Email Marketing Tool

SilvyaT
Participant

SECURITY ISSUE - Forms seems to be subject to input validation issue

SOLVE

Hi,

 

we have been using the HubSpot integration (forms) for demo request,

we love HubSpot but recently some treat actors started using the platform to inject malicious code and sent malicious email to other users using the form

 

we trying to prevent this behaviour with notification (if you have not raised a request ignore this email) 

 

Nonetheless, the forms have input validation issues; a malicious actor can inject HTML tags in names and other fields where there should never be space for those as they get interpreted.

 

for now we have a workaround via zapier to send all the emails but of course this is expensive and suboptimal 

0 Upvotes
1 Accepted solution
Jnix284
Solution
Most Valuable Member | Diamond Partner
Most Valuable Member | Diamond Partner

SECURITY ISSUE - Forms seems to be subject to input validation issue

SOLVE

Hi @SilvyaT as far as I'm aware, validation rules can't be added to existing fields.

 

To add validation rules, you'd have to do the following:

 

1 - create a custom property (ex: "validated form first name")

2 - create a workflow that triggers on form submission

2.a - the first step would be to copy the value from "validated form first name"

2.b - and set it for the default "first name" value

 

By creating the workflow, you can use the validated form fields in the background and have the default properties updated automatically. This same workflow could also filter out any spam submissions if you add a honeypot field (for bots that are submitting forms that don't include a script or special character).

 


If my reply answered your question please mark it as a solution to make it easier for others to find.



Jennifer Nixon - Director of Revenue Operations at WORQFLOW

connect with Jen on Linkedin

View solution in original post

0 Upvotes
11 Replies 11
SilvyaT
Participant

SECURITY ISSUE - Forms seems to be subject to input validation issue

SOLVE

add validation rules and replace the field with new field? can validation rule be added to default fields? 

0 Upvotes
Jnix284
Solution
Most Valuable Member | Diamond Partner
Most Valuable Member | Diamond Partner

SECURITY ISSUE - Forms seems to be subject to input validation issue

SOLVE

Hi @SilvyaT as far as I'm aware, validation rules can't be added to existing fields.

 

To add validation rules, you'd have to do the following:

 

1 - create a custom property (ex: "validated form first name")

2 - create a workflow that triggers on form submission

2.a - the first step would be to copy the value from "validated form first name"

2.b - and set it for the default "first name" value

 

By creating the workflow, you can use the validated form fields in the background and have the default properties updated automatically. This same workflow could also filter out any spam submissions if you add a honeypot field (for bots that are submitting forms that don't include a script or special character).

 


If my reply answered your question please mark it as a solution to make it easier for others to find.



Jennifer Nixon - Director of Revenue Operations at WORQFLOW

connect with Jen on Linkedin

0 Upvotes
PamCotton
Community Manager
Community Manager

SECURITY ISSUE - Forms seems to be subject to input validation issue

SOLVE

Hello @SilvyaT, Happy Monday!

 

Thank you for posting in our Community!

 

 Are you currently using the Block free email providers feature in a HubSpot form? There is also a feature that allows you to block form or pop-up form submissions from specific email domains. ( More information here).

 

You can prevent visitors with email addresses containing specific domains from submitting your HubSpot form or pop-up form. To further protect your forms from spam submissions, learn how to enable CAPTCHA on your forms

 

To our top experts, @Jnix284@JustinPerkinsC @Jigar_Thakker any recommendations or workarounds to @SilvyaT?

 

Thank you,

Pam

Você sabia que a Comunidade está disponível em outros idiomas?
Participe de conversas regionais, alterando suas configurações de idioma !


Did you know that the Community is available in other languages?
Join regional conversations by changing your language settings !




SilvyaT
Participant

SECURITY ISSUE - Forms seems to be subject to input validation issue

SOLVE

Hi This will not work for sql injection or other attacks.

 

attackers can use the First and Last name to send email in a domain owner behalf to other users with injections or other things in the Name and last name like (click here) . is it possible to raise this with security? 

0 Upvotes
SilvyaT
Participant

SECURITY ISSUE - Forms seems to be subject to input validation issue

SOLVE

Find below some example of the fields with injection potential (example <h1> to modify the font)

 

The formThe formthe email outputthe email outputdomain validation passed (from a user)domain validation passed (from a user)injection in fieldsinjection in fieldsScreenshot 2023-12-10 at 4.17.48 pm.pngfilter in zapierfilter in zapierno way to filter in hubspotno way to filter in hubspot

0 Upvotes
Jnix284
Most Valuable Member | Diamond Partner
Most Valuable Member | Diamond Partner

SECURITY ISSUE - Forms seems to be subject to input validation issue

SOLVE

@SilvyaT it has to be done when you create the property, so you'd need to create custom properties and map them to the defaults with a workflow, but you can set form field validation rules to "don't allow special characters" which will limit the ability to add code.

 

this knowledge base article has more info about form spam management

 


If my reply answered your question please mark it as a solution to make it easier for others to find.



Jennifer Nixon - Director of Revenue Operations at WORQFLOW

connect with Jen on Linkedin

0 Upvotes
SilvyaT
Participant

SECURITY ISSUE - Forms seems to be subject to input validation issue

SOLVE

Hi Jennifer

 

thanks for the update we'll look into it, but wouldn't those character of HTML script be disabled by default? those are dangerous script that have no place in a Name field? 

0 Upvotes
Jnix284
Most Valuable Member | Diamond Partner
Most Valuable Member | Diamond Partner

SECURITY ISSUE - Forms seems to be subject to input validation issue

SOLVE

@SilvyaT not by default that I know of, but another option would be to add a honeypot - a hidden form field that human users can't see, but bots do.

If the form submission includes a value in the hidden form field, you'll know it's spam (you can use a workflow to automate this).

 

Are you actively receiving form submissions with scripts or are you just testing?

 

I've had other users ask about this in the past, but have only seen fake tests go through, I've never seen a malicious script make it through - whether someone has tried is unknown, but that's across hundreds of accounts.

 


If my reply answered your question please mark it as a solution to make it easier for others to find.



Jennifer Nixon - Director of Revenue Operations at WORQFLOW

connect with Jen on Linkedin

0 Upvotes
SilvyaT
Participant

SECURITY ISSUE - Forms seems to be subject to input validation issue

SOLVE

hi, those rules seesm to be blocked

Screenshot 2023-12-11 at 7.22.27 pm.png

0 Upvotes
Jnix284
Most Valuable Member | Diamond Partner
Most Valuable Member | Diamond Partner

SECURITY ISSUE - Forms seems to be subject to input validation issue

SOLVE

@SilvyaT as I mentioned, you can't add rules to existing fields. New custom fields would have to be created. Validation rules are new, so I'm not sure if that's why it is limited to new fields only.

 


If my reply answered your question please mark it as a solution to make it easier for others to find.



Jennifer Nixon - Director of Revenue Operations at WORQFLOW

connect with Jen on Linkedin

0 Upvotes
SilvyaT
Participant

SECURITY ISSUE - Forms seems to be subject to input validation issue

SOLVE

Happy new year

 

Thanks. Do you any plan when those will be rolled out for all the fields

we have a lot of forms and this would really help from security perspective 

0 Upvotes