I've been trying to come up with a way to ensure user input is coming
from the form on my site, and not auto-submitted from elsewhere, and I
don't want to use the "enter the code shown in the image" method. I know
the $_SERVER['HTTP_REFERER'] contents can be spoofed, so I thought of
doing something similar to this:
<?php
session_start();
// Pick a random code for this visitor and remember it server-side in the session
$code = mt_rand(0, 1000000);
$_SESSION['code'] = $code;
?>
Then in my form have:
<input type="hidden" name="originator" value="<?=$code ?>">
On the page receiving the form:
<?php
session_start();
// Only process the form when a code was submitted, a code is stored in this
// session, and the two match (without the session check a submission with an
// empty code would compare equal to a missing session value)
if (isset($_POST['originator'], $_SESSION['code'])) {
    if ($_POST['originator'] == $_SESSION['code']) {
        // process the form
    }
}
?>
I'm looking for feedback on this method. Do you think this is an
effective way to ensure the input you're receiving is indeed from your
form? Obviously, the random code key will be visible to the client, but
without the matching session variable, it will be useless.
Your thoughts?
Scott
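The same hidden-field-plus-session idea, written out as an added example (this is not Scott's code or anything posted in the thread): the token comes from the CSPRNG instead of mt_rand(), the comparison is constant-time, and each token is good for one submission only. The function names, the `form_token` session key and the CLI demonstration with a constructed session array are this example's own assumptions.

```php
<?php
// Added example (not Scott's code): hidden-field token tied to the session,
// with a CSPRNG value, constant-time comparison and one-time use.
declare(strict_types=1);

const TOKEN_BYTES = 32;

// Issue a fresh token for one form render and remember it server-side.
// $session stands in for $_SESSION so the logic can be exercised from the CLI.
function issue_token(array &$session): string
{
    $token = bin2hex(random_bytes(TOKEN_BYTES));   // 64 hex chars, unguessable
    $session['form_token'] = $token;
    return $token;
}

// Render the hidden input. The token is hex so escaping is not strictly
// needed, but escaping every value echoed into HTML is the habit to keep.
function hidden_field(string $token): string
{
    return '<input type="hidden" name="originator" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Validate a submission against the session. The stored token is cleared
// whether or not the check passes, so the same POST cannot be replayed and
// a failed guess costs the caller a fresh page load.
function consume_token(array &$session, array $post): bool
{
    $expected = $session['form_token'] ?? null;
    unset($session['form_token']);               // one-time use
    $given = $post['originator'] ?? null;        // $_POST values may be arrays
    if (!is_string($expected) || !is_string($given)) {
        return false;                            // missing on either side
    }
    // hash_equals does not short-circuit on the first differing byte
    return hash_equals($expected, $given);
}

// --- CLI demonstration with a constructed session and constructed POSTs ---
if (PHP_SAPI === 'cli') {
    $session = [];                               // constructed stand-in for $_SESSION
    $token = issue_token($session);
    echo hidden_field($token), PHP_EOL;

    $ok      = consume_token($session, ['originator' => $token]);             // true
    $replay  = consume_token($session, ['originator' => $token]);             // false: already used
    issue_token($session);
    $forged  = consume_token($session, ['originator' => str_repeat('0', 64)]); // false: wrong value
    issue_token($session);
    $missing = consume_token($session, []);                                   // false: no field

    var_dump($ok, $replay, $forged, $missing);
}
```

In a real page the calls are `session_start(); $token = issue_token($_SESSION);` when rendering the form and `consume_token($_SESSION, $_POST)` when receiving it; `$_SESSION` can be passed by reference like any array. Because the token is cleared on every attempt, a form that fails validation for other reasons should be re-rendered with a new token rather than asking the browser to resubmit the old one.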
Scott wrote: I've been trying to come up with a way to ensure user input is coming from the form on my site, and not auto-submitted from elsewhere, and I don't want to use the "enter the code shown in the image" method. I know
Even using a captcha (enter code shown in image) you can not be 100%
certain that the form posted was from your site...
the $_SERVER['HTTP_REFERER'] contents can be spoofed, so I thought of doing something similar to this:
<snip>
I'm looking for feedback on this method. Do you think this is an effective way to ensure the input you're receiving is indeed from your form? Obviously, the random code key will be visible to the client, but without the matching session variable, it will be useless.
Great for protecting against CSRF, but you can still "submit" the form
without opening your site up in a browser.
The session/token can be gotten around with things like curl. This is
the same method that Chris Shiflett outlined in his Essential PHP
Security book (phpsecurity.org) in Chapter 2.
By all means, use this method, but don't forget that you also need to
check that all the fields you expect are there, that you don't use any
fields that shouldn't be there, and that you filter all input and escape
all output.
Scott wrote: <snip>
Yes, that's precisely what you want to do. The function uniqid() can
also be used to generate the random key.
A check on HTTP_REFERER is actually sufficient too, since ordinary
users aren't going to be spoofing the Referer headers.
Chung Leong wrote: A check on HTTP_REFERER is actually sufficient too, since ordinary users aren't going to be spoofing the Referer headers.
Anyone that is running a firewall program like Norton's Personal
Firewall won't send the referrer... There are a number of web proxies
out there that do the same. Don't even bother with the HTTP_REFERER for
anything.
Thanks for the feedback guys. I know not to rely on HTTP_REFERER. I
think the plan is to use a combination of the method I described
earlier, along with filtering the input with regular expressions to
ensure I'm only getting valid data.
This is for a contact form, so if you can think of any more obvious
holes I need to watch for, let me know.
Thanks again!
Scott
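Justin's advice above (check that every expected field is there, reject fields that should not be there, filter all input and escape all output) and Scott's plan for the contact form (regular expressions, strip_tags()) can be put together in one handler. The following is an added example, not code from the thread; the field names, the length limits, the `single_line()` and `h()` helpers and the constructed submissions in the CLI block are this example's own choices.

```php
<?php
// Added example, not code from the thread: server-side handling of a contact
// form. Field names, limits and helper names are this example's own choices.
declare(strict_types=1);

// Every field the form may carry. Anything else in the POST is rejected.
const CONTACT_FIELDS = ['name', 'email', 'message', 'originator'];

// True when a value contains no CR/LF. Required for anything that ends up in
// a mail header, where a newline would let the sender inject extra headers.
function single_line(string $s): bool
{
    return preg_match('/[\r\n]/', $s) !== 1;
}

/**
 * Validate a contact-form submission.
 * Returns ['ok' => bool, 'errors' => string[], 'data' => array]; 'data' holds
 * the trimmed, validated values only when 'ok' is true.
 */
function validate_contact(array $post): array
{
    $errors = [];

    // 1. Unexpected fields mean the request was not produced by our form.
    $extra = array_diff(array_keys($post), CONTACT_FIELDS);
    if ($extra !== []) {
        $errors[] = 'unexpected fields: ' . implode(', ', $extra);
    }

    // 2. Every expected field must be present as a plain string
    //    ($_POST can carry arrays, e.g. name[]=x, which is_string rejects).
    foreach (CONTACT_FIELDS as $f) {
        if (!isset($post[$f]) || !is_string($post[$f])) {
            $errors[] = "missing or malformed field: $f";
        }
    }
    if ($errors !== []) {
        return ['ok' => false, 'errors' => $errors, 'data' => []];
    }

    // 3. Filter each value according to what it is supposed to contain.
    $name = trim($post['name']);
    if ($name === '' || strlen($name) > 100 || !single_line($name)) {
        $errors[] = 'name: 1-100 characters, single line';
    }
    $email = trim($post['email']);
    if (!single_line($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: not a valid address';
    }
    // strip_tags() tidies the stored text; it is NOT what makes output safe,
    // that is h() below at the point where the value is echoed.
    $message = trim(strip_tags($post['message']));
    if ($message === '' || strlen($message) > 5000) {
        $errors[] = 'message: 1-5000 characters';
    }
    // 'originator' is the session token; it is compared against $_SESSION
    // elsewhere and only has to be a string here.

    return [
        'ok'     => $errors === [],
        'errors' => $errors,
        'data'   => $errors === [] ? compact('name', 'email', 'message') : [],
    ];
}

// Escape anything echoed back into HTML (the "here is what you sent" page).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// --- CLI demonstration with constructed submissions ---
if (PHP_SAPI === 'cli') {
    $good = ['name' => 'Ada', 'email' => 'ada@example.com',
             'message' => 'Hello <b>there</b>', 'originator' => 'abc123'];
    $extra = $good + ['admin' => '1'];                  // a field our form never sends
    $inject = $good;
    $inject['email'] = "ada@example.com\r\nBcc: someone@example.net"; // header-injection attempt

    foreach ([$good, $extra, $inject] as $post) {
        $r = validate_contact($post);
        echo $r['ok'] ? 'OK   ' : 'FAIL ', implode('; ', $r['errors']), PHP_EOL;
    }
    echo h(validate_contact($good)['data']['message']), PHP_EOL;   // Hello there
}
```

The order matters: the allow-list and presence checks run before any value is looked at, so a request with surprise fields is rejected outright instead of having its extra keys silently dropped. The CR/LF check on the address is what protects a later `mail()` call; the validation of the token itself belongs with the session code, not here.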
Scott wrote: <snip>
Justin Koivisto wrote: Chung Leong wrote: A check on HTTP_REFERER is actually sufficient too, since ordinary users aren't going to be spoofing the Referer headers.
Anyone that is running a firewall program like Norton's Personal Firewall won't send the referrer... There are a number of web proxies out there that do the same. Don't even bother with the HTTP_REFERER for anything.
If HTTP_REFERER is empty, then bypass the test. Really, one should
consider each scenario carefully instead of just blindly repeating some
axiom. In this case, making cross-site posting not functional a
majority of the times is sufficient in deterring sites from doing it.
>I've been trying to come up with a way to ensure user input is coming from the form on my site, and not auto-submitted from elsewhere, and I
Why? What are you *really* trying to accomplish?
If the original objective was to drain the swamp, and you find
yourself assigning Social Security numbers to alligators chomping
your ass to limit them to one bite each, you need to step back and
re-evaluate what you are doing.
Remember, if a browser can return the values of hidden fields and/or
cookies, so can bots. CURL is pretty good at this.
If the original objective is for the browser to not bypass
the input field checking done by Javascript, you're toast anyway,
as Javascript can be Turned Off(tm). You need the checks
server-side anyway.
Captchas can be defeated by outsourcing the task to humans (often
unwitting dupes). The bot writer puts up a web page offering
something "valuable", say, free porn, and sends responders the same
captcha you sent the bot. They respond with the code to get their
free porn. Actually providing the porn is optional. I believe I
have heard of spammers actually using this technique. But for
someone to bother with this, you have to be protecting something
valuable to the bot.
I didn't see any code to prevent the bot from doing the equivalent
of "SUBMIT, BACK, repeat". Even if you put that code in, you still
have a problem. If the original objective is to stop the bots from
pounding your server, there's nothing preventing them from getting
a new page from your server with the funky code on that, then
submitting it, thereby doubling the number of hits on your server.
You're really going to have trouble if the bot does the equivalent
of Go to URL, get page, submit it with values filled in, forget
all session cookies, and repeat. This looks like a bunch of people
with different browsers all visiting your page.
If the original problem is to prevent ballot-box stuffing in a vote
or a poll, you're stuck with one of two basic methods: (a) issue
credentials to voters and make sure credentials can only be used
once, or (b) try to identify users on the fly by some characteristic
of their computer, such as IP address, browser ID string, cookie,
or some combination of these, all of which have problems with both
excluding legitimate voters and allowing cheaters. It's going to
be difficult to get a reliable vote or survey if you don't use
method (a), but this may require effort like a professional survey
firm uses. (b) is doomed to failure, but you can try to make
cheating non-trivial. Remember, a dedicated fan determined to stuff
a ballot box can cast thousands of ballots a day MANUALLY.
> don't want to use the "enter the code shown in the image" method. I know the $_SERVER['HTTP_REFERER'] contents can be spoofed, so I thought of
The most serious problem with 'HTTP_REFERER' is that there are lots
of users who can't UN-block it to save their lives. Perhaps it's
their own firewall, but they don't know how to configure it. Perhaps
it's an office firewall.
Then there's the hardcore bad guys who can spoof it.
> doing something similar to this:
> <?php session_start(); $code = mt_rand(0,1000000); $_SESSION['code'] = $code; ?>
> Then in my form have: <input type="hidden" name="originator" value="<?=$code ?>">
> On the page receiving the form:
> <?php session_start(); if(isset($_POST['originator'])) { if($_POST['originator'] == $_SESSION['code']) { /* process the form */ } } ?>
> I'm looking for feedback on this method. Do you think this is an effective way to ensure the input you're receiving is indeed from your form?
Ensuring that the input is from your form is meaningless, a lot
like preventing air disasters by permitting only *LICENSED* bombs
on board. What are you REALLY trying to accomplish?
> Obviously, the random code key will be visible to the client, but without the matching session variable, it will be useless.
The client can submit both the random code key with the form AND
pass through the session cookie. Browsers do this quite well.
It's not that hard for a bot to do it (see CURL).
> Your thoughts?
CURL is very good at fetching a URL, picking up a cookie from it,
and using it to submit the form it fetched.
Gordon L. Burditt
It's just a contact form. The end result will be emailed, and possibly
stored in a database. It's no gateway into bank accounts or anything
along those lines. I had already planned on filtering the data with
regular expressions, strip_tags(), etc. when I thought of the
aforementioned $_SESSION['code'] method, and just wanted to bounce the
idea off of the group.
I liked your alligator analogy, though. Thanks for that!
Scott
Gordon Burditt wrote: <snip>
Chung Leong wrote: Scott wrote: <snip>
Yes, that's precisely what you want to do. The function uniqid() can also be used to generate the random key.
A check on HTTP_REFERER is actually sufficient too, since ordinary users aren't going to be spoofing the Referer headers.
In addition to what Justin said - if someone DOES want to spoof your
site, they will set HTTP_REFERER to your site. That check is worthless.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attglobal.net
==================
Jerry Stuckle wrote: In addition to what Justin said - if someone DOES want to spoof your site, they will set HTTP_REFERER to your site. That check is worthless.
I think you misunderstand the problem. Here's how an
auto-form-submission attack works:
1. Victim logs into site A
2. Victim is fooled into going to site B
3. Page at site B has a prefilled form targeting a script at site A.
Through Javascript the form is submitted without any intervention from
the victim.
4. The POST request arrives at site A and is processed as though the
victim has filled and submitted.
The solution proposed by the OP would stop this type of attacks but it
has to be implemented on every form. A check on the referer header
offers incomplete protection but can be easily implemented as a global
check.
In this scenario, it's the victim's computer which is making the POST,
thus spoofing isn't a real concern.
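Chung's two points (earlier: skip the test when HTTP_REFERER is empty; here: a referer check is incomplete but can be done once, globally) can be combined into a single check that runs before any form handler. The following is an added example and not code from the thread; the `SITE_HOST` constant, the function name and the constructed request environments are this example's assumptions, and the look at the Origin header goes beyond what the thread discusses (browsers send it on cross-origin POSTs).

```php
<?php
// Added example, not code from the thread: a global cross-site POST check
// in the spirit of Chung's suggestion. An absent header is not treated as
// hostile; a present header naming another host is.
// SITE_HOST and the Origin-header check are this example's own additions.
declare(strict_types=1);

const SITE_HOST = 'www.example.com';    // assumption: the host our forms live on

/**
 * True when the request is a POST whose Origin or Referer header names a host
 * other than ours. Absent headers are ignored (privacy proxies and desktop
 * firewalls strip Referer), so this layer catches only the common case and a
 * per-form session token must still do the real work.
 * $server stands in for $_SERVER so the rule can be exercised from the CLI.
 */
function is_cross_site_post(array $server, string $site_host = SITE_HOST): bool
{
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return false;                           // only state-changing requests matter
    }
    foreach (['HTTP_ORIGIN', 'HTTP_REFERER'] as $header) {
        $value = $server[$header] ?? '';
        if ($value === '') {
            continue;                           // absent: no evidence either way
        }
        $host = parse_url($value, PHP_URL_HOST);
        // Exact host comparison: a substring test would accept
        // "www.example.com.evil.test". A value with no host part
        // (e.g. "Origin: null") is rejected.
        if (!is_string($host) || strcasecmp($host, $site_host) !== 0) {
            return true;
        }
    }
    return false;
}

// --- CLI demonstration with constructed request environments ---
if (PHP_SAPI === 'cli') {
    $cases = [
        'same-site POST'   => ['REQUEST_METHOD' => 'POST', 'HTTP_REFERER' => 'https://www.example.com/contact.php'],
        'stripped Referer' => ['REQUEST_METHOD' => 'POST'],
        'cross-site POST'  => ['REQUEST_METHOD' => 'POST', 'HTTP_REFERER' => 'https://site-b.test/page.html'],
        'lookalike host'   => ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN'  => 'https://www.example.com.evil.test'],
        'plain GET'        => ['REQUEST_METHOD' => 'GET',  'HTTP_REFERER' => 'https://site-b.test/'],
    ];
    foreach ($cases as $label => $server) {
        printf("%-17s blocked=%s\n", $label, is_cross_site_post($server) ? 'yes' : 'no');
    }
    // In production, before any form handler runs (e.g. from a front
    // controller or an auto_prepend_file script):
    // if (is_cross_site_post($_SERVER)) { http_response_code(403); exit; }
}
```

Expected output is `blocked=no` for the same-site POST, the stripped-Referer POST and the GET, and `blocked=yes` for the cross-site POST and the lookalike host. The "stripped Referer" case is exactly the user behind a firewall or proxy from earlier in the thread: this layer lets them through, and it is the session token on the form that decides whether their submission is accepted.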