security - _Post from one site

Posted: Sat Jul 07, 2007 3:28 pm
by divx
From a security point of view, how is it possible to make sure that any POST data only comes from one site (that you define)?

For instance, if I had an example/MyRegistrationForm.php, which posts to example2/MyUserCreation.php,
how could I make sure that the data is only posted from example/MyRegistrationForm.php?

I don't want to send this in the POST request (since a POST request can be manipulated); I need to find a way for example2/MyUserCreation.php to know it comes from example/MyRegistrationForm.php.

Any ideas?

Posted: Sat Jul 07, 2007 3:35 pm
by superdezign
Why?

You should be validating the data anyway.

Posted: Sat Jul 07, 2007 3:44 pm
by divx
Validation won't stop resubmits with things like Paros.

You don't necessarily have to JS inject to hijack a site; you could potentially create an auto-submit query that loops submit.

I already have a validation that checks for IP address, but I need something else to verify original location for hardening.

Posted: Sat Jul 07, 2007 3:57 pm
by superdezign
Try using a session.

I hope you're aware that remotely isn't the only way to re-submit a form. They could continuously refresh the page that the form was submitted to.

Posted: Sat Jul 07, 2007 4:13 pm
by divx
Resubmitting on that page is prevented (IP logged in DB, can only do one query, as are many other things such as email and username), but cross-site attacks are a little harder to prevent when a user changes IP address within a script.

Cookie sessions are an alternative, but I really wanted to avoid using cookies as a form of protection.

I've had a look at
$_SESSION['token'] = $token;
$_SESSION['token_time'] = time();

This might do the trick.

Posted: Sat Jul 07, 2007 4:25 pm
by feyd
IP tracking is not reliable, at all.

Posted: Sat Jul 07, 2007 4:35 pm
by nickvd
divx wrote:...when a user changes ip address within a script.
Or within my router

Or within my browser (proxy)

Or....

Or....


...just do echo what feyd said :)

Posted: Sat Jul 07, 2007 4:49 pm
by superdezign
Then don't use cookies. Make all of your users have an account and handle your sessions through the database.

Posted: Sat Jul 07, 2007 5:15 pm
by nickvd
You could always try implementing a challenge->response type of system.

The form page generates a key, stores it in the database and submits it to the processor. The processor then looks up the key and if it matches, it's legit...


Pretty much identical to maugrim's challenge/response login tutorial.
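
[Added example, not part of any post in this thread.] A sketch of the one-time key scheme nickvd describes, using the $_SESSION['token'] / $_SESSION['token_time'] pair divx mentions. The function names and the 15-minute lifetime are assumptions; the store is passed in as an array so the demo runs from the command line.

```php
<?php
// Added example. Function names and the 15-minute lifetime are assumptions;
// the 'token' and 'token_time' keys are the ones divx mentions.
const TOKEN_TTL = 900; // seconds a key stays valid (assumed value)

// Form page (example/MyRegistrationForm.php): create an unguessable key,
// remember it server-side, and return it for a hidden form field.
function issue_form_token(array &$session, int $now): string
{
    $session['token'] = bin2hex(random_bytes(32));
    $session['token_time'] = $now;
    return $session['token'];
}

// Processor (example2/MyUserCreation.php): accept the submitted key only if
// it matches the stored one and is still fresh. The stored key is deleted on
// every attempt, so a request captured and re-sent later is rejected.
function consume_form_token(array &$session, string $submitted, int $now): bool
{
    $expected = $session['token'] ?? null;
    $issuedAt = $session['token_time'] ?? 0;
    unset($session['token'], $session['token_time']);

    if (!is_string($expected) || $now - $issuedAt > TOKEN_TTL) {
        return false;
    }
    return hash_equals($expected, $submitted); // constant-time comparison
}

// Constructed demo: $session stands in for $_SESSION (after session_start())
// or for a database row, and $t0 is a made-up timestamp.
$session = [];
$t0 = 1183822080;

$key = issue_form_token($session, $t0);
var_dump(consume_form_token($session, $key, $t0 + 30));   // first submit
var_dump(consume_form_token($session, $key, $t0 + 31));   // same key replayed

$key = issue_form_token($session, $t0);
var_dump(consume_form_token($session, $key, $t0 + TOKEN_TTL + 1)); // stale key

issue_form_token($session, $t0);
var_dump(consume_form_token($session, 'not-the-key', $t0 + 5));    // wrong key
```

If the form and the processor run on different hosts, the store has to be one that both can read, such as the database nickvd suggests.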

Posted: Sat Jul 07, 2007 5:54 pm
by divx
The key could be caught if sent to the database, then re-used to manipulate from 3rd-party software like Paros.
- but could encrypt this

Posted: Sat Jul 07, 2007 6:52 pm
by nickvd
divx wrote:The key could be caught if sent to the database, then re-used to manipulate from 3rd-party software like Paros.
- but could encrypt this
How? The server itself would have to be compromised in order to do that... and if so, you'd have much much more to worry about...

Are you on a shared host?

If you're that paranoid about security, run the whole site with SSL...