security - _Post from one site

rickyJ

from a securit point of view how is it possible to make sure that any post data only comes from one site (that you define)

for instance if I had a example/MyRegistrationForm.php, which posts to example2/MyUserCreation.php
How could I make sure that the data is only posted from example/MyRegistrationForm.php

I dont want to send this in the post request (since post request can be manipulated), i need to find a way for example2.MyUserCreation.php to know it come from example/MyRegistrationForm.php
Any ideas?

KarlBeK0d3r

hey there, simply use $HTTP_REFERER to match the URL of the page you should have come from.

Put the following code on the second file:

$trueReferer = "http://www.somesite.co.uk/example/MyRegistrationForm.php";
if($trueReferer==$HTTP_REFERER){
//PAGE CODE HERE
}else{
die("cheater");
}

Hope this helps

etully

First of all, it's impossible.

There are a half dozen ways that you can make it difficult for someone to post from anywhere else... and that might be enough for you... but since you used the magic phrase, "from a security point of view", you have to realize that no matter how hard you try, there's nothing you can do to make it 100% impossible to post to the page from some other site.

You can check the referrer variable which will stop average users from posting from anywhere but the real site. But that technique won't stop any of the hackers.

You can put a captcha test (or any other kind of test) and that will stop about 10% of the hackers (the dumb ones).

You have to think of it like this: The data shows up - it just arrives. Your web server was sitting around, waiting for something to do and then Boom! Data arrives. The web is stateless - you don't open and maintain a connection between your web site and the end user's machine.

If you really want to try, check the referrer variable. Also, embed a random number in the form (MyRegistrationForm.php) and write it to a database. Then on the processing page (MyUserCreation.php) when that number gets passed in, check your database to see if you actually did write that number to your database in the last few minutes. If so, then you can be sure that this user did actually visit the form before arriving at the creation page.

But let's say that you don't want me to automatically create a million users on your web site and you used those two tricks. Here's what I'd do: I'd write a script that visits your form, finds the random number, and then create a post (including the random number) and then use Curl to change my referrer variable and post to your User creation page. And then loop, so that I could make a million accounts.

So let's say you put a captcha on the page so that I can't automate the process. Fine, this slows me down so that I can't automate the process - but I can still use Curl to fake the referrer variable, manually provide the captcha, and then alter the value of anything I want in the post ($_REQUEST string), any way that I want. So while you have slowed me down, you haven't done anything to guarantee that I'm actually using your form and posting from your page and that the post came through unaltered.

MarkR

rickyJ wrote:
from a securit point of view how is it possible to make sure that any post data only comes from one site (that you define)

Depends how you mean "comes from".

If you mean, you want to prevent cross-site request forgery, that's relatively easy:

Create a random value and store it somewhere (e.g. in a database)
Put that random value in a hidden field
Require that when the form is POSTed, that random value is correct and the right one. Have a time limit (expiry), and make sure they're only allowed to be used once.

Now, of course, someone could make a web page which screen-scrapes your form and serves a modified version to the user- you can prevent that by doing some IP address check (But beware that this will fail for users who have multi-homed proxies).

You could audit carefully accesses to the form which generates these random values, to see if you can spot any patterns which could indicate screen-scraping (e.g. an unusually large number of requests coming from one IP, non-browser patterns etc).

Of course even the random-value and the IP address check could fail if someone is making a web site which screen-scrapes your form and also uses a server-server post (e.g. the form posts back to THEIR site, their server-side script does some processing then sends it, possibly modified, on to yours).

Doing this would be technically challenging, and you could easily IP-ban them. Log the IP address of every form submission and run regular intrusion detection reports - if a given IP is being used by many people, find out why, and consider IP-banning it.

Mark

etully

MarkR, you are correct that watching for multiple connections from a single IP would be a good way to spot fake posts... but there are bot-nets where a skilled hacker could post from 10,000 IP addresses around the Internet. While that may sound like an obscure situation, it's been happening to one of my clients for about two months.

Remember, you can't simply say "Well, I'm protected from 99.9999% of people on the Internet", because you're not trying to protect your site from the average Internet user who doesn't know what a bot-net is. If your site is worth hacking, you have to protect yourself against the smart hackers. That remaining .00001% of users can do an enormous amount of damage.

All this really boils down to the OP's actual reason for asking the question. Why do you care whether or not people post to your UserCreation.php from anywhere other than your actual forms page? What problem are you trying to fix? If you care because you think that you can prevent people from passing in altered data, then you're pursuing the wrong solution to the problem. If you're trying to prevent a hacker from opening tons of fake user accounts, then this solution is worth attempting but could still fail.

MarkR

Ok, so what they'd need would be:

A web site hosting a normal web server along with some clever scripting
A script which scrapes your form and serves back a modified version to the unsuspecting public, modifying any form fields as necessary, passing the POST parameters back via the same mechanism
To tunnel the traffic between their site and yours via a bot-net, which they'd need to buy and pay to continue to use (As botnet compromised machines are gradually cleaned, you need to continuously pay to buy newly compromised ones)

How much security do you really need?

Even if they had the financial resources to do all of this - pay the developers, buy access to the botnet etc - if you suspected them of doing it (say your user registrations jumped up dramatically, or your users reported the fake site) - you could easily take cheap, quick measures to make it much harder for them to continue to do so.

An ideal solution would be to use HTTPS and encourage your users to verify the legitimacy of your site - this makes a man-in-the-middle attack with a forged site quite tricky (The attackers can still post fake data to HTTPS, but it's harder for them to produce a convincing copy of your site).

Mark