
Do form submissions by spam bots ever pose a security risk? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.

This question does not appear to be about programming within the scope defined in the help center.

Closed 7 years ago.


A spam bot has found my sign-up form and is filling my database with spam submissions. The form is a basic asp.net registration that creates a new membership user and captures account information such as name, address, phone, etc. Rather than implement a captcha I plan to try a honeypot field. However, my question is not about prevention* but rather about security. What potential risk does form spam pose? I already parameterize all of my SQL to handle the obvious SQL injection stuff. What are the other risks? Is anyone aware of how one might use a bot to attack a site through the site's form(s)? When do spam submissions represent more than just spam?

*Here are some posts related to prevention for anyone who is interested:

fighting spam bots

How to deal with botnets and automated submissions

When the bots attack!


Any security risks you may have are completely independent of whether the form is being submitted in bulk.

The only new security risk relates to what happens if the bots fill up your disk.


I guess one problem could be the kind of spam they post. If they post links to other websites which in turn try to infect the visitor with malware, it doesn't pose a direct threat to your site but to your visitors.

You should also make sure they can't insert scripts etc to prevent XSS.

XSS on wikipedia


From a security perspective, this is really a question about how secure your website is in general. Yes, a spambot could exploit vulnerabilities but then so could any user, be they human or robot.

You mentioned parametrisation of SQL which is a good start, try these as well:

  1. Are you validating all input against a whitelist of trusted values?
  2. Are you applying the principle of least privilege and not allowing the SQL account public users connect with to do more than it needs? (more on that here)
  3. Are you output encoding every piece of data when it's presented back via the UI?

If you're doing all this then you're in good shape security wise. Dealing with the inconvenience created by bots is another issue altogether.
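The checklist in this answer (whitelist validation, output encoding) and the XSS concern raised in the previous answer can be shown together in a small piece of C#. This is an added example, not code from the question or any of the answers: the field names, the regex patterns and the honeypot field name `website` are assumptions chosen for illustration, and the class has no dependency on the ASP.NET membership API so it compiles as a plain console program.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text.RegularExpressions;

// Added example (not from the original question or answers): whitelist
// validation of registration fields, a honeypot check, and HTML output
// encoding. Field names and patterns are assumptions for illustration.
public sealed class RegistrationValidator
{
    // Whitelist patterns: accept only what a legitimate value can look like,
    // instead of trying to blacklist "dangerous" characters.
    private static readonly Dictionary<string, Regex> Whitelist = new Dictionary<string, Regex>
    {
        { "name",    new Regex(@"^[\p{L} .'-]{1,60}$") },
        { "phone",   new Regex(@"^\+?[0-9 ()-]{7,20}$") },
        { "address", new Regex(@"^[\p{L}\p{N} ,.#/'-]{1,120}$") },
    };

    // Honeypot field (assumed name): hidden from humans by CSS, so any
    // value in it means the submission came from a bot.
    private const string HoneypotField = "website";

    // Returns the list of validation failures; empty means the submission is acceptable.
    public static IList<string> Validate(IDictionary<string, string> form)
    {
        var errors = new List<string>();

        if (form.TryGetValue(HoneypotField, out var trap) && !string.IsNullOrEmpty(trap))
        {
            errors.Add("honeypot field was filled in");
            return errors;
        }

        foreach (var kv in Whitelist)
        {
            if (!form.TryGetValue(kv.Key, out var value) || !kv.Value.IsMatch(value))
            {
                errors.Add($"field '{kv.Key}' failed whitelist validation");
            }
        }
        return errors;
    }

    // Output encoding happens at render time, not at storage time, so the
    // stored value stays intact and every UI path encodes for its own context.
    public static string RenderRow(string name)
    {
        return "<td>" + WebUtility.HtmlEncode(name) + "</td>";
    }

    public static void Main()
    {
        // Constructed sample submission of the kind a spam bot sends.
        var spam = new Dictionary<string, string>
        {
            { "name",    "<script>alert(1)</script>" },
            { "phone",   "http://example.invalid" },
            { "address", "Buy now" },
            { "website", "http://example.invalid" },
        };
        foreach (var e in Validate(spam)) Console.WriteLine("rejected: " + e);

        // Constructed legitimate submission.
        var good = new Dictionary<string, string>
        {
            { "name",    "Ada Lovelace" },
            { "phone",   "+44 20 7946 0000" },
            { "address", "12 Example St, Unit #3" },
        };
        Console.WriteLine(Validate(good).Count == 0 ? "accepted" : "rejected");

        // Even if a script tag reached the database, encoding neutralises it on output.
        Console.WriteLine(RenderRow("<b>Bob</b>"));
    }
}
```

The honeypot check short-circuits before the field checks so that bot traffic costs as little as possible, while the whitelist and encoding steps apply to every submission regardless of who sent it, which is the point of this answer: the controls do not depend on whether the sender is human or a bot.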
