Page 1 of 2

Preventing posting of data with Tamper Data

Posted: Wed Mar 18, 2009 11:02 pm
by bulgin
I have just spent much time constructing an application only to find out that if I use Tamper Data I can forge input values to the database for fields that were supposed to be 'read only'.

What is the general methodology for preventing a user from inputting values through a tool like 'Tamper Data'?

If I ssl enable the site would that help?

Thanks.

Re: Preventing posting of data with Tamper Data

Posted: Thu Mar 19, 2009 7:20 am
by kaisellgren
bulgin wrote:I have just spent much time constructing an application only to find out that if I use Tamper Data I can forge input values to the database for fields that were supposed to be 'read only'.
Tamper Data is just a lame extension to allow easy modification of the values your browser sends. I'm not sure if I understood what you wanted. What do you mean by read-only database columns? There is no such thing unless the SQL account has no privileges to update the values, which I doubt is what you want.
bulgin wrote:What is the general methodology for preventing a user from inputting values through a tool like 'Tamper Data'?
As a PHP developer? There are no methodologies for that at all. Why would there be? PHP is a server-side software. :|
bulgin wrote:If I ssl enable the site would that help?
It has nothing to do with what the user decides to give as his/her input.

Re: Preventing posting of data with Tamper Data

Posted: Thu Mar 19, 2009 9:38 am
by bulgin
thanks for your reply. I think you know what I would like to do - stop a user who is using Tamper Data or equivalent from being able to see the values being passed to the browser. In some cases in this application the person using Tamper Data (okay it's lame, but people use it hack stuff) can see the field names and hard-coded values in those fields. Isn't there some methodology for preventing either the sending of/or viewing of this data?

Re: Preventing posting of data with Tamper Data

Posted: Thu Mar 19, 2009 9:47 am
by kaisellgren
bulgin wrote:thanks for your reply. I think you know what I would like to do - stop a user who is using Tamper Data or equivalent from being able to see the values being passed to the browser. In some cases in this application the person using Tamper Data (okay it's lame, but people use it hack stuff) can see the field names and hard-coded values in those fields. Isn't there some methodology for preventing either the sending of/or viewing of this data?
HTTP is a stateless connection between the client and the server. Regardless of what you do, the client can send any data he wishes. It is then up to the server to decide how to handle the data.

Re: Preventing posting of data with Tamper Data

Posted: Thu Mar 19, 2009 9:53 am
by bulgin
Understood. But if the person behind the client cannot SEE the names of the fields they are less likely to know WHAT to send, n'est pa?

You are telling me there is no way to hide from the eyeballs of the user the name of fields that a tool like Tamper Data reveals?

Re: Preventing posting of data with Tamper Data

Posted: Thu Mar 19, 2009 10:04 am
by kaisellgren
bulgin wrote:But if the person behind the client cannot SEE the names of the fields they are less likely to know WHAT to send
The person can always see "the names of the fields" if he wants. It's all about how skilled he is.
bulgin wrote:You are telling me there is no way to hide from the eyeballs of the user the name of fields that a tool like Tamper Data reveals?
What do you exactly refer to when you use that "the names of the fields"? Form fields? How could you "hide" them? You directly tell the client the details, if you do not, he will never submit anything to you..

Re: Preventing posting of data with Tamper Data

Posted: Thu Mar 19, 2009 10:22 am
by bulgin
Have you ever actually used 'Tamper Data' or something equivalent? It's rather clear what I'm referring to.

The fields, their actual names not the human-friendly field name used in the form -- those placeholders used in something like MySQL or equivalent to hold user input values -- are revealed to the person using Tamper Data.

Clearly if someone is going to force input to over-ride the hard-coded values they need to know the name of the field in the MySQL database. If the name in the MySQL database for a last name is:

58JlwWxuYVj and not last_name

they are going to have a more difficult time getting the data into the database. With some of the programs like tamper data the actual field name is revealed.

I simply want to hide that.

Wouldn't ssl do that?

Re: Preventing posting of data with Tamper Data

Posted: Thu Mar 19, 2009 10:41 am
by kaisellgren
bulgin wrote:Have you ever actually used 'Tamper Data' or something equivalent? It's rather clear what I'm referring to.
No, I just use cURL to do whatever I want to do.
bulgin wrote:The fields, their actual names not the human-friendly field name used in the form -- those placeholders used in something like MySQL or equivalent to hold user input values -- are revealed to the person using Tamper Data.
Human-friendly names?
bulgin wrote:Clearly if someone is going to force input to over-ride the hard-coded values they need to know the name of the field in the MySQL database.
No one can override server-side hard-coded values unless you have other vulnerabilities in your application.
bulgin wrote:If the name in the MySQL database for a last name is: 58JlwWxuYVj and not last_name
Bear in mind, obscurity is a protection, not a defense.
bulgin wrote:Wouldn't ssl do that?
It encrypts the transmission.

Re: Preventing posting of data with Tamper Data

Posted: Thu Mar 19, 2009 1:04 pm
by bulgin
Let me paint this picture and perhaps it will be more clear what I would like to do (and this is just an example):

If I go to somebank.com and login and bring up their form and fill it in and submit it all the while using tamper data to view the submission process, there are NO FIELD names listed in the tamper data application. A user cannot therefore surmise the structure of their database and use it for malicious means.

If I go to mysite.com and login and bring up my php form and fill it in and submit it all the while using tamper data to view the submission process, there are FIELD NAMES listed that correspond very nicely the field names in my backend database.

The question stands: how does one do what somebank.com does? What are the general principals behind obfuscating their data?

I don't understand why this question is so difficult to understand? :banghead:

Re: Preventing posting of data with Tamper Data

Posted: Thu Mar 19, 2009 1:18 pm
by kaisellgren
What exactly are you trying to protect from?

Re: Preventing posting of data with Tamper Data

Posted: Thu Mar 19, 2009 1:26 pm
by crazycoders
I think it is quite simple to fix your problem but just as complex at the same time.

Kai... tsss you are making this so hard for him :P

Ok so to fix your problem just change the name of the fields that are outputted and read from the script. But that won't prevent the user from tampering with the data. Rule of thumb is that if a value is to be read only, don't update it from your script. That would make a first barrier of propection.

The golden rule with any programming, mostly web programming since you can tamper with the posted data soooo easily is to:
1. ALWAYS VALIDATE THE CONTENT YOU RECEIVE.

The second rule is
2. DO NOT REINVENT THE WHEEL.

So, at the light of this:
1. If you send data to a client in a form, try to shield the implementations of your database by changing the names of the fields.

2. If you have data you don't want to be updated, then don't update it in the database whatever the case is. Why place them in the update statement if you didn't intend the user to update them.

3. Make sure the data sent back by the client is always in the best form possible. If you don't verify because you think the data is allright because you checked it on the last postback then WRONG. Anyone can change the posted data that they send back on their second pass even if the field is hidden from view and that's where new PHP programmers make the most errors, they assume the data is allright. IT IS NEVER RIGHT TO ASSUME IN PROGRAMMING :P

Have a nice day!

Re: Preventing posting of data with Tamper Data

Posted: Thu Mar 19, 2009 2:52 pm
by bulgin
thank you. thank you. thank you.

Now I have something I can chew on. Let's see, the part about not putting them in the update statement if you didn't intend the user to update them makes total sense.

Can you give me a simple example, though on the php syntax for "shielding the implementations of your database by changing the names of the fields"?

How does one go about changing the names of the fields in one instance for viewing, then back again for the original name so the data can be updated into the database?

But thanks for your input. It is much appreciated! :D

Re: Preventing posting of data with Tamper Data

Posted: Thu Mar 19, 2009 3:04 pm
by crazycoders
Hummmm ok lets assume the following table schema:

Code: Select all

 
id INT UNSIGNED NOT NULL,
ReadOnly VARCHAR(50) NOT NULL,
UserName VARCHAR(50) NOT NULL,
LastUpdate DATETIME
 
My guess is you are creating a form like this:

Code: Select all

 
<form name="myform" id="myform" method="post" action="handler.php">
    <input type="hidden" name="readonly" value="some_secret_readonly_value" />
    <table>
        <tr>
            <td>Username</td>
            <td><input type="text" name="username" id="username" value="Please enter your username" /></td>
        </tr>
        <tr>
            <td>&nbsp;</td>
            <td><input type="submit" name="submit" id="submit" value="Submit" /></td>
        </tr>
    </table>
</form>
 
Now, in your code you probably reference the $_POST['username'] and put it in your database query like so:

Code: Select all

 
$query = 'UPDATE mytable SET username = "'.mysql_real_escape_string($_POST['username']).'", readonly = "'.$_POST['readonly'].'" WHERE id = '.$_POST['id']
 
Well that is wrong... you don't need to update readonly and what prevents you from changing the username field name to yourusername? So, your form would look like this:

Code: Select all

 
<form name="myform" id="myform" method="post" action="handler.php">
    <table>
        <tr>
            <td>Username</td>
            <td><input type="text" name="your_username" id="your_username" value="Please enter your username" /></td>
        </tr>
        <tr>
            <td>&nbsp;</td>
            <td><input type="submit" name="submit" id="submit" value="Submit" /></td>
        </tr>
    </table>
</form>
And your update code should look like this:

Code: Select all

 
$query = 'UPDATE mytable SET username = "'.mysql_real_escape_string($_POST['your_username']).'" WHERE id = '.mysql_real_escape_string($_POST['id'])
 
Ok, don't flamme me everyone, its really beginner stuff i just wrote. Note that you should first of all check that the session has not be tampered with, validate all the values, for example, a user is not changing the ID and updating another row than was originally expected and such, but i'll leave that to you.

I hope it anwsers your question, i can't really be more precise than that i guess.

Re: Preventing posting of data with Tamper Data

Posted: Thu Mar 19, 2009 3:12 pm
by bulgin
That is enormously helpful and I thank you.

Beginners need to learn too, you know.

Thanks!

Re: Preventing posting of data with Tamper Data

Posted: Thu Mar 19, 2009 3:42 pm
by kaisellgren
bulgin wrote:Beginners need to learn too, you know.
I think you should read some books and online tutorials...?