0

I have a public form that publish POST data to a PHP script.

This form is not located on the same domain, and doesn't use PHP either so the protection cannot be built around PHP session.

The goal is to allow only this form to post on that PHP script.

How do I provide more security for checking source of the request tells how to implement CSRF protection using PHP session but I wonder how I could do to protect mine without it? Is it possible?

Community
  • 1
  • 1
martin-h
  • 69
  • 1
  • 8

1 Answers1

1

POST requests are harder to fake compared to GET requests, so you have that going for you, which is nice. Just make sure you're not using $_REQUEST in your script.

You cannot use sessions here, but the principles are the same - you gotta implement some kind of a "handshake" between a form and your PHP script. There are a few different approaches if sessions are not an option.

The simplest thing to do would be to check http referrers. This will not work if the form is on http and script is under https, and also can be overcome using open redirect vulnerability.

Another way to go would be captchas. I know, not user friendly or fashionable these days, but that would make request forgery much harder, as hacker could not make his exploit work behind the scenes without any user input. You should look into reCAPTCHA (google's "I am not a robot" checkbox): https://www.google.com/recaptcha/intro/index.html

This is a tricky situation, because form on one host and script on another is basically CSRF in itself, so you want to allow it but only for one host. Complete security without any user interaction might be impossible here, so just try to make it as hard as possible for a would-be hacker to mess with your script, or suffer on the UX side. Personally i would go with reCAPTCHA.

Tadas Paplauskas
  • 1,863
  • 11
  • 15
  • Thank you for that very nice answer. About captcha, I don't understand: how it could protect direct accesses to the PHP processing script from non form/human attempts ? To me it is rather something that is implemented on form side, isn't it ? – martin-h May 26 '16 at 08:36
  • You verify the captcha in your script to find out if there's a human behind the form, regardless if you choose to implement it yourself or use an outside service such as reCAPTCHA. That means that you filter out any scripts pretending to be humans and avoid any "unintentional" calls to the form. – Tadas Paplauskas May 26 '16 at 08:38
  • To clarify, is the user himself wants to use the form on another host, he will do that anyway :). Captchas will help to protect against CSRF, which means a hacker tricking an user into submitting a form without his knowledge. CSRF definition and more: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet – Tadas Paplauskas May 26 '16 at 08:46