Is there a way to find out where POST data was sent from?
- mattkenefick
- Forum Newbie
- Posts: 12
- Joined: Tue May 29, 2007 1:01 pm
Since you can set any header to basically whatever you want, how can you allow POST data that comes from your server only. How can you know where it came from?
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
You shouldn't have to care so much. What you should care about is that the data's formats, quantities and various other parts match what you expect. You can do challenge and response type stuff, but it will require JavaScript or another scripting language. There are also tokens, but that is still possible to spoof; marginally harder, but still possible.
Well you could have single use tokens that expire as soon as the server receives the request. If it's a valid token, continue the response, otherwise disregard the request as invalid. You could use an easily hackable seed (such as just MD5 the current date/time), and since it's a single use, it's unlikely that a hacker would be able to use that token in time before it expires.
- mattkenefick
- Forum Newbie
- Posts: 12
- Joined: Tue May 29, 2007 1:01 pm
feyd wrote:
You shouldn't have to care so much. What you should care about is that the data's formats, quantities and various other parts match what you expect. You can do challenge and response type stuff, but it will require JavaScript or another scripting language. There are also tokens, but that is still possible to spoof; marginally harder, but still possible.

The format, quantity, various other data is unimportant. The important part is where it came from. Because I don't actually care what they sent, I'm not even reading it. I just need to know that file X was accessed from a different file on MY server. If file X isn't accessed from my server, it won't read it.
This is why:
There's a Flash file that's going to post to this PHP file. The PHP file just needs to know it's trying to be accessed by the Flash. It doesn't matter at all what the Flash is sending, just the fact that it's trying. I need for the PHP to know that this Flash file is on my server, and not someone else's. The PHP is going to send back relatively sensitive data to the Flash, and if it's on my server... everything will be cool. If it's someone spoofing, then it's not cool.
Make better sense?
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
The Flash file won't be on your server when it sends information. It will be on the user's. The only control you can hope to assert is in supplying some sort of authentication key that is given to the Flash file as it loads and is used by Flash to encrypt, or otherwise sign the data. The problem is, that signing algorithm can be sucked out of the file. Is this really worth all that trouble?
- mattkenefick
- Forum Newbie
- Posts: 12
- Joined: Tue May 29, 2007 1:01 pm
feyd wrote:
The Flash file won't be on your server when it sends information. It will be on the user's. The only control you can hope to assert is in supplying some sort of authentication key that is given to the Flash file as it loads and is used by Flash to encrypt, or otherwise sign the data. The problem is, that signing algorithm can be sucked out of the file. Is this really worth all that trouble?

Well, when I do HTTP_REFERER now, it gives me the link of the SWF file.
If it's on http://example.com/test.swf, and it calls example.com/myScript.php... it will return http://example.com/test.swf when I do the $_SERVER['http_referer'] call.
Unfortunately this is 100% necessary. One way or another, easy or impossible, it has to be done.
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
Unfortunately, HTTP_REFERER is an entirely optional request header. Some browsers don't send it, some routers/firewalls/corporations filter it out. It is easily spoofed too.
I think signing, in some fashion, is your only route unless Flash supports strong encryption and/or you are running this over SSL.
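The single-use token feyd describes above, as an added example that is not code from this thread: the page that embeds the SWF mints a random token into the session and passes it to Flash, and myScript.php accepts it exactly once, never looking at HTTP_REFERER. The function names, the `flash_token` session key and the `token` POST field are assumptions.

```php
<?php
// Added example, not from the thread. Assumed layout: the embedding page calls
// issue_token() and passes the result to the SWF as a FlashVar named "token";
// myScript.php calls consume_token() on the POSTed value before replying.
session_start();

// Called by the page that embeds the SWF: mint an unguessable token (not an
// md5 of the clock, which anyone can reproduce), remember it server-side with
// an expiry, and hand it to the Flash file.
function issue_token(int $ttl_seconds = 120): string {
    $token = bin2hex(random_bytes(16));
    $_SESSION['flash_token'] = ['value' => $token, 'expires' => time() + $ttl_seconds];
    return $token;
}

// Called by myScript.php: the token is good for one request only, so it is
// removed from the session before any check, whether or not the check passes.
function consume_token(?string $presented): bool {
    $stored = $_SESSION['flash_token'] ?? null;
    unset($_SESSION['flash_token']);
    if ($stored === null || $presented === null) {
        return false;
    }
    if (time() > $stored['expires']) {
        return false;
    }
    // Constant-time comparison, so timing does not leak the stored value.
    return hash_equals($stored['value'], $presented);
}

// myScript.php side: HTTP_REFERER is optional and spoofable, so it is ignored
// entirely; only a valid, unexpired, unused token unlocks the response.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!consume_token($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('invalid or expired token');
    }
    header('Content-Type: text/plain');
    echo 'relatively sensitive data goes here';
}
```

This proves the request came through a session that loaded your embedding page within the last two minutes, which is the most the server can establish; as feyd notes, anything the SWF itself carries (including a signing key) can be extracted by the user it runs for.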
- mattkenefick
- Forum Newbie
- Posts: 12
- Joined: Tue May 29, 2007 1:01 pm