1

<!DOCTYPE html>
<html>
<body>
<form action="/submit_page.php" method="post" enctype="multipart/form-data">

    Enter your first name and last name below :<br>
      First name: 
           <input type="text" name="fname"><br>
      Last name:
           <input type="file" name="lname" ><br>

    <input type="submit" value="Submit" name="submit">

</form>
</body> 
</html>

Above form was for only Two input fields

- First Name
- Last Name

Now (Suppose as a hacker) i have modified last name text input field into Last name file input and also added enctype="multipart/form-data" in form attributes and i hit submit.

Its sending data along with file no matters how big it is and server is still receiving it in temp means its eating my server Performance and Bandwidth as well as Clients Bandwidth too but form was designed for only text input

So my question is how to prevent this kind of hacks ?

Vikas Kandari
  • 793
  • 6
  • 10
  • https://stackoverflow.com/questions/4531625/protect-form-hijacking-hack – Masivuye Cokile Jan 22 '18 at 10:51
  • i don't think there is a way to prevent such. As long as the action attribute is visible, attempts for form spoofing is possible. What you can implement is `CSRF` prevention. – Rotimi Jan 22 '18 at 10:52

2 Answers2

1

If users only need to upload files of a max size of 5 MB and a couple of text fields, then limit the total POST content to something like 6 MB.

Here's another answer which describes how to do it in PHP:
Change the maximum upload file size

Here's an answer for NodeJS:
Node.js: how to limit the HTTP request size and upload file size?

And here's an explanation of why this is then only way to limit file uploads:

Limiting the size of uploads

Unfortunately the HTTP specification gets in the way again here. The only piece of useful information available before the contents of the POST is the total size of the POST. This includes all uploaded files, all other fields in the form, any headers etc. As a result, the only thing that we can use to limit uploads is the POST size (duh!). You'll want to consider a limit carefully - it should be low enough to prevent denial of service attack, but high enough to let your users upload the kinds of files you want them to.

Source: Stripes (a Java server-side framework I really like)

DJDaveMark
  • 2,669
  • 23
  • 35
0

You cannot control what is or isn't sent to your server. It's a bit of a paradox. In order to know whether or not a request is valid, a server needs to read the request, thus sorta forcing you to accept all requests.

Really, a hacker wouldn't even need to modify the form. They could just send a request to your server independently, without ever visiting your webpage.

You might want to look into services like Cloudflare.

EKW
  • 2,059
  • 14
  • 24
  • it there any way to terminate it whenever i get a file in form-data – Vikas Kandari Jan 22 '18 at 10:57
  • @VikasKandari Why do you only care about the 'hacker' uploading files? What if, in the `first name` field, the hacker put a name that was a billion letters long? There are services like Cloudflare that protect you from DDoS attacks like these, but other than that, there's not much you can do. – EKW Jan 22 '18 at 10:59
  • Well thats also same problem thats why i am trying to find a suitable solution because my Clients(website owners) are not Millionaires – Vikas Kandari Jan 22 '18 at 11:01