1. Software Standards Specification
  2. Software Requirements Definition
  3. Software Best Practices
  4. Input Validation
  5. Output Validation
  6. Cookie Requirements
  7. Access Failure Error Checking
  8. Buffer Overflow
  9. Code Structure
  10. Software Functions
  11. Software Modules
  12. Requirements for Variables
  13. Software Code Comment Requirements
  14. Quality Code Requirements
  15. Software Code Review
  16. Software Code Testing Requirements
  17. Software Change Control

    Security Best Practices

  18. Secure Functional Requirements
  19. Account Creation
  20. Change Password
  21. Forgot Password
  22. Personal Question
  23. Contact Webmaster
  24. CAPTCHA Tests
  25. Answer Verification

Contact Webmaster Recommendations

Whether contacting the webmaster or allowing submission of links to websites, security protection against injection of unwanted material and spamming the site must be a strong consideration. Input validation to protect against content injection must be carefully implemented. Protection against email injection as part of an attempt to send email spam must also be carefully implemented.

Logging attacks

Code for these pages should be written so attacks are detected. When an attack is detected, the user should not be informed. If you have a high degree of confidence that an attack was attempted, the program should behave in a normal manner as though the attempted entry was accepted so the attacker does not know whether they were successful. If they believe they were successful, they may continue to use the same unsuccessful attack and not try others.

When an attack is detected, it should record user information either in a database, file, or inform an administrator by email. The problem with sending emails to inform administrators about every attack is that the number would be so excessive, your program would effectively overwhelm your administrator as if spamming them. It would be wise to only do this for high threats or as a cumulative summary of attacks periodically. Some information that should be recorded include date, time, attacker IP address, and as much attacker client information that is available. This information should be kept for several months or long enough to support an investigation or legal process if either should be required.

Spamming the site protection

Whether contacting the webmaster through a form or using a link submission page to a website, a method of preventing machine entered spam must exist or administrators and webmasters will be overwhelmed with illegitimate requests. A CAPTCHA test could be used to prevent this but many CAPTCHA tests can be defeated. I recommend use of email verification both for contacting the webmaster and submitting sites. Depending upon the nature of the site, it may be better to require a user account on the site to submit links.

A weakness of email verification is that the submitter could sniff the email sent out to an email to be verified and meet the requirements. However, the automation of that type of attack would be more difficult. Hopefully email encryption technology will be created soon in the future which can mitigate this threat.

Use of email verification can be made simpler for users on the site if the site will allow whitelisting and blacklisting of email addresses. This would allow users to enter their already validated email addresses to submit additional links or contact the webmaster additional times. The drawback to this is unless the submission pages are encrypted, a third party could sniff those whitelisted email addresses and use them to submit spam content.