Re: Form Security



Chung Leong wrote:
Jerry Stuckle wrote:

In addition to what Justin said - if someone DOES want to spoof your
site, they will set HTTP_REFERER to your site. That check is worthless.


I think you misunderstand the problem. Here's how an
auto-form-submission attack works:

1. Victim logs into site A
2. Victim is fooled into going to site B
3. Page at site B has a prefilled form targeting a script at site A.
Through Javascript the form is submitted without any intervention from
the victim.
4. The POST request arrives at site A and is processed as though the
victim had filled it in and submitted it.

The solution proposed by the OP would stop this type of attack but it
has to be implemented on every form. A check on the referer header
offers incomplete protection but can be easily implemented as a global
check.

In this scenario, it's the victim's computer which is making the POST,
thus spoofing isn't a real concern.


I know *exactly* how auto-form-submission works. In fact, from your posts here I expect I know a lot more about it than you do. I've been in this field too many years. What you describe is only *one way* it can happen. And it's not even the most common.

Much more common are 'bots which fake the user and post forms. They can set anything they want in the headers, including HTTP_REFERER.

Another way is to act as a kind of proxy - intercepting the data as it flows between the user and the site, changing the HTTP_REFERER and anything else they want (unless you're using SSL).

And this is only the beginning of the number of ways it can be spoofed. It is NOT a reliable source of information!


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@xxxxxxxxxxxxx
==================
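The two defences debated above, as an added example that is not code from either poster: a per-form token bound to the session (the OP's approach, which stops the site-B auto-submit because site B cannot read the token) next to a referer check (the "global" approach, which only means something when the request really comes from a browser that fills in the header honestly). The form name 'transfer', the function names and the session layout are my own assumptions.

```php
<?php
// Added example, not from the original thread. Names here (csrf_token,
// csrf_check, referer_is_local, form name 'transfer') are assumptions.
declare(strict_types=1);

session_start();

// Issue a fresh random token for one named form and remember it in the
// session. A page on another origin cannot read it, so it cannot prefill it.
function csrf_token(string $form): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $_SESSION['csrf'][$form] = $token;
    return $token;
}

// Verify and consume the token that came back with the POST. The token is
// removed before comparing so a replayed request fails even if the first
// one succeeded. Note this only stops cross-site forgery: a bot that holds
// its own session can fetch the form, read the token and post it back.
function csrf_check(string $form, ?string $submitted): bool
{
    $expected = $_SESSION['csrf'][$form] ?? null;
    unset($_SESSION['csrf'][$form]);
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);   // constant-time compare
}

// The referer check from the thread. Browsers set Referer themselves, so
// the auto-submit from site B arrives with site B's host and is rejected.
// Anything that is not a browser (a bot, a proxy on a plain-HTTP hop) sets
// HTTP_REFERER to whatever it wants, so this is a convenience, not a gate.
function referer_is_local(array $server): bool
{
    $referer = $server['HTTP_REFERER'] ?? '';
    $refHost = parse_url($referer, PHP_URL_HOST);
    if ($refHost === null || $refHost === false) {
        return false;                            // missing or unparsable
    }
    $ownHost = explode(':', $server['HTTP_HOST'] ?? '', 2)[0]; // drop port
    return strcasecmp($refHost, $ownHost) === 0;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check('transfer', $_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('Bad or missing form token');
    }
    // referer_is_local($_SERVER) could be logged here as a secondary
    // signal, but the decision above already does not depend on it.
    exit('Transfer accepted');
}

$token = htmlspecialchars(csrf_token('transfer'), ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="">
  <input type="hidden" name="csrf" value="<?= $token ?>">
  <input type="text" name="amount">
  <button type="submit">Transfer</button>
</form>
```

The token has to be emitted and checked on every state-changing form, which is the cost Chung Leong points at; the referer test can sit in one place for all scripts, but as Jerry Stuckle says it protects only against clients that honour the header, so it should never be the only check.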


