
I am a complete noob when it comes to anything security, PHP, or session related, but I'm curious as to why this won't work.

So let's say you have one php file that the user completes a form on, and then you POST the variables via ajax to another php file. (I understand that this isn't secure because any form made by an attacker could POST any variables to that file from another source.) But let's say you do this:

1.php

```php
<?php
session_start();
// generate a randomized value and keep a server-side copy for 2.php to compare against
$ran = bin2hex(random_bytes(16));
$_SESSION['ran'] = $ran;
?>
<script>
$.ajax({
    url:  "2.php",
    type: 'POST',
    // send $ran to 2.php under the name "random"
    data: { random: "<?php echo $ran; ?>" }
});
</script>
```

2.php

```php
<?php
session_start();

// the value generated by 1.php (a require of 1.php here would generate a fresh $ran instead)
$ran    = $_SESSION['ran'] ?? null;
$random = $_POST['random'] ?? null;

if ($ran === null || $ran !== $random) {
    die();
} else {
    // continue...
}
```

Why won't this be safe? Is it session related?

Scott
  • What you're referring to is known as a [nonce](http://stackoverflow.com/questions/5410238/how-to-check-if-a-request-if-coming-from-the-same-server-or-different-server) – Brett Gregson Jul 28 '16 at 17:21
  • @eskimo okay! thanks – Scott Jul 28 '16 at 17:28
  • @Scott and the vulnerability it addresses is a CSRF vulnerability. https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) – ceejayoz Jul 28 '16 at 17:35

1 Answer

When you talk about security, you have to discuss it in terms of attack vectors.

As mentioned in the comments, the strategy you mentioned above will mitigate CSRF attacks, where a user's browser is manipulated into submitting a request to your site which they did not intend to send.

However, if the user is the one attempting to exploit your site, your nonce is ineffective. For example: if I am logged into your site, and I want to attempt a SQL injection attack, I can take the generated nonce and submit it along with a crafted request of my choosing.

In short, the method you describe will not protect against malicious users who want to send arbitrary requests to your server.

Sam Dufel
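The following is an added example, not code from the question or the answer, showing the two points made above in one place: a session-bound token that rejects requests not originating from a page this session loaded (the CSRF case), and a handler that still treats the request body as untrusted because a logged-in user can send anything alongside a valid token (the SQL injection case). The file names 1.php and 2.php are taken from the question; the `$pdo` database handle, the `comments` table and the `#comment` form field are assumptions made up for the example, and jQuery is assumed to be loaded on the page.

```php
<?php
// Added example (not from the question or answer): a session-bound CSRF token plus
// ordinary input validation on the receiving side.
// Assumptions: PHP sessions are enabled, 1.php and 2.php are on the same origin,
// $pdo is a PDO connection and the "comments" table exists (all hypothetical).

session_start();

// Issue one random token per session and remember it server-side.
// The token is never derived from anything the client controls.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare in constant time; a missing token or missing session value rejects the request.
function csrf_valid(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// 1.php side: the script that posts the form field together with the token.
// A cross-site page cannot read this token, so its forged request fails the check in 2.php.
function token_script(): string
{
    $token = json_encode(csrf_token());
    return '<script>$.ajax({url: "2.php", type: "POST", data: {random: ' . $token
         . ', comment: $("#comment").val()}});</script>';
}

// 2.php side: the token check comes first, but it only proves that the request came
// from a page this session loaded. The body is still attacker-controlled (the logged-in
// user can send whatever they like), so it is validated and bound as a query parameter
// rather than concatenated into SQL.
function handle_post(array $post, PDO $pdo): string
{
    if (!csrf_valid($post['random'] ?? null)) {
        http_response_code(403);
        return 'rejected: bad or missing CSRF token';
    }

    $comment = trim((string)($post['comment'] ?? ''));
    if ($comment === '' || strlen($comment) > 1000) {
        http_response_code(400);
        return 'rejected: invalid comment';
    }

    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $comment]);
    return 'ok';
}
```

In 1.php, `echo token_script();` emits the AJAX call with the token already embedded; in 2.php, `echo handle_post($_POST, $pdo);` runs the check and the insert. Note that the token check and the input validation are independent: removing the former lets a third-party page submit on the user's behalf, removing the latter lets the user themselves submit malformed or hostile data even though every token they present is genuine.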