Re: Validate Radio Buttons? [message #182387 is a reply to message #182386]
Fri, 02 August 2013 02:10
Jerry Stuckle
Messages: 2598 Registered: September 2010
On 8/1/2013 9:25 PM, Christoph Michael Becker wrote:
> Jerry Stuckle wrote:
>
>> On 8/1/2013 5:16 PM, Twayne wrote:
>>> On 2013-07-31 3:07 PM, Jerry Stuckle wrote:
>>>> On 7/31/2013 2:20 PM, Twayne wrote:
>>>> > Hi all,
>>>> >
>>>> > I was wondering what the general consensus might be on this:
>>>> >
>>>> > Should one Validate Radio Buttons for an online website contact form?
>>>> >
>>> ...
>>>
>>>>
>>>> Good practice means you ALWAYS validate ALL information from the user.
>>>> You may have a radio button on your form - but there is no guarantee the
>>>> request comes from your form.
>>>>
>>>> I can easily build a page which has invalid information and submit it to
>>>> your site. Or even use tools like cURL to feed your site invalid
>>>> information.
>>>>
>>>
>>> Care to share the "how" of doing that, or better yet some code? This
>>> particular form isn't "live" yet or I'd put it somewhere and let you at
>>> it if I didn't have orders to the contrary from on-high :)
>>> I've done my best but it's obviously not enough or my questions
>>> wouldn't exist.
>
> To better understand potential exploits, you may start with RFC 2616,
> the specification of HTTP/1.1[1]. Then you may go along doing some
> simple telnet sessions, e.g.
>
> $ telnet example.com 80
> Trying 93.184.216.119...
> Connected to example.com.
> Escape character is '^]'.
> GET / HTTP/1.1
> Host: example.com
>
> HTTP/1.1 200 OK
> [...]
>
> You may augment your understanding of the HTTP protocol by inspecting
> the HTTP headers that are actually sent and received by a browser (for
> instance, Firefox has Tools->Live HTTP headers). You may reconstruct
> some requests done from the browser with telnet, where you may change
> some of the header fields, watching the results. A trivial example:
> create a file test.php and put it in the web root of your localhost:
>
I am *quite* familiar with the HTTP protocol, having worked with it for
close to 20 years. But there is no need to get into that level,
especially with a relative newbie like Twayne. It only confuses the issue.
A simple page with an HTML form that directs to the page is sufficient
to show how the page can be exploited.
> <?php
>
> echo $_SERVER['HTTP_HOST'];
>
> Then do:
>
> $ telnet localhost 80
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> GET /test.php HTTP/1.1
> Host: surprise
>
> HTTP/1.1 200 OK
> Date: Fri, 02 Aug 2013 01:13:23 GMT
> Server: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7
> X-Powered-By: PHP/5.4.7
> Content-Length: 8
> Content-Type: text/html
>
> surprise
>
> Finally you may simplify and automate such requests by using cURL[2] or
> the PHP cURL extension[3], for example.
>
>> No problem at all. I just build a page on my site (or locally if I have
>> a web server installed) and have the form's action= point at the script
>> on your site. I can place anything I want on the page and it will be
>> sent to your script.
>>
>> There is nothing which requires input to your site to come from a form
>> on your site. It can come from anywhere - something hackers use to
>> their advantage.
>
> As Twayne is checking the referrer, you'd have to spoof that too. Of
> course that is no big deal either, but it should be noted.
>
> [1] <http://tools.ietf.org/html/rfc2616>
> [2] <http://curl.haxx.se/>
> [3] <http://php.net/manual/en/book.curl.php>
>
Yes, it is quite simple to check the referrer. However, that's a poor
thing to check, because it isn't a required field and may not be set.
Additionally, some firewalls/security products will strip the
HTTP_REFERER before sending the data (Norton has been famous for this in
the past - I don't know if they still do it).
The result is that checking HTTP_REFERER will keep out more valid users than
it will block hackers.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
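The point made in this exchange, that a radio button's value must be treated as arbitrary user input because the request need not come from your form, is illustrated by the following added example. It is not code from the thread or from any of the posters; the field name `contact_method`, the allowed values and the script name are assumptions chosen for illustration. The script accepts only a value that the form actually offered and rejects a missing field, an unknown value and a value sent as an array (`contact_method[]=email`), since none of those can originate from a genuine radio button.

```php
<?php
// Added example, not from the original thread. Field name, allowed values
// and script name are assumptions for illustration.
declare(strict_types=1);

// The exact values the real form offers; anything else is forged or broken.
const CONTACT_METHODS = ['email', 'phone', 'post'];

/**
 * Return the submitted radio value if it is one of the values the form
 * offered, otherwise null. Missing, array-typed and unknown values are all
 * rejected: a real radio button can produce none of them.
 */
function validateRadio(array $input, string $field, array $allowed): ?string
{
    // A hostile client can send contact_method[]=email to hand us an array
    // instead of a string, so check the type before comparing.
    if (!isset($input[$field]) || !is_string($input[$field])) {
        return null;
    }
    // Strict comparison: '0' must not match 0, and 'email ' must not match 'email'.
    return in_array($input[$field], $allowed, true) ? $input[$field] : null;
}

if (PHP_SAPI === 'cli') {
    // Constructed submissions, as a browser, a hostile page or cURL might send them.
    $cases = [
        ['contact_method' => 'email'],    // genuine choice from the form
        ['contact_method' => 'fax'],      // value the form never offered
        ['contact_method' => ['email']],  // contact_method[]=email, an array
        [],                               // radio button not sent at all
    ];
    foreach ($cases as $case) {
        var_dump(validateRadio($case, 'contact_method', CONTACT_METHODS));
    }
    // Prints: string(5) "email", then NULL three times.
} elseif (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $method = validateRadio($_POST, 'contact_method', CONTACT_METHODS);
    if ($method === null) {
        http_response_code(400);
        exit('Invalid contact method.');
    }
    // $method is now guaranteed to be one of CONTACT_METHODS.
    echo 'Preferred contact method: ', htmlspecialchars($method, ENT_QUOTES, 'UTF-8');
}
```

To see why the check is needed, post to the script from outside the form with cURL, supplying both a value the form never offered and a spoofed Referer header, for example `curl -d 'contact_method=fax' -H 'Referer: http://yoursite.example/contact.html' http://localhost/contact.php` (hostnames assumed). The referrer check discussed above is satisfied, yet the value still arrives at the script and is only stopped by the allow-list comparison.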