Re: Form Security

Posted by Chung Leong on 03/10/06 17:56

Jerry Stuckle wrote:
> In addition to what Justin said - if someone DOES want to spoof your
> site, they will set HTTP_REFERER to your site. That check is worthless.

I think you misunderstand the problem. Here's how an
auto-form-submission attack works:

1. Victim logs into site A
2. Victim is fooled into going to site B
3. Page at site B has a prefilled form targeting a script at site A.
Through Javascript the form is submitted without any intervention from
the victim.
4. The POST request arrives at site A and is processed as though the
victim had filled it in and submitted it.

The solution proposed by the OP would stop this type of attack, but it
has to be implemented on every form. A check on the referer header
offers incomplete protection but can be easily implemented as a global
check.

In this scenario, it's the victim's computer which is making the POST,
thus spoofing isn't a real concern.
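The two defences compared in the post, as an added example that is not code from the thread: a per-form token (the OP's approach, which has to be emitted and checked in every form) beside a global referer check that can sit in a front controller or an auto_prepend_file. Assumptions: PHP 7+ for random_bytes() and hash_equals(), a session already started with session_start(), and the hypothetical hostname site-a.example standing in for "site A".

```php
<?php
// Added example, not from the original thread. Assumes PHP 7+ and that
// session_start() has already run; SITE_HOST is a placeholder for "site A".
declare(strict_types=1);

const SITE_HOST = 'site-a.example'; // assumed hostname of site A

/** Issue (or reuse) a secret token bound to this session and return it. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Hidden input to embed in every form that must be protected (per-form work). */
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Per-form check. Site B cannot read the token out of site A's page because
 * of the same-origin policy, so its prefilled form cannot carry a valid one.
 */
function csrf_token_valid(array $post): bool
{
    if (empty($_SESSION['csrf_token']) || !isset($post['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token']);
}

/**
 * Global check, callable once for every request. True when the Referer host
 * is ours. The victim's own browser sends the header, so site B cannot forge
 * it; but browsers and proxies may omit it, and treating a missing header as
 * a failure (done here) is what makes the check worth anything.
 */
function referer_is_local(array $server, string $host = SITE_HOST): bool
{
    if (empty($server['HTTP_REFERER'])) {
        return false;
    }
    $refHost = parse_url($server['HTTP_REFERER'], PHP_URL_HOST);
    return is_string($refHost) && strcasecmp($refHost, $host) === 0;
}

// --- In the script at site A that the auto-submitted form targets ---
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!referer_is_local($_SERVER) || !csrf_token_valid($_POST)) {
        http_response_code(403);
        exit('Request rejected: cross-site form submission.');
    }
    // ... process the form as a genuine submission by the logged-in user ...
}
```

referer_is_local() rejects a request whose Referer is absent; allowing it through would let any page that suppresses the header (a browser privacy setting, a proxy, or a page that asks the browser not to send it) pass the check, which is the gap behind the post's "incomplete protection". The cost is that legitimate users whose browsers strip the header are locked out, which is why the per-form token remains the stronger of the two even though it has to be wired into every form.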

Copyright © 2005-2006 Powered by Custom PHP Programming