Posted by Gordon Burditt on 10/13/40 11:40
>>>This allows you to be confident that the form was submitted from your
>>>site.
>>
>> Ok, define "submitted from your site".
>>
>> It is possible, and I've done this sort of thing on a site where I
>> had legitimate access, to fetch the form from your site, (using,
>> e.g. CURL) find the HTML for formToken, pick up the value, and pass
>> it as a parameter in the next request (again using CURL). Along
>> the way I can add in any other variables I want and not run any
>> Javascript on the page. Granted, this *does* load the form
>> from your site. And I'd have to be logged in to do it, if
>> that is needed to get to the page.
>
>I tried to do this before as well... Curl wouldn't hold the session id,
>so when the post came through, there was no $_SESSION['token'] set to
>compare against the $_POST['formToken']
Command-line CURL can and will save cookies (specifically the session
cookie) picked up from one request so you can use them in the next
request. I haven't tried using CURL from PHP, but I assume the
ability to do that is in there also, and the documentation seems
to support this. That should make the first request and the second
be in the same session.
Certainly, it's *possible* to do this, as a browser operated by a
human does it, and it doesn't require any abilities from the human
that are hard to automate (like reading CAPTCHAs).
What exactly are you trying to protect against here? You can protect
against stupid bots that just have the formula for what to submit
for your form, and just keep re-using it. Malicious humans operating
manually are going to be able to get around it easily.
>> Granted, it's not something your average spambot would do, but it
>> can be done.
>
>When I get in to the office, I'll set up a simple little form for
>testing this out again. However, the first tests I ran didn't work at
>all. Maybe I'll post the URL of the test form for others to take a try
>at. ;)
>
>PS - I'm sure I've mentioned this before, but the method I have been
>using comes from Chris Shiflett's "Essential PHP Security," and I see
>that the chapter where this is introduced is available for download from
>the book's companion site: http://phpsecurity.org (chapter 2)
Gordon L. Burditt
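The two-request flow Gordon describes, as an added example that is not part of the thread and not code from Shiflett's book: a small local HTTP server plays the role of the PHP page (session cookie assumed to be named PHPSESSID, hidden field named formToken, the token stored server-side per session and compared on POST), and a cookie-aware client plays the role of curl with a cookie jar. The first run keeps the session cookie between the GET and the POST and is accepted; the second discards it, reproducing the "no $_SESSION['token'] to compare against" failure. The server, URLs and field names are constructed for the demo.

```python
"""Session-bound form token with a scripted client (constructed demo).

A stand-in for the PHP page: PHPSESSID cookie, hidden formToken field,
token kept server-side per session.  The client stands in for curl -c/-b.
"""
import http.cookiejar
import http.server
import re
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request

SESSIONS = {}  # session id -> dict, the stand-in for $_SESSION


class TokenFormHandler(http.server.BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo quiet
        pass

    def _session(self):
        """Return (sid, session dict, is_new) from the PHPSESSID cookie, if any."""
        m = re.search(r"PHPSESSID=([0-9a-f]+)", self.headers.get("Cookie", ""))
        if m and m.group(1) in SESSIONS:
            return m.group(1), SESSIONS[m.group(1)], False
        sid = secrets.token_hex(16)
        SESSIONS[sid] = {}
        return sid, SESSIONS[sid], True

    def _reply(self, status, body, extra_headers=()):
        self.send_response(status)
        for name, value in extra_headers:
            self.send_header(name, value)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        # GET /form: mint a token, store it in the session, embed it in the form.
        sid, sess, is_new = self._session()
        sess["token"] = secrets.token_hex(16)
        body = (
            '<form method="post" action="/submit">'
            f'<input type="hidden" name="formToken" value="{sess["token"]}" />'
            '<input name="comment" /></form>'
        ).encode()
        headers = [("Set-Cookie", f"PHPSESSID={sid}; Path=/")] if is_new else []
        self._reply(200, body, headers)

    def do_POST(self):
        # POST /submit: accept only if formToken matches the token in this session.
        _sid, sess, _is_new = self._session()
        length = int(self.headers.get("Content-Length", "0"))
        fields = urllib.parse.parse_qs(self.rfile.read(length).decode())
        posted = fields.get("formToken", [""])[0]
        expected = sess.get("token")
        if expected is not None and secrets.compare_digest(posted, expected):
            self._reply(200, b"accepted")
        else:
            self._reply(403, b"rejected")  # no session token, or a mismatch


def extract_token(html):
    """Lift the hidden formToken value out of the fetched HTML (what one greps for)."""
    m = re.search(r'name="formToken"\s+value="([^"]+)"', html)
    return m.group(1) if m else None


def scripted_submission(base_url, keep_cookies=True):
    """Fetch the form, take its token, POST it back; like curl -c jar then -b jar.

    keep_cookies=False drops the session cookie between the requests, so the
    server sees a fresh session with no token.  Returns (status, body).
    """
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    html = opener.open(base_url + "/form").read().decode()
    token = extract_token(html)
    if not keep_cookies:
        jar.clear()
    data = urllib.parse.urlencode({"formToken": token, "comment": "scripted"}).encode()
    try:
        resp = opener.open(base_url + "/submit", data=data)
        return resp.getcode(), resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def start_server():
    """Start the stand-in server on a free loopback port; returns (server, base URL)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), TokenFormHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


if __name__ == "__main__":
    server, url = start_server()
    print("cookie jar kept:      ", scripted_submission(url, keep_cookies=True))
    print("cookie jar discarded: ", scripted_submission(url, keep_cookies=False))
    server.shutdown()
```

The command-line equivalent is `curl -c jar -b jar URL/form` to fetch the page and write the session cookie, a grep for the formToken value, and `curl -b jar -d 'formToken=...&comment=...' URL/submit` to post it back in the same session; the `keep_cookies=False` run corresponds to omitting `-b jar`, which is why a token check by itself only stops clients that never fetched the form.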