Re: Validate Radio Buttons? [message #182397 is a reply to message #182386]
Fri, 02 August 2013 23:51
bill
Messages: 310 Registered: October 2010
Senior Member
On 2013-08-01 9:25 PM, Christoph Michael Becker wrote:
> Jerry Stuckle wrote:
>
>> On 8/1/2013 5:16 PM, Twayne wrote:
>>> On 2013-07-31 3:07 PM, Jerry Stuckle wrote:
>>>> On 7/31/2013 2:20 PM, Twayne wrote:
>>>> > Hi all,
>>>> >
>>>> > I was wondering what the general consensus might be on this:
>>>> >
>>>> > Should one Validate Radio Buttons for an online website contact form?
>>>> >
>>> ...
....
>
> To better understand potential exploits, you may start with RFC 2616,
> the specification of HTTP/1.1[1]. Then you may go along doing some
> simple telnet sessions, e.g.
>
> $ telnet example.com 80
> Trying 93.184.216.119...
> Connected to example.com.
> Escape character is '^]'.
> GET / HTTP/1.1
> Host: example.com
>
> HTTP/1.1 200 OK
> [...]
>
> You may augment your understanding of the HTTP protocol by inspecting
> the HTTP headers that are actually sent and received by a browser (for
> instance, Firefox has Tools->Live HTTP headers). You may reconstruct
> some requests done from the browser with telnet, where you may change
> some of the header fields, watching the results. A trivial example:
> create a file test.php and put it in the web root of your localhost:
>
> <?php
>
> echo $_SERVER['HTTP_HOST'];
>
> Then do:
>
> $ telnet localhost 80
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> GET /test.php HTTP/1.1
> Host: surprise
>
> HTTP/1.1 200 OK
> Date: Fri, 02 Aug 2013 01:13:23 GMT
> Server: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7
> X-Powered-By: PHP/5.4.7
> Content-Length: 8
> Content-Type: text/html
>
> surprise
>
> Finally you may simplify and automate such requests by using cURL[2] or
> the PHP cURL extension[3], for example.
>
>> No problem at all. I just build a page on my site (or locally if I have
>> a web server installed) and have the form's action= point at the script
>> on your site. I can place anything I want on the page and it will be
>> sent to your script.
>>
>> There is nothing which requires input to your site to come from a form
>> on your site. It can come from anywhere - something hackers use to
>> their advantage.
>
> As Twayne is checking the referrer, you'd have to spoof that too. Of
> course that is no big deal either, but it should be noted.
>
> [1] <http://tools.ietf.org/html/rfc2616>
> [2] <http://curl.haxx.se/>
> [3] <http://php.net/manual/en/book.curl.php>
>
Hmm, good post Chris! I'll see where that takes me.
Thanks
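The point made above, that a radio button only limits what a browser's own form sends and that the referrer is client-supplied, means the value must be validated on the server against the set of options the form actually renders. The following PHP is an added illustration, not code posted by anyone in this thread; the field name `contact_reason`, the option values and the function `validateRadio` are hypothetical.

```php
<?php
// Added example (not from the thread). A radio button constrains only what a
// browser's own form will send; a request built by hand (telnet, cURL, a form
// hosted on another site) can put any string, no value at all, or even an
// array into the field. The server therefore treats the radio value as
// untrusted input like any other. The Referer header is set by the client and
// can be forged just as easily, so it never decides whether input is accepted.

/**
 * Return the submitted radio value if it is exactly one of the expected
 * options, otherwise null. $allowed is the list of values the form renders.
 */
function validateRadio(array $input, string $field, array $allowed): ?string
{
    if (!array_key_exists($field, $input)) {
        return null;            // nothing selected, or the field was omitted
    }
    $value = $input[$field];
    if (!is_string($value)) {
        return null;            // e.g. contact_reason[]=x arrives as an array
    }
    // Third argument true: compare type and value exactly, no loose matching.
    return in_array($value, $allowed, true) ? $value : null;
}

// Hypothetical form: <input type="radio" name="contact_reason" value="sales">
$allowedReasons = ['sales', 'support', 'other'];

// Constructed submissions standing in for $_POST, including ones a normal
// browser would never produce from this form:
$cases = [
    'normal browser' => ['contact_reason' => 'support'],
    'forged value'   => ['contact_reason' => "support'; DROP TABLE x"],
    'field omitted'  => [],
    'array instead'  => ['contact_reason' => ['sales']],
    'near miss'      => ['contact_reason' => 'Support'],
];

foreach ($cases as $label => $post) {
    $reason = validateRadio($post, 'contact_reason', $allowedReasons);
    printf("%-15s -> %s\n", $label,
        $reason === null ? 'reject' : "accept '$reason'");
}
```

Only the first case is accepted; every other submission is rejected before the value reaches mail, a database or the page output.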