Posted by Gordon Burditt on 10/16/67 11:39
>OK, instead of linking to the threads from before, here is an example
>again for protecting against spoofed form submissions:
>
><?php
>session_start();
>$_SESSION['token']=md5('secret string'.time());
>?>
><form method="post" action="process.php">
> <input type="hidden" name="formToken" value="<?php echo
>$_SESSION['token'] ?>" />
>....
></form>
>
>In the process.php:
><?php
>session_start();
>if( isset($_POST['formToken'])
> && isset($_SESSION['token'])
> && $_POST['formToken']==$_SESSION['token']
> ){
> // form submission legit
>}else{
> // spoofed form submit
>}
>?>
>
>
>This allows you to be confident that the form was submitted from your
>site.
Ok, define "submitted from your site".
It is possible, and I've done this sort of thing on a site where I
had legitimate access, to fetch the form from your site, (using,
e.g. CURL) find the HTML for formToken, pick up the value, and pass
it as a parameter in the next request (again using CURL). Along
the way I can add in any other variables I want and not run any
Javascript on the page. Granted, this *does* load the form
from your site. And I'd have to be logged in to do it, if
that is needed to get to the page.
Granted, it's not something your average spambot would do, but it
can be done.
>Of course, when doing defense in depth (as you should be), you'll
>also want to filter input and escape output...
>
>Anyway, I have yet to find a way to be able to spoof around this,
>including using javascript to attempt to read the token value from a
>remote site.
Gordon L. Burditt
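The token check the quoted post describes, rewritten as an added example (not the original poster's code) with a per-session random token, escaped output and a constant-time compare. It assumes PHP 7 or later (for random_bytes) and a single self-posting page, so no process.php is needed.

```php
<?php
// Added example: one self-posting page. GET renders the form with a
// per-session token; POST verifies the token before trusting the submission.
session_start();

// Issue one token per session from the CSPRNG, rather than
// md5('secret string'.time()), so its value cannot be derived from the
// clock plus a fixed string.
if (empty($_SESSION['token'])) {
    $_SESSION['token'] = bin2hex(random_bytes(32));
}

function form_token_is_valid(array $post, array $session): bool
{
    if (!isset($post['formToken'], $session['token'])
        || !is_string($post['formToken'])) {
        return false;   // token missing, or not a plain string
    }
    // hash_equals(): constant-time comparison, no loose-typed == juggling.
    return hash_equals($session['token'], $post['formToken']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (form_token_is_valid($_POST, $_SESSION)) {
        // The submission carried the token this session was issued. That
        // proves the client could read our page as this user: a browser, or,
        // as the reply above notes, a scripted client holding the same
        // session cookie. It does not prove a human clicked the button.
        echo 'form submission legit';
    } else {
        http_response_code(403);
        error_log('form token mismatch from ' . $_SERVER['REMOTE_ADDR']);
        echo 'spoofed form submit';
    }
    exit;
}
?>
<form method="post" action="">
  <input type="hidden" name="formToken"
         value="<?= htmlspecialchars($_SESSION['token'], ENT_QUOTES, 'UTF-8') ?>" />
  ...
</form>
```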