 Preparing for the Script-Form Attack
Gilbert Held
Today we live in an electronic era, with the use of the Internet growing by leaps and bounds. Along with this growth, we have unfortunately witnessed an increase in the distribution of viruses, denial-of-service (DoS) attacks, and the break-in and modification of home pages on Web servers operated by government agencies, commercial organizations, and academia. The purpose of this article is to acquaint readers with a relatively new type of network-based attack that can cost your organization money. I will describe what I call a "script-form" attack, first examining how this attack can occur and then some prevention methods.
Overview
The Web has changed the way many businesses operate. The Web is a valuable place to obtain information and to shop. In addition to mailing brochures, many organizations highly automate their Web presence. Thus, brochure requests generate lists of mailing labels that require little human intervention. When you consider the cost of postage, it is quite possible that every form filled out by an Internet surfer winds up costing more than five dollars when the cost of the brochure, the envelope, and the postage are included as factors.
While it is often difficult to explain the logic behind network attacks, we know they occur, and although I'm hard-pressed to determine why anyone would cause an organization to spend needless funds shipping brochures around the world, it is a vulnerability to consider. Because we live in an era of automation, the repeated completion of a form by a script using a database of names and addresses represents a "script-form" attack and is the focus of this article.
I examined several Web sites offering books, brochures, and other literature. The creation of a script to execute a form was easy to accomplish.
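The repeated, scripted completion of a brochure-request form can be caught on the server side before mailing labels are generated. The following is an added example, not code from the article: it holds requests for manual review once one client exceeds a per-window limit. The log format, the threshold, the window, and all function names are assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

COST_PER_BROCHURE = 5.00  # dollars; the article's rough lower bound per request

# Constructed sample: timestamp, client address, recipient name on the form.
SAMPLE_LOG = """\
2001-03-01T10:00:00 192.0.2.10 Alice Example
2001-03-01T10:00:01 198.51.100.7 Recipient 001
2001-03-01T10:00:02 198.51.100.7 Recipient 002
2001-03-01T10:00:03 198.51.100.7 Recipient 003
2001-03-01T10:00:04 198.51.100.7 Recipient 004
2001-03-01T10:00:05 198.51.100.7 Recipient 005
2001-03-01T10:04:00 203.0.113.5 Bob Example
2001-03-01T10:30:00 192.0.2.10 Carol Example
"""

def parse(line):
    """Split 'timestamp client recipient-name' into typed fields."""
    stamp, client, recipient = line.split(" ", 2)
    return datetime.fromisoformat(stamp), client, recipient

def review_queue(lines, max_per_window=2, window=timedelta(minutes=10)):
    """Return (accepted, held) recipient lists.

    A request is held for manual review when its client has already made
    max_per_window requests (accepted or held) inside the sliding window.
    """
    recent = defaultdict(deque)  # client -> timestamps of recent requests
    accepted, held = [], []
    for line in lines:
        when, client, recipient = parse(line)
        seen = recent[client]
        while seen and when - seen[0] > window:
            seen.popleft()  # forget requests older than the window
        (held if len(seen) >= max_per_window else accepted).append(recipient)
        seen.append(when)  # held attempts still count against the client
    return accepted, held

def avoided_cost(held):
    """Mailing cost not incurred because held requests were never labelled."""
    return len(held) * COST_PER_BROCHURE

if __name__ == "__main__":
    ok, queued = review_queue(SAMPLE_LOG.splitlines())
    print("mail:", ok)
    print("hold:", queued, "cost avoided: $%.2f" % avoided_cost(queued))
```

The client address is a weak key on its own, since many legitimate users can share one proxy or gateway address, so held requests go to a reviewer rather than being discarded.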