Looking for a Form Validation Test - forms

I am trying to find a way to test and verify my form validation is doing all it can to protect me from script injections. Is there a tool that I can use to test and verify my forms for any known vulnerabilities.

Are you talking about Webdevelopment?
You should prevalidate your forms using javascript or jquery logic. But this will not bring you any security, it will just reduce server traffic, because non valid forms will not be send to the server doing so.
Further more you have to validate your forms at the server using php or what ever you use on server side.
Do not forget to use htmlspecialchars whenever you display variable input values to be aware of xss attacks.
Use mysqlrealescapestring or some escaping for the dbs you are using. If you use an orm escaping is mostly done automaticly.
you asked for a tool? you can use the zend framework, it is complicated but it has some form validation automatisms.
E.g: you can validate ISBN numbers, email addresses or bar codes with it automatically.

I noticed this question was never answered well enough for me to except an answer. I ended up using a form fuzzer. A browser add on like this https://addons.mozilla.org/en-US/firefox/addon/immuniweb-self-fuzzer/ will enter data into the form inputs and try to break your form validation inputing various kinds of data. Best to work on a development/sandbox type environment since the data input an potentially destroy your database.

Related

Form creation interface and simple back-end, should I go for CMS or is there a better option?

I often need to create similar, but very long HTML forms for a client. The forms contain some inter-dependent fields and lot of validations. Some images also need to be uploaded.
Then the client needs to check the database in the CPanel and export it from there.
I want to create something with easy interface which can create complicated forms. Also, client is asking for easy-to-operate back end. The CMS option looks like an overkill. I want to keep the site as lightweight as possible because of performance requirement.
Please suggest me the best path I should take. Should I try to develop everything from scratch? Should I use a CMS? Is there any particular CMS more suitable for the task?
We use ChronoForms along with Joomla 3.1 to create such forms. It has two modes, an easier one that limits the functionality but creation of forms is much easier. The other one offers the full capabilities of the engine but requires manual steps to do even simple things.
Having said that, ChronoForms is the most powerful web based forms designer I have come across. It seems they also support Wordpress now.
They have a drag-drop mechanism to design the forms. Validations are easy to do via check boxes for the standard ones. You can save the results into database tables, send emails, redirect users to specific pages, add captchas.
The backend allows you to view the records and create new tables based on the fields of the form. You can also export the result as CSV.

How to make registration via API be able only for humans?

I making web service (JSON), and web site, which uses this service. And this web site uses service function "register" to register users in web site. And I dont want to make captcha because its boring to type and easy to make mistakes while typing and I just can to loose my customers while registration procedure. So its easy to make application that will register [user00000#haha.com .. user99999#hehe.com] rage of fake accounts. How to avoid this without typing CAPTCHA?
Thanks in advance
There are a few different approaches you can use, or a combination of them:
You can have your users perform basic math instead of the CAPTCHA.
You can also use javascript to detect bots, since bots typically use straight HTTP requests, however client-side javascript requires a real browser in order to execute:
http://www.kalzumeus.com/2010/06/07/detecting-bots-in-javascrip/
There are some nice alternatives to CAPTCHA, for example this and this and this and this (btw, you can find different alternative-CAPTCHAs here - not all of them are "hard" to use!).
Also, there are some alternative CAPTCHAs that instead of displaying twisted characters - give you a simple arithmetic equation, for example: 3+7= and you have to type in the correct result.

How do you handle multiple files in a form submission using Apache2::Upload?

I'm writing a small web application using Perl, HTML::Mason and Apache.
I've been using Mason's usual <%args> method for receiving 'normal' form parameters, and Apache2::Upload for receiving files.
However, I want to write a page that allows a user to upload multiple files, and I'd like to take advantage of HTML5's multiple attribute to input fields. This will look to the server as though there were multiple file inputs in the form with the same name.
The interface for Apache2::Upload doesn't seem to directly support this, allowing you instead to just get the data for a file with a particular parameter name. The documentation alludes to using APR::Request::Param::Table, but I can't find any documentation for doing that.
Please note that I'm not interested in answers that involve adding extra file input fields with different names. This is trivial to handle on the server, and my question doesn't involve front-end scripting at all.
Use the multiple attribute (in the form as you described) and then, after submission, call the Apache request object's upload method. That will give you a list of Apache2::Upload instances.
Good luck!

Looking for an email/report templating engine with database backend - for end-users

We have a number of customers that we have to send monthly invoices too. Right now, I'm managing a codebase that does SQL queries against our customer database and billing database and places that data into emails - and sends it.
I grow weary of maintaining this every time we want to include a new promotion or change our customer service phone numbers. So, I'm looking for a replacement to move more of this into the hands of those requesting the changes.
In my ideal world, I need :
A WYSIWYG (man, does anyone even say that anymore?) email editor that generates templates based upon the output from a Database Query.
The ability to drag and drop various fields from the database query into the email template.
Display of sample email results with the database query.
Web application, preferably not requiring IIS.
Involve as little code as possible for the end-user, but allow basic functionality (i.e. arrays/for loops)
Either comes with it's own email delivery engine, or writes output in a way that I can easily write a Python script to deliver the email.
Support for generic Database Connectors. (I need MSSQL and MySQL)
F/OSS
So ... can anyone suggest a project like this, or some tools that'd be useful for rolling my own?
(My current alternative idea is using something like ERB or Tenjin, having them write the code, but not having live-preview for the editor would suck...)
I think your looking for a reporting tool which is also capable of sending email. Sending a generared report in html or pdf shouldn't be to hard to do as well.
I've used JasperReports in the past for which I think it should fit your needs.
Another good solution is the pentaho reporting tool
You could easily write something on your own.. give them a basic edit control and allow them to use psuedo variables like {customername} {anothercustomerattribute} within the mail body.
On submit either send directly or save as template.
When the template is sent away the script automatically parses stuff like {customername} into the real customers name from the database.
Your own very very simple custom scriptlanguage :)
Everything else like loops and so on would be maintained on serverside. And if you want particular groups of customers to receive the letter, allow the enduser to select from selectboxes or whatever and do the rest on the serverside with pre-defined rules.

GWT interfering with XSS preventative measures

I'm currently in the process of developing a GWT 1.7.1 application that deals with a significant amount of persistent, user generated data so there is a risk of malicious XSS. One of the steps I am taking to prevent this is using org.apache.commons.lang.StringEscapeUtils.escapeHtml() server-side (Yes I am well aware that this will not prevent all possible XSS attacks as mentioned here and here).
This approach is causing a client-side problem since it appears that GWT is performing it's own client-side escaping (e.g. The server returns the string “Alice & Bob Inc.” and “Alice &amp; Bob Inc.” is being rendered to the DOM which is incorrect). This is definitely happening client-side as the http response from the server contains the correctly encoded data. I have been going through the documentation for GWT and haven't found any reference to this feature. Is anyone aware of a way of disabling this behaviour?
How are you adding the value the server returns to the page? Could you be adding at as text? If you are sure the String is safe you can add it as HTML (there is usually an option for HTML) or specific Widgets like HTML.
btw Usually best not to return HTML encoded values from the server as you don't know how you may want to use them. I use the rule that you keep the values in their clean format till the last minute (adding to the document etc).