TechRepublic in the near future — both the security feature code and the testing code — especially if I can come up with a solution to the one minor fly in the ointment of using this security feature.

The concept behind it is basically a really simple sort of implicit Turing test, assuming that anyone who can see and edit a given field in a form is accessing the site improperly. Unfortunately, that’s not necessarily the case, because using a browser that doesn’t support CSS will have the same effect as accessing the form as a bot: you’ll see the field. At least the field won’t be visibly labeled for someone accessing the page in Lynx, so it’ll appear kind of weird and pointless and hopefully be ignored, but I’d prefer a way to more substantially prohibit or discourage using the field for non-bot visitors.
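The check described above, as an added example that is not the post's own code: the field is hidden with a stylesheet rather than with `type="hidden"`, so a submitter that ignores CSS sees an ordinary text input, and the server rejects any submission where that field carries a value. The field name `website_url`, the CSS class `hp-field`, the form layout and the sample submissions are all assumptions made for this example. It also shows one way around the no-CSS problem the post mentions: a label that tells a human to leave the field empty, which is itself hidden by the same stylesheet rule.

```python
"""Honeypot form-field check. Added example, not code from the original post.
The field name, CSS class and sample submissions are assumptions for this demo."""
from html import escape

# Assumed field name: something a form-filling script would want to populate.
HONEYPOT_FIELD = "website_url"


def render_form(action="/comment"):
    """Return the form HTML.

    The honeypot row is hidden by a CSS rule, not by type="hidden", so a
    scripted submitter that ignores stylesheets still sees a normal text
    input. The instruction label is only visible to a visitor whose browser
    does not apply the stylesheet (e.g. Lynx), which is exactly who needs it.
    """
    return f"""<style>.hp-field {{ display: none; }}</style>
<form method="post" action="{escape(action)}">
  <label for="name">Name</label>
  <input id="name" name="name" type="text">
  <div class="hp-field">
    <label for="{HONEYPOT_FIELD}">Leave this field empty</label>
    <input id="{HONEYPOT_FIELD}" name="{HONEYPOT_FIELD}" type="text"
           autocomplete="off" tabindex="-1">
  </div>
  <textarea name="body"></textarea>
  <button type="submit">Post</button>
</form>"""


def looks_like_bot(form):
    """Server-side check: true if the honeypot carries any non-blank value.

    Whitespace-only is treated as empty so a stray space from a human using a
    text browser does not get them rejected.
    """
    return bool(form.get(HONEYPOT_FIELD, "").strip())


def handle_submission(form):
    """Return (status, message) the way a small web handler might.

    A tripped honeypot gets the same generic 200 response a real comment would,
    so the submitter learns nothing about which field caused the discard.
    """
    if looks_like_bot(form):
        return (200, "Thanks for your comment.")  # silently discarded
    if not form.get("body", "").strip():
        return (400, "Comment body is required.")
    return (200, "Comment accepted.")


# Constructed sample submissions for the demo.
HUMAN = {"name": "alice", "body": "Nice post.", HONEYPOT_FIELD: ""}
NO_CSS_HUMAN = {"name": "bob", "body": "Hi from Lynx", HONEYPOT_FIELD: "   "}
BOT = {"name": "x", "body": "buy now", HONEYPOT_FIELD: "http://example.invalid"}

if __name__ == "__main__":
    print(render_form())
    for label, f in (("human", HUMAN), ("no-css human", NO_CSS_HUMAN), ("bot", BOT)):
        print(label, handle_submission(f))
```

Logging the discarded submissions separately (rather than just dropping them) is worth doing in practice: a sudden run of humans in the discard log is the signal that the hidden label is not being seen and the field needs a different treatment.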

Meh.

2 Comments

  1. I suppose you could add some text (that’s also normally invisible) instructing users not to fill in the field. I don’t think a bot would be able to parse and understand those instructions.

    Comment by Chip Camden — 23 July 2009 @ 09:55

  2. You’re probably right. I thought of that, but I was feeling a little paranoid about making the instructions visible to a bot.

    Comment by apotheon — 23 July 2009 @ 10:47


All original content Copyright Chad Perrin: Distributed under the terms of the Open Works License