
form action

Posted: Mon Nov 07, 2005 5:11 pm
by s.dot
How do I make sure a form's contents are only being processed from my domain?

For instance, I recently had a guy save my form's HTML to his computer, alter a select box, and input an option that wasn't in the option list. He submitted this altered form to my PHP script, and it processed it.

I'm guessing somewhere in the $_SERVER I can check to make sure the form is only being submitted from my domain?

Re: form action

Posted: Mon Nov 07, 2005 5:28 pm
by foobar
scrotaye wrote: I'm guessing somewhere in the $_SERVER I can check to make sure the form is only being submitted from my domain?
You could use $_SERVER['HTTP_REFERER'], but you can cloak that pretty easily. What would make more sense is to run a server side check on whether the option sent is actually an allowed option.

Like so:

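Code:

// Read the submitted value; a missing field counts as invalid.
$bla = isset($_POST['bla']) ? $_POST['bla'] : null;
// POST values arrive as strings, so list the allowed options as strings.
$allowed = array('1', '2', '3');

// Strict comparison (third argument) stops values such as "1abc" from matching 1.
if (!in_array($bla, $allowed, true)) {
  die('Hax0r!!!1');
}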

Posted: Mon Nov 07, 2005 5:36 pm
by s.dot
hmm, how would $_SERVER['HTTP_REFERRER'] be fooled?

And I think I shall combine both security options to be safe.

Posted: Mon Nov 07, 2005 5:50 pm
by Dark[NSF]
scrotaye wrote:hmm, how would $_SERVER['HTTP_REFERRER'] be fooled?

And I think I shall combine both security options to be safe.
Any local webserver can change its DNS, I suppose that's one way of doing it.

Posted: Mon Nov 07, 2005 7:19 pm
by feyd
checking the sent information against what generated the form on the submitting page.. that's the only real way to make sure.. referrer isn't reliable in any direction. Remember: verify, validate, and sanitize anything that comes from any external source. If you are truly paranoid, you even do that for internal sources..

Posted: Mon Nov 07, 2005 8:11 pm
by wtf
What about sessions

page form create session set session id

process page, verify current session against incoming one?

Would that work???

Posted: Tue Nov 08, 2005 12:55 am
by s.dot
well I am going to check to make sure it's coming from my domain first of all...

that should thwart off some people, since apparently faking the http_referrer is possible.

then i can begin the process of checking all my select boxes to make sure the option they chose is in the select box.

why can't everyone just be nice instead of being hax0ring bastards :(

Posted: Tue Nov 08, 2005 1:04 am
by n00b Saibot
scrotaye wrote:why can't everyone just be nice instead of being hax0ring bastards :(
b'cos it's geek 8)
j/k :wink:

Posted: Tue Nov 08, 2005 10:22 am
by Maugrim_The_Reaper
One method of dissuasion is to add a token to every form requested from your site, validate this against the user's session stored token (both should equal) or else discard the request entirely. Also the usual input filtering; if it's not expected, don't accept it. $_SERVER variables based on user sourced data are never trustworthy. Being completely paranoid I actually discard everything in $_SERVER unless required. Much of its contents need to be properly filtered before use either way - it's not trustworthy in any shape or form since much is (whether the majority of developers realise it or not) sourced in user data, and can be tainted as easily as the traditional POST, GET, COOKIE...

The token practice isn't foolproof (obviously) but it's another inconvenience to overcome. Even obscurity is worthwhile if it forces a hacker to edit their script for every single request... Filtering is the key here however.
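
The session token check described in the post above, combined with the allow-list check suggested earlier in the thread, as an added example that is not code from any poster. It assumes PHP 7.1 or later; the names `issue_form_token`, `check_submission`, `form_token` and `colour` are hypothetical, and plain arrays stand in for `$_SESSION` and `$_POST` so it runs from the command line.

```php
<?php
// Added example; function and field names are hypothetical.

// Called when rendering the form: store a fresh random token in the session
// and return it for embedding in a hidden <input name="form_token">.
function issue_form_token(array &$session): string
{
    $session['form_token'] = bin2hex(random_bytes(32));
    return $session['form_token'];
}

// Called by the processing script. Returns null on success, or a reason string.
function check_submission(array &$session, array $post, array $allowed): ?string
{
    $expected = $session['form_token'] ?? null;
    unset($session['form_token']);   // single use: a replayed form fails
    $sent = $post['form_token'] ?? null;
    // hash_equals() compares in constant time; both sides must be strings.
    if (!is_string($expected) || !is_string($sent) || !hash_equals($expected, $sent)) {
        return 'bad token';
    }
    $choice = $post['colour'] ?? null;
    // Strict comparison against the same list that generated the <option>s.
    if (!is_string($choice) || !in_array($choice, $allowed, true)) {
        return 'option not in list';
    }
    return null;
}

// Constructed sample data standing in for $_SESSION and $_POST.
$allowed = ['red', 'green', 'blue'];
$session = [];

// Genuine form, submitted once, then the same submission replayed.
$token = issue_form_token($session);
var_dump(check_submission($session, ['form_token' => $token, 'colour' => 'green'], $allowed));
var_dump(check_submission($session, ['form_token' => $token, 'colour' => 'green'], $allowed));

// Valid token, but the select box was edited to send an unlisted option.
$token = issue_form_token($session);
var_dump(check_submission($session, ['form_token' => $token, 'colour' => 'purple'], $allowed));

// Submission carrying no token at all.
issue_form_token($session);
var_dump(check_submission($session, ['colour' => 'red'], $allowed));
```

The third case is the one from the original question: a valid token does not make the submitted option trustworthy, so the allow-list check still has to run.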

Posted: Tue Nov 08, 2005 1:41 pm
by wtf
or you can always go captcha way

Posted: Wed Nov 09, 2005 3:17 am
by Maugrim_The_Reaper
I dislike CAPTCHA; imagine you're struck blind tomorrow - now see how much you like it. It's a curse on people with visual impairments. Far as I'm concerned if you can't navigate a site with its graphics disabled completely, then it's called bad design.