
We have form pages where the majority of the fields are required. We use JS to verify the data was entered before forwarding to a backend PHP app.

This is the form tag we use

<form name="order" method="post" action="http://company.com/config/_process.php?" id="order" class="order">

"order" is inspected and a JQuery library is used to validate input:

$(document).ready(function(){
    $('#order').formValidation({
        ....
        .....
    });
});

If the required fields aren't entered the user is presented an "Alert". This has been working for years. But all of a sudden someone is hacking our sites and entering just some of the fields and getting past the JQuery validation.

I've since included checking if JS is enabled ("<noscript>") and if not then don't render the page, but they're getting past this too.

Not sure what I'm missing, but how can you call a PHP app using form/action and get past JS? When viewing the logs, the referrer is the landing page.

Say landing page is: www.ourlandign.com/index.php (form page) form/action: http://company.com/config/_process.php

They're getting to http://company.com/config/_process.php from "www.outlanding.com/index.php

How can this be done? Thanks

user20719
  • Client-side validation is never good enough. Anyone can hit your php without even executing your client-side code. How do you think the browser gets the client-side code? A form with an action attribute is a very easy target for spammers/vulnerability crawlers. They can directly request the form's action bypassing any client-side validation. – Kevin B Apr 17 '17 at 21:55
  • You also need to be checking for `empty`, `NULL` or `unwanted` fields in the "receiving" `PHP` .. This is best practice as anything `JS` can be manipulated in the browser -- `JS` validation should only be a "first line of defense" .. – Zak Apr 17 '17 at 21:56
  • Both your links result in 404 Page Not Found. –  Apr 17 '17 at 21:59
  • @Kevin B I understand that. But the app in the "action" has the referrer of the landing page; say action = www.company.com/process.php and referrer is www.company.com/landing-page.php, [HTTP_REFERER] for www.company.com/process.php is www.company.com/landing-page.php. Please explain how you can call the "action" and still have the referrer equal to the page that had the action? This is the part I don't understand especially since I have JS to prevent that – user20719 Apr 17 '17 at 22:12
  • @Ty Q. I wished I owned "company.com". Just using that as an example – user20719 Apr 17 '17 at 22:13
  • right. and where does the referrer come from? what sets it? https://en.m.wikipedia.org/wiki/Referer_spoofing – Kevin B Apr 17 '17 at 23:10

2 Answers

0

Client-side validation is for normal users. If a malicious user wants to bypass the script then he can post your php page from their form or any other program. To handle the request you must add some server validation. I'm a .NET developer and there are anti-forgery tokens in asp.net forms. You can use a similar forgery token or any kind of captcha in your form and use session variables for the captcha code. Hope this helps.

  • @Sefix Cevik That I understand but that wasn't my question. See my response to Kevin B. How do you call an app and the system variable HTTP_REFERER field in that app is the page that has the "action"? I can call any page using any tool like Fiddler, REST, etc., but to have the HTTP_REFERER equal the actual page that has the action I can't figure out. Example: www.company.com/a.php has a form tag. Why does HTTP_REFERER = www.company.com/a.php in www.company.com/b.php??? – user20719 Apr 17 '17 at 22:32
  • HTTP_REFERER can also be changed. Check this thread. http://stackoverflow.com/questions/9580575/how-to-manually-set-referer-header-in-javascript – Sefik Cevik Apr 17 '17 at 22:41
  • Right, but I don't think is happening. dump of [SERVER] `Server data Array ( [CONTENT_LENGTH] => 220 [CONTENT_TYPE] => application/x-www-form-urlencoded [DOCUMENT_ROOT] => /home1/usera/public_html [GATEWAY_INTERFACE] => CGI/1.1 [HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 [HTTP_ACCEPT_CHARSET] => windows-1251,utf-8;q=0.7,*;q=0.7 [HTTP_ACCEPT_ENCODING] => gzip, deflate [HTTP_ACCEPT_LANGUAGE] => en,en-us;q=0.7,en;q=0.3 [HTTP_CONNECTION] => close [HTTP_HOST] => www.company.com [HTTP_REFERER] => http://landingpage.com/` – user20719 Apr 17 '17 at 22:55
  • Continued [SERVER] `[HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1 [HTTP_X_HTTP_PROTO] => HTTP/1.1 [HTTP_X_LOG_7530] => 109.163.234.8 [HTTP_X_REAL_IP] => 109.163.234.8 [PATH] => /bin:/usr/bin [PHPRC] => /opt/php54/lib [QUERY_STRING] => [REDIRECT_STATUS] => 200 [REMOTE_ADDR] => 109.163.234.8 [REMOTE_PORT] => 33146 [REQUEST_METHOD] => POST [REQUEST_URI] => /config/b.php [SCRIPT_FILENAME] => /home1/usera/public_html/config/b.php [SCRIPT_NAME] => /config/b.php [SERVER_ADDR] => 192.232.223.58 [SERVER_ADMIN] => webmaster@company.com` – user20719 Apr 17 '17 at 22:59
  • Final [SERVER] `[SERVER_NAME] => www.company.com [SERVER_PORT] => 80 [SERVER_PROTOCOL] => HTTP/1.1` – user20719 Apr 17 '17 at 22:59
  • Still possible for a bot to have done it. and there's nothing javascript can do to stop it. – Kevin B Apr 17 '17 at 23:59
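As an added example (not the asker's `_process.php` and not code from either answer), this is what the server side of the "order" form could look like in PHP, combining the session-backed anti-forgery token Sefik Cevik suggests with a repeat of the required-field checks the jQuery validator was doing on the client. The field names, the `form_token` hidden input and the session key are assumptions; the Referer header is intentionally not used as a control, because the client sets it.

```php
<?php
// Added example, not the asker's _process.php. Field names, the form_token
// input name and the session key are assumptions for illustration.
session_start();

// Fields the form treats as required (assumed names).
const REQUIRED_FIELDS = ['name', 'email', 'address', 'quantity'];

function issueFormToken(): string {
    // Called when rendering the form page; the token is kept in the session
    // and emitted as <input type="hidden" name="form_token" value="...">.
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_token'] = $token;
    return $token;
}

function validateOrder(array $post, array $session): array {
    $errors = [];
    // 1. Anti-forgery token: a bot that scraped the <form> and POSTed directly
    //    never rendered the page in this session, so its token will not match.
    $expected = $session['form_token'] ?? '';
    $given    = $post['form_token'] ?? '';
    if ($expected === '' || !hash_equals($expected, $given)) {
        $errors[] = 'invalid or missing form token';
    }
    // 2. Required fields: repeat the client-side checks here, since the jQuery
    //    validation only runs if the client chooses to run it at all.
    foreach (REQUIRED_FIELDS as $field) {
        if (!isset($post[$field]) || trim((string) $post[$field]) === '') {
            $errors[] = "missing required field: $field";
        }
    }
    if (isset($post['email']) && filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not well formed';
    }
    // $_SERVER['HTTP_REFERER'] is deliberately not consulted: it is supplied by
    // the client and any HTTP tool can set it to the landing page URL.
    return $errors;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validateOrder($_POST, $_SESSION);
    unset($_SESSION['form_token']);   // token is single use
    if ($errors) {
        http_response_code(400);
        header('Content-Type: text/plain');
        echo implode("\n", $errors);
        exit;
    }
    // ... process the validated order here ...
}
```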

-1

This can happen easily when bots scrape HTML for <form> tags and just blindly submit an HTTP POST request based on the form input names. There's no way to protect against it beyond just making sure your php form post handler script handles this gracefully.

faffaffaff