Seçkin Poyraz
front-end/back-end developer since 2011

How to spam online forms and how to prevent that?

published on 02.06.2020, by @seckinthepoyraz

Hello people! In this blog post, I will demonstrate a spam-attack on a web-form and then I will explain ways to prevent it from happening.

You will need basic knowledge of HTML and a programming language you prefer. I will use Python (to demonstrate the attack) and PHP (to demonstrate how to prevent) in this post. So let's get started.

A basic form on a web page looks like this:

When you view the source of that web page you will get a result like this:

Highlighted areas in the image are what we only need to know to spam this form. The action page, and the name of the each element of the form.

We will write a basic Python app that sends POST requests to the Action Page with the data we assign 500.000 times continuously.

When you run this code, your spamming proccess will begin immediately as seen below:

As you can see, it is so easy for anyone to spam any form on any web page. And there are some ways to prevent it:

  • You may use Google's reCaptcha for your form's spam protection for free.
  • You may create your own CSRF (Cross-site Request Forgery) Token and add that value in your form.

I will show how to create a CSRF token and use it on the form.

The function we are going to use to create the CSRF token: The form page: And the POST page:

With this way, you can prevent these malicious attacks on your web form. There are lots of forms on the web without the CSRF protection so I hope people will pay more attention to the form protections.

Thank you for reading this post, see you again soon! Take care!