PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 
All times are UTC - 5 hours

PostPosted: Sat Jan 28, 2012 4:04 am 
DevNet Master

Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za
This post stems from another thread but is (to me) related to this: Is there a way to fake (spoof) $_POST values?

_________________
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering


PostPosted: Sat Jan 28, 2012 5:42 pm 
Site Administrator

Joined: Wed Aug 25, 2004 7:54 pm
Posts: 13592
Location: New York, NY, US
If you mean craft a post that appears to be coming from the site, but is not -- then yes. That's why there is only the concept of untrusted data. It doesn't matter where the post comes from, you can't trust the data and have to validate and filter.

_________________
(#10850)


PostPosted: Sat Jan 28, 2012 9:41 pm 
Forum Regular

Joined: Tue Sep 28, 2010 11:41 am
Posts: 984
Location: Columbus, Ohio
Easiest way: Firebug. You can change anything on the currently displayed site (even the "generated" code made via JavaScript).

I worked on a shopping cart once where, to save on doing AJAX calls back to the server each time you changed an attribute to get that combination's price, they had them all just as "hidden" inputs, and the JS pulled the price to display from those. Well, because the site had pain-in-the-rump advanced joins across like 4 tables to get the price, the person who coded the "Add to cart" code just grabbed the price from the submitted "hidden" values. I could go to the page, have a $250 item, Firebug it, change it to $5.00, do add to cart, and go through checkout and pay $5.00 (plus shipping) for a $250 item. And even worse, this particular company the site was for had people fulfilling the orders who didn't care what price was on them; they just saw "Qty 3 of SKU 435345", put that many in a box and shipped, and wouldn't have noticed.

That is why you never trust anything that can be altered by the user: $_POST / $_GET / $_COOKIE / $_SERVER['PHP_SELF'] / $_SERVER['HTTP_USER_AGENT'] / $_SERVER['HTTP_REFERRER'] are the main ones used.

-Greg


PostPosted: Sun Jan 29, 2012 3:21 am 
DevNet Master

Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za
Thanks for the replies; I assume that you're both referring to values such as hidden inputs, text inputs, checkboxes, dropdown boxes and radio buttons, or does this include every single $_POST item? The example below:
<?php
if (isset($_POST['submitButton'])) {
    // do processing
}
?>

Can you spoof $_POST['submitButton'] so that the script will start processing?

_________________
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering


PostPosted: Sun Jan 29, 2012 3:55 am 
Forum Regular

Joined: Tue Sep 28, 2010 11:41 am
Posts: 984
Location: Columbus, Ohio
Yes. You have to remember that the server gets all the post values the same way; all it knows is "here is a name and here is the value". It doesn't know whether it came from a button, input, select, textarea, etc. That is strictly for the browser, so it knows how to collect the value.

I can put a script on my server that will use curl to send requests to your site that say the referring site is your site, that it is a Firefox browser, and that contain post data.

So say you have, for simplicity's sake, a simple guestbook. I go to it, fill out a little form, hit submit, and "wow! there is my message and link to my site, live immediately". So I look at the form and see what the fields are. I write a script and set it to run once a day, and cool, my site is advertised every day on your site!

Heck, even an up-to-date WordPress install can have this happen. The owner of a company got several hundred e-mails to his iPhone PER HOUR one night because someone targeted his blog to auto-submit spam comments. Now, while they didn't auto-display, it did e-mail him every time a comment needed reviewing. Being in the position he was in as owner of the company, and wanting to be available 24/7 if a customer had a site issue, shutting his phone off at night when he goes to bed isn't an option.

By the time it came to my attention, there were several THOUSAND comments to clean out of the database. We locked it down pretty well: you have to submit the form within 30 minutes of when the page with the form is loaded. The form has a hash of the timestamp on it (do a search for "int2key" on here to find the post where I put the code to encode/decode). The forms on the sites have this form field:

<input type="hidden" class="hidden" name="comment_author_hash" value="85cQjZyUDM1YTM" />

That value is the current timestamp. If you can figure out how to change that value to be a current timestamp so it is always current, then you are awesome and I'll accept the spam lol (see the post I said to search for on how it gets generated). Now you will notice the field name is "comment_author_hash". If someone is gonna look at the code to see why their "bot" is failing, why give them something obvious like "form_timestamp"? ;-) I'm all about deception when it comes to that (I usually name honeypot fields URL or txtURL to encourage a bot to fill it out in case it is automated or the person writing it isn't paying attention).

All worked very nicely, with no need for a fugly captcha or the server overhead of having to fully load up the site to process a plugin to determine that the comment was spam. The actual WordPress code never even fired if a comment was submitted without the hidden field, or if the hidden field was more than 30 minutes old.

If you ever want to test an actual script, PM the info; I love a challenge like that!

-Greg
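One way to implement the freshness check Greg describes, as an added example that is not his int2key code (which is not shown in this thread) and instead uses an HMAC over the timestamp; the secret key, field name and 30-minute window are assumptions taken from the post above:

```php
<?php
// Added example: a hidden form token carrying the page-generation timestamp
// plus an HMAC over it, so the server can reject submissions that were forged
// (timestamp edited without the secret) or are older than 30 minutes.
// FORM_SECRET is an assumption: a long random value kept server-side only.

const FORM_SECRET  = 'replace-with-a-long-random-secret';
const FORM_MAX_AGE = 30 * 60; // 30 minutes, as in the post above

// Build the token to embed when rendering the form: "<unix time>.<hmac hex>".
function make_form_token(int $now, string $secret = FORM_SECRET): string
{
    return $now . '.' . hash_hmac('sha256', (string) $now, $secret);
}

// Validate a submitted token: well-formed, MAC matches, and not expired.
function check_form_token(?string $token, int $now, string $secret = FORM_SECRET): bool
{
    if ($token === null || !preg_match('/^(\d{1,12})\.([0-9a-f]{64})$/', $token, $m)) {
        return false; // missing or malformed: the form was never loaded
    }
    $issued   = (int) $m[1];
    $expected = hash_hmac('sha256', (string) $issued, $secret);
    if (!hash_equals($expected, $m[2])) {
        return false; // timestamp altered without knowing the secret
    }
    $age = $now - $issued;
    return $age >= 0 && $age <= FORM_MAX_AGE; // reject future or stale tokens
}

// Rendering side: embed the token under a non-obvious field name, as the post suggests.
$token = make_form_token(time());
echo '<input type="hidden" name="comment_author_hash" value="'
    . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '" />' . "\n";

// Submission side: run this before any other comment processing.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (!check_form_token($_POST['comment_author_hash'] ?? null, time())) {
        http_response_code(400);
        exit('Form expired or invalid.');
    }
    // ... process the comment here, still treating every field as untrusted input ...
}
```

A token stays valid for the whole window, so this stops bots that skip loading the form rather than replay within 30 minutes; tying the token to a session or a stored nonce closes that gap.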


PostPosted: Sun Jan 29, 2012 4:11 pm 
DevNet Master

Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za
Thanks for the info (and explanation); I was not sure of the possibility of the submit button being spoofed, but I see that it is. To me it seems that the solution to this is not to try and stop the form being processed, because that seems to be impossible; rather, it's to check whether the submission was made from the 'correct' form.

_________________
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering


PostPosted: Sun Jan 29, 2012 8:01 pm 
Forum Regular

Joined: Wed Mar 05, 2008 11:23 pm
Posts: 732
Location: Sunriver, OR