Re: Form Security

From: "Chung Leong" <chernyshevsky@xxxxxxxxxxx>
Date: 10 Mar 2006 07:56:43 -0800

Jerry Stuckle wrote:

In addition to what Justin said - if someone DOES want to spoof your
site, they will set HTTP_REFERER to your site. That check is worthless.

I think you misunderstand the problem. Here's how an
auto-form-submission attack works:

1. Victim logs into site A
2. Victim is fooled into going to site B
3. Page at site B has a prefilled form targetting a script at site A.
Through Javascript the form is submitted without any intervention from
the victim.
4. The POST request arrives at site A and is processed as though the
victim has filled and submitted.

The solution proposed by the OP would stop this type of attacks but it
has to be implemented on every form. A check on the referer header
offers incomplete protection but can be easily implemented as a global
check.

In this scenario, it's the victim's computer which is making the POST,
thus spoofing isn't a real concern.

.

Follow-Ups:
- Re: Form Security
  - From: Jerry Stuckle

References:
- Form Security
  - From: Scott
- Re: Form Security
  - From: Chung Leong
- Re: Form Security
  - From: Jerry Stuckle

Prev by Date: Re: getting other webpage results in to php page
Next by Date: site help
Previous by thread: Re: Form Security
Next by thread: Re: Form Security
Index(es):
- Date
- Thread

Relevant Pages

Re: Form Security
... auto-form-submission attack works: ... Victim is fooled into going to site B ... Much more common or 'bots which fake the user and post forms. ... JDS Computer Training Corp. ...
(comp.lang.php)
Re: Who is Jesus
... But so is the victim. ... But we can't force-feed the victim with pork, ... I see no reason not to feed the convicts with it... ... I believe you misunderstand. ...
(uk.radio.amateur)