Re: Validate Radio Buttons? [message #182386 is a reply to message #182383]
Fri, 02 August 2013 01:25
Christoph Michael Becker

Jerry Stuckle wrote:
> On 8/1/2013 5:16 PM, Twayne wrote:
>> On 2013-07-31 3:07 PM, Jerry Stuckle wrote:
>>> On 7/31/2013 2:20 PM, Twayne wrote:
>>>> Hi all,
>>>>
>>>> I was wondering what the general consensus might be on this:
>>>>
>>>> Should one Validate Radio Buttons for an online website contact form?
>>>>
>> ...
>>
>>>
>>> Good practice means you ALWAYS validate ALL information from the user.
>>> You may have a radio button on your form - but there is no guarantee the
>>> request comes from your form.
>>>
>>> I can easily build a page which has invalid information and submit it to
>>> your site. Or even use tools like cURL to feed your site invalid
>>> information.
>>>
>>
>> Care to share the "how" of doing that, or better yet some code? This
>> particular form isn't "live" yet or I'd put it somewhere and let you at
>> it if I didn't have orders to the contrary from on-high :)
>> I've done my best but it's obviously not enough or my questions
>> wouldn't exist.

To better understand potential exploits, you may start with RFC 2616,
the specification of HTTP/1.1[1]. Then you may go along doing some
simple telnet sessions, e.g.

  $ telnet example.com 80
  Trying 93.184.216.119...
  Connected to example.com.
  Escape character is '^]'.
  GET / HTTP/1.1
  Host: example.com

  HTTP/1.1 200 OK
  [...]

You may augment your understanding of the HTTP protocol by inspecting
the HTTP headers that are actually sent and received by a browser (for
instance, Firefox has Tools->Live HTTP headers). You may reconstruct
some requests done from the browser with telnet, where you may change
some of the header fields, watching the results. A trivial example:
create a file test.php and put it in the web root of your localhost:

  <?php
  echo $_SERVER['HTTP_HOST'];

Then do:

  $ telnet localhost 80
  Trying 127.0.0.1...
  Connected to localhost.
  Escape character is '^]'.
  GET /test.php HTTP/1.1
  Host: surprise

  HTTP/1.1 200 OK
  Date: Fri, 02 Aug 2013 01:13:23 GMT
  Server: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7
  X-Powered-By: PHP/5.4.7
  Content-Length: 8
  Content-Type: text/html

  surprise

Finally you may simplify and automate such requests by using cURL[2] or
the PHP cURL extension[3], for example.

> No problem at all. I just build a page on my site (or locally if I have
> a web server installed) and have the form's action= point at the script
> on your site. I can place anything I want on the page and it will be
> sent to your script.
>
> There is nothing which requires input to your site to come from a form
> on your site. It can come from anywhere - something hackers use to
> their advantage.

As Twayne is checking the referrer, you'd have to spoof that too. Of
course that is no big deal either, but it should be noted.

[1] <http://tools.ietf.org/html/rfc2616>
[2] <http://curl.haxx.se/>
[3] <http://php.net/manual/en/book.curl.php>

--
Christoph M. Becker
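An added example, not code from the original thread, of the server-side validation Jerry recommends: a PHP form handler that accepts the radio value only if it is exactly one of the values the form offers, and that ignores Referer and Host because the telnet session shows they are whatever the client chooses to send. The field name contact_method and its allowed values are assumptions.

```php
<?php
// Added example, not from the original post. The field name contact_method
// and its allowed values are assumptions; adapt them to the actual form.
const CONTACT_METHODS = ['email', 'phone', 'post'];
// Returns the validated radio value, or null if the submission is not
// acceptable. Takes the input array as a parameter so it can be run against
// $_POST in the handler and against hand-built arrays in the self-check.
function validateRadio(array $input, string $field, array $allowed): ?string
{
    // A radio group that was never ticked is simply absent from the request.
    if (!array_key_exists($field, $input)) {
        return null;
    }
    $value = $input[$field];
    // A hand-built request may send an array (field[]=x) instead of the single
    // string a real radio button produces.
    if (!is_string($value)) {
        return null;
    }
    // Strict comparison: '0', '' or 'Email' must not pass as 'email'.
    return in_array($value, $allowed, true) ? $value : null;
}
if (PHP_SAPI === 'cli') {
    // Self-check from the command line: php validate_radio.php
    $cases = [
        [['contact_method' => 'email'], 'email'],
        [['contact_method' => 'fax'], null],      // not one of the buttons
        [['contact_method' => ['email']], null],  // array instead of string
        [[], null],                               // field missing entirely
    ];
    foreach ($cases as [$input, $expected]) {
        if (validateRadio($input, 'contact_method', CONTACT_METHODS) !== $expected) {
            fwrite(STDERR, "self-check failed\n");
            exit(1);
        }
    }
    echo "ok\n";
    exit;
}
// Web handler. Referer and Host are not consulted: both are supplied by the
// client and prove nothing, as the telnet session above shows.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') { http_response_code(405); exit; }
$method = validateRadio($_POST, 'contact_method', CONTACT_METHODS);
if ($method === null) {
    http_response_code(400);
    echo 'Please choose how we should contact you.';
    exit;
}
// ... process the rest of the form using $method ...
```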