Re: Forms | Malicious Data

Andreia_Norsa
Level 4

Forms | Malicious Data

Hi all, can someone help me on how to prevent malicious data filling in our forms like the example below?

pastedImage_1.png 

The malicious data was placed in our token {lead.First Name}.

 

We added the reCaptcha but it does not prevent the submission of the form.

 

I read many articles in the community but didn't find any step-by-step solution. 

 

Please bear in mind that I'm not a developer and my technical knowledge is not advanced. Sorry...

 

Thanks for your help.

Andreia

3 REPLIES 3
TBlane_McMichen
Marketo Employee

Re: Forms | Malicious Data

If you suspect this is being done by an Email Bot...

A potential solution is to use a field (something you don't use or care about the contents) and then add a honeypot field.  Here is an article that explains how it works.  How do I block junk form submissions from my site? 

Then you evaluate the form submissions to see if there is anything in the honeypot field.  If so, you delete the lead record, since it was populated by an Email Bot.

The trick is to figure out how to get the honeypot field into the form tag and hide the display.  I played with a visibility rule to see if Marketo would hide it for me. It does, but it uses a placeholder and not a hidden field that would trick the bot.

SanfordWhiteman
Level 10 - Community Moderator

Re: Forms | Malicious Data

Honeypots don't work. Anybody mildly curious can see your logic (it's right there on the page and on the wire) and pound your form after that.

reCAPTCHA works, but only to prevent bots. An individual human attacker cannot be stopped by reCAPTCHA.

The only way to combat "link smuggling" by human attacker as described here is to escape all untrusted link-like data. See https://blog.teknkl.com/tokens-as-hacker-weapons-1/ 

Andreia_Norsa
Level 4

Re: Forms | Malicious Data

Thanks Sanford Whiteman‌ I will read the blog and come back to you if I have further questions...

Andreia