
Is there a way to find out where POST data was sent from?

Posted: Mon Jul 09, 2007 6:12 pm
by mattkenefick
Since you can set any header to basically whatever you want, how can you allow POST data that comes from your server only? How can you know where it came from?

Posted: Mon Jul 09, 2007 6:21 pm
by feyd
You shouldn't have to care so much. What you should care about is that the formats, quantities and various other parts of the data match what you expect. You can do challenge and response type stuff, but it will require Javascript or other scripting language. There are also tokens, but that is still possible to spoof; marginally harder, but still possible.

Posted: Mon Jul 09, 2007 7:55 pm
by TheMoose
Well you could have single use tokens that expire as soon as the server receives the request. If it's a valid token, continue the response, otherwise disregard the request as invalid. You could use an easily hackable seed (such as just MD5 the current date/time), and since it's a single use, it's unlikely that a hacker would be able to use that token in time before it expires.
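The single-use, expiring token described above, as an added example that is not part of the original post; it swaps the MD5-of-date/time seed for `random_bytes()` so the value cannot be guessed, and a valid token shows only that the client recently loaded a page from this server. The `TokenStore` class, its in-memory array, the 60-second lifetime and delivery via FlashVars are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical in-memory store; a real deployment would keep this in the
// session or a database so it survives between requests.
final class TokenStore
{
    /** @var array<string,int> sha256(token) => expiry timestamp */
    private array $pending = [];

    public function __construct(private int $ttlSeconds = 60) {}

    // Called when the server renders the page that embeds the SWF.
    public function issue(int $now): string
    {
        $token = bin2hex(random_bytes(32));      // unpredictable, unlike md5(time())
        $this->pending[hash('sha256', $token)] = $now + $this->ttlSeconds;
        return $token;                           // handed to the client, e.g. via FlashVars
    }

    // Called by the POST handler. A token is accepted at most once.
    public function redeem(string $token, int $now): bool
    {
        $key = hash('sha256', $token);
        if (!isset($this->pending[$key])) {
            return false;                        // unknown or already used
        }
        $expiry = $this->pending[$key];
        unset($this->pending[$key]);             // burn it before checking expiry
        return $now <= $expiry;
    }
}

// Constructed demonstration with a fixed clock.
$store = new TokenStore(60);
$t0    = 1183999920;                             // constructed timestamp
$token = $store->issue($t0);

var_dump($store->redeem($token, $t0 + 5));        // first use inside the window
var_dump($store->redeem($token, $t0 + 6));        // replay of the same token
var_dump($store->redeem(md5((string) $t0), $t0)); // guessed md5-of-time value
$late = $store->issue($t0);
var_dump($store->redeem($late, $t0 + 61));        // presented after expiry
```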

Posted: Mon Jul 09, 2007 8:10 pm
by mattkenefick
feyd wrote: You shouldn't have to care so much. What you should care about is that the formats, quantities and various other parts of the data match what you expect. You can do challenge and response type stuff, but it will require Javascript or other scripting language. There are also tokens, but that is still possible to spoof; marginally harder, but still possible.
The format, quantity, various other data is unimportant. The important part is where it came from. Because I don't actually care what they sent, I'm not even reading it. I just need to know that file X was accessed from a different file on MY server. If file X isn't accessed from my server, it won't read it.


This is why:

There's a Flash file that's going to post to this PHP file. The PHP file just needs to know it's trying to be accessed by the Flash. It doesn't matter at all what the Flash is sending, just the fact that it's trying. I need for the PHP to know that this Flash file is on my server, and not someone else's. The PHP is going to send back relatively sensitive data to the Flash, and if it's on my server, everything will be cool. If it's someone spoofing, then it's not cool.

Make better sense?

Posted: Mon Jul 09, 2007 8:20 pm
by feyd
The Flash file won't be on your server when it sends information. It will be on the user's. The only control you can hope to assert is in supplying some sort of authentication key that is given to the Flash file as it loads and is used by Flash to encrypt, or otherwise sign the data. The problem is, that signing algorithm can be sucked out of the file. Is this really worth all that trouble?

Posted: Mon Jul 09, 2007 8:34 pm
by mattkenefick
feyd wrote: The Flash file won't be on your server when it sends information. It will be on the user's. The only control you can hope to assert is in supplying some sort of authentication key that is given to the Flash file as it loads and is used by Flash to encrypt, or otherwise sign the data. The problem is, that signing algorithm can be sucked out of the file. Is this really worth all that trouble?
Well when I do HTTP_REFERER now, it gives me the link of the SWF file.

If it's on http://example.com/test.swf, and it calls example.com/myScript.php... it will return http://example.com/test.swf when I do the $_SERVER['HTTP_REFERER'] call.

Unfortunately this is 100% necessary. One way or another, easy or impossible, it has to be done. :( No way around it.

Posted: Mon Jul 09, 2007 8:46 pm
by feyd
Unfortunately, HTTP_REFERER is an entirely optional request header. Some browsers don't send it, some routers/firewalls/corporations filter it out. It is easily spoofed too.

I think signing, in some fashion, is your only route unless Flash supports strong encryption and/or you are running this over SSL.

Posted: Mon Jul 09, 2007 8:51 pm
by mattkenefick
I know... that's why I posted this thread. =]

I'm looking for a reliable alternative to HTTP_REFERER. Flash doesn't really support any encryption. I'm going to be running over SSL AFTER I find out where it's coming from.

If I set up SSL for the whole thing, will I be able to tell that way?

Posted: Mon Jul 09, 2007 8:57 pm
by feyd
SSL will only provide an encrypted tunnel to help prevent data snooping. It won't provide additional data.

Posted: Mon Jul 09, 2007 9:03 pm
by mattkenefick
soo.. answers or no?