Hi all, can someone help me on how to prevent malicious data filling in our forms like the example below?
The malicious data was placed in our token {lead.First Name}.
We added the reCaptcha but it does not prevent the submission of the form.
I read many articles in the community but didn't find any step-by-step solution.
Please bear in mind that I'm not a developer and my technical knowledge is not advanced. Sorry...
Thanks for your help.
Andreia
If you suspect this is being done by an Email Bot...
A potential solution is to use a field (something whose contents you don't use or care about) and then add a honeypot field. Here is an article that explains how it works: "How do I block junk form submissions from my site?"
Then you evaluate the form submissions to see if there is anything in the honeypot field. If so, you delete the lead record, since it was populated by an Email Bot.
The trick is to figure out how to get the honeypot field into the form tag and hide the display. I played with a visibility rule to see if Marketo would hide it for me. It does, but it uses a placeholder and not a hidden field that would trick the bot.
Honeypots don't work. Anybody mildly curious can see your logic (it's right there on the page and on the wire) and pound your form after that.
reCAPTCHA works, but only to prevent bots. An individual human attacker cannot be stopped by reCAPTCHA.
The only way to combat "link smuggling" by a human attacker as described here is to escape all untrusted link-like data. See https://blog.teknkl.com/tokens-as-hacker-weapons-1/
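As an added illustration of both answers above (the honeypot check and the point about link-like data in tokens), here is example code that is not from this thread, from Marketo, or from the linked blog: pure helper functions that flag a filled honeypot and a first name an email client would render as a clickable link, plus an optional hook in the shape of a Marketo Forms 2.0 onValidate handler. The field names `FirstName`, `LastName` and `honeypot_field` are assumed.

```javascript
// Example code added to the thread, not Marketo's own. Field names are assumed.

// Matches values an email client would auto-link when merged into a token such
// as {{lead.First Name}}: a scheme, a "www." prefix, or a bare dotted host name.
const LINK_LIKE = /(?:[a-z][a-z0-9+.-]*:\/\/|www\.|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b)/i;

function looksLikeLink(value) {
  return LINK_LIKE.test(String(value));
}

// Escape so a stored value can never become markup when rendered in an email.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

// Returns the reasons a submission should be rejected; an empty list is clean.
function checkSubmission(values, opts = {}) {
  const honeypot = opts.honeypotField || 'honeypot_field';   // assumed field name
  const nameFields = opts.nameFields || ['FirstName', 'LastName'];
  const reasons = [];
  // A hidden field a real visitor never sees is only filled by a bot.
  if (values[honeypot] && String(values[honeypot]).trim() !== '') {
    reasons.push('honeypot filled');
  }
  // A name that is really a URL is the "link smuggling" case from the answer above.
  for (const f of nameFields) {
    if (values[f] && looksLikeLink(values[f])) {
      reasons.push(`${f} contains link-like data`);
    }
  }
  return reasons;
}

// Wire into the Marketo form when one is on the page. whenReady, onValidate,
// getValues and submittable are documented Forms 2.0 calls; the guard keeps
// this file runnable outside a browser.
if (typeof MktoForms2 !== 'undefined') {
  MktoForms2.whenReady(form => {
    form.onValidate(() => {
      const reasons = checkSubmission(form.getValues());
      form.submittable(reasons.length === 0);
    });
  });
}
```

A client-side check only turns away casual abuse; the same checks should run wherever the lead record is processed, and escapeHtml should be applied to any value before it is rendered.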
Thanks Sanford Whiteman, I will read the blog and come back to you if I have further questions...
Andreia