Posted by Justin Koivisto on 11/17/00 11:40

Gordon Burditt wrote:
> Justin Koivisto wrote:
>> Gordon Burditt wrote:
>>>
>>> It is possible, and I've done this sort of thing on a site where I
>>> had legitimate access, to fetch the form from your site, (using,
>>> e.g. CURL) find the HTML for formToken, pick up the value, and pass
>>> it as a parameter in the next request (again using CURL). Along
>>> the way I can add in any other variables I want and not run any
>>> Javascript on the page. Granted, this *does* load the form
>>> from your site. And I'd have to be logged in to do it, if
>>> that is needed to get to the page.
>>
>> I tried to do this before as well... Curl wouldn't hold the session id,
>> so when the post came through, there was no $_SESSION['token'] set to
>> compare against the $_POST['formToken']
>
> Command-line CURL can and will save cookies (specifically the session
> cookie) picked up from one request so you can use them in the next
> request. I haven't tried using CURL from PHP, but I assume the
> ability to do that is in there also, and the documentation seems
> to support this. That should make the first request and the second
> be in the same session.
>
> Certainly, it's *possible* to do this, as a browser operated by a
> human does it, and it doesn't require any abilities from the human
> that are hard to automate (like reading CAPTCHAs).
>
> What exactly are you trying to protect against here? You can protect
> against stupid bots that just have the formula for what to submit
> for your form, and just keep re-using it. Malicious humans operating
> manually are going to be able to get around it easily.

What am I protecting? Well, this is only a first line of defense for me.
From there, I compare vars that were submitted with ones that I expect
as well as filtering or validating the data for those vars. At first, it
was used prevent those darn spam bots from submitting all my forms and
sending me email without hindering an actual user. Again, this was/is
used in combination of other defense mechanisms as well.

--
Justin Koivisto, ZCE - justin@koivi.com
http://koivi.com

• Next in forum: PHP5 SOAP Attributes (Redux)
• Prev in forum: Re: PHP Passing Variables Between Pages and Security
• Thread view: Re: PHP Passing Variables Between Pages and Security

[Reply to this message]