Re: PHP Passing Variables Between Pages and Security
This allows you to be confident that the form was submitted from your
site.

Ok, define "submitted from your site".

It is possible, and I've done this sort of thing on a site where I
had legitimate access, to fetch the form from your site, (using,
e.g. CURL) find the HTML for formToken, pick up the value, and pass
it as a parameter in the next request (again using CURL). Along
the way I can add in any other variables I want and not run any
Javascript on the page. Granted, this *does* load the form
from your site. And I'd have to be logged in to do it, if
that is needed to get to the page.

I tried to do this before as well... Curl wouldn't hold the session id,
so when the post came through, there was no $_SESSION['token'] set to
compare against the $_POST['formToken']

Command-line CURL can and will save cookies (specifically the session
cookie) picked up from one request so you can use them in the next
request. I haven't tried using CURL from PHP, but I assume the
ability to do that is in there also, and the documentation seems
to support this. That should make the first request and the second
be in the same session.

Certainly, it's *possible* to do this, as a browser operated by a
human does it, and it doesn't require any abilities from the human
that are hard to automate (like reading CAPTCHAs).

What exactly are you trying to protect against here? You can protect
against stupid bots that just have the formula for what to submit
for your form, and just keep re-using it. Malicious humans operating
manually are going to be able to get around it easily.

Granted, it's not something your average spambot would do, but it
can be done.

When I get into the office, I'll set up a simple little form for
testing this out again. However, the first tests I ran didn't work at
all. Maybe I'll post the URL of the test form for others to take a try
at. ;)

PS - I'm sure I've mentioned this before, but the method I have been
using comes from Chris Shiflett's "Essential PHP Security," and I see
that the chapter where this is introduced is available for download from
the book's companion site: http://phpsecurity.org (chapter 2)

Gordon L. Burditt
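The exchange the thread argues about, as an added example that is not part of the posts above and not Shiflett's or anyone else's code: a tiny server that stores a per-session token and compares it against the posted formToken (the equivalent of checking $_SESSION['token'] against $_POST['formToken']), plus two clients. The first is the "fixed formula" spambot that re-posts the same fields with no cookie jar and gets rejected because there is no session to compare against. The second does what Gordon describes with curl: GET the form while saving the session cookie (curl -c), scrape the token out of the HTML, then POST it back in the same session (curl -b), adding an extra field and running no JavaScript. The cookie name PHPSESSID, the paths /form and /submit, the field names and the loopback port are all assumptions made for the demo.

```python
"""Token-checked form and two bots: a fixed-formula replay and a cookie-keeping
scraper. Constructed demo; names, paths and cookie name are assumptions."""
import http.cookiejar
import http.server
import re
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request

SESSIONS = {}  # sid -> {"token": ...}; stand-in for PHP's server-side $_SESSION


class Handler(http.server.BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo quiet
        pass

    def _sid(self):
        # session id comes only from the cookie, never from the form fields
        m = re.search(r"PHPSESSID=([0-9a-f]+)", self.headers.get("Cookie", ""))
        return m.group(1) if m else None

    def do_GET(self):
        # Start a session and embed a fresh random token in the form.
        sid, token = secrets.token_hex(16), secrets.token_hex(16)
        SESSIONS[sid] = {"token": token}
        body = ('<form method="post" action="/submit">'
                f'<input type="hidden" name="formToken" value="{token}">'
                '<input name="comment"></form>').encode()
        self.send_response(200)
        self.send_header("Set-Cookie", f"PHPSESSID={sid}; Path=/")
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        n = int(self.headers.get("Content-Length", 0))
        fields = urllib.parse.parse_qs(self.rfile.read(n).decode())
        sess = SESSIONS.get(self._sid())
        posted = fields.get("formToken", [""])[0]
        # isset($_SESSION['token']) && $_SESSION['token'] === $_POST['formToken']
        ok = sess is not None and secrets.compare_digest(sess["token"], posted)
        body = b"accepted" if ok else b"rejected"
        self.send_response(200 if ok else 403)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_server():
    srv = http.server.HTTPServer(("127.0.0.1", 0), Handler)  # ephemeral port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def post_form(base, opener, data):
    req = urllib.request.Request(base + "/submit",
                                 data=urllib.parse.urlencode(data).encode())
    try:
        with opener.open(req) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:  # 403 is a normal outcome here
        return e.code, e.read().decode()


def naive_bot(base):
    """Replays a fixed formula with no cookie jar: no session, so nothing to
    compare the posted token against. Like: curl -d formToken=... /submit"""
    opener = urllib.request.build_opener()
    return post_form(base, opener, {"formToken": "deadbeef", "comment": "spam"})


def scraping_bot(base):
    """Fetch the form keeping the cookie (curl -c jar), pull the token out of
    the HTML, post it back in the same session (curl -b jar), add extra fields."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    with opener.open(base + "/form") as r:
        html = r.read().decode()
    token = re.search(r'name="formToken" value="([^"]+)"', html).group(1)
    return post_form(base, opener,
                     {"formToken": token, "comment": "spam", "extra": "x"})


def demo():
    """Returns ((status, body) for the naive bot, (status, body) for the scraper)."""
    srv, base = start_server()
    try:
        return naive_bot(base), scraping_bot(base)
    finally:
        srv.shutdown()


if __name__ == "__main__":
    print(demo())
```

The server side is the only part that matters for the defence: it rejects anything that arrives without a session holding a token, which is exactly what stops the replay bot, and it accepts anything that arrives with a matching one, which is exactly why a client that keeps the cookie jar and re-reads the form gets through. The token therefore protects against cross-site and fixed-formula submissions, not against a client that is willing to load your form first.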