I am developing a website which currently is mostly Intranet only and uses custom authentication. The website needs error reporting functionality. I have everything set up already in the back-end (database table, correlation identifiers to track errors starting from my ASP.NET MVC website and down to my WCF services).
When some exception occurs, it gets logged, and the user is shown a feedback form where he can fill in additional details.
The problem is that obviously someone might abuse that error reporting link and start POSTing some rubbish data or maybe even use that link for DoS attacks. I don't want to protect this page with authentication because maybe the user wants to report that he had a problem while logging in.
Now the question is - how do I prevent hackers and evil users from attacking the website through the error report form? Are there any known methods and best practices (except captcha codes which seem a bit inappropriate for corporate business applications)?
I would like to keep the protection as simple as possible - it wouldn't be nice to get another exception in the error reporting form itself.
If the site is intranet-only, why do you have so many hackers and evil users inside your firewall? :-)
Seriously though, you should already be applying best security practices (e.g. prevention against cross-site scripting and SQL injection) even for authenticated users. What if one of them has malware on their computer that causes their browser to post malicious things into web forms after authentication?
For .net developers this series of articles is very good for protecting against the top 10 security threats: http://www.troyhunt.com/2011/12/free-ebook-owasp-top-10-for-net.html
Once you are confident in your global application of these best practices to the code, I don't see why an intranet-only feedback form should present any further issues.