Rate Limiting

Web applications that include form submissions can be vulnerable to brute-force submission attacks that submit the form many times. Many web app vulnerability scanners test web forms by injecting various values and submit the forms to see if there are any possible exploits. The scanner may try many different values, resulting in submitting the form many times.

Attackers can exploit these vulnerabilities, and cause denial of service conditions on the application or associated systems.

Forms that are used to notify an email address are especially sensitive to this, as excessive form submission can cause email floods to inboxes or shared mailboxes.

The solution to protecting your web application forms from both attackers and vulnerability scanners is to implement some verification or limitation on form submissions:

Here are a few ways you can protect your web forms like RSVPs or information request/feedback pages (this list will periodically change):

  • reCaptcha from Google

Drupal modules

Edit the email field in the web form and check both the "mandatory" and "unique" options. That way, it will not accept more than one submission with the same email address.

 

Get Protected | Arizona State University

Contact Us

About
About Us News
Resources
Policies & Standards Remote Work Security Training
Services
DUO Two-Factor Incidence Response Password Services Vulnerability Management
Maps and Locations Jobs Directory Contact ASU My ASU
Repeatedly ranked #1 in innovation (ASU ahead of MIT and Stanford), sustainability (ASU ahead of Stanford and UC Berkeley), and global impact (ASU ahead of MIT and Penn State)
Copyright and Trademark Accessibility Privacy Terms of Use Emergency