
I have a website (https://example.com/) that has a form on it. The form uses POST to connect to another website (https://app.example.com/). The other website (https://app.example.com/) connects to a MySQL database. I am getting fake inputs in the database. All of the fake inputs do not have referers. I added this code to the other website (https://app.example.com/) to fix this problem:

$allowed_host = 'example.com';
$referer = $_SERVER['HTTP_REFERER'] ?? '';   // header is often absent; avoid an undefined-index notice
$hacker_page = 'https://app.example.com/hacker.php';
$host = parse_url($referer, PHP_URL_HOST);   // null/false when the referer is empty or unparsable
if ($referer == '') {
    header("Location: $hacker_page");
    exit;   // without exit the script keeps running and the database insert still happens
}
// accept only example.com itself or a subdomain of it (a plain suffix test would also match evil-example.com)
$is_allowed = is_string($host)
    && ($host === $allowed_host || substr($host, -strlen('.' . $allowed_host)) === '.' . $allowed_host);
if (!$is_allowed) {
    header("Location: $hacker_page");
    exit;
}

but I am still getting fake inputs...

Seth B
  • Do you have any way to make use of a token to validate the authenticity of the request? – Script47 Sep 03 '19 at 15:20
  • That is what the $allowed_host is. – Seth B Sep 03 '19 at 15:20
  • Like a cookie?? – Seth B Sep 03 '19 at 15:21
  • Something that doesn't rely on the referer. Could be a secret key passed in the request. – Script47 Sep 03 '19 at 15:21
  • Like a hidden field on the form? – Seth B Sep 03 '19 at 15:21
  • Yes I do, it is a hidden field on the main domain's form. – Seth B Sep 03 '19 at 15:22
  • Similar, but something that couldn't be accessed by a user. – Script47 Sep 03 '19 at 15:22
  • Like what? I really would like not to use cookies... – Seth B Sep 03 '19 at 15:23
  • Anything. For example, [a cryptographically secure random string](https://stackoverflow.com/a/18890309/2263631), `48071997cf20790e33b13dcc256abcdca6bd4a5d139577de65d5cc9b3a07` is the token that is passed and you validate every request to ensure it has a valid token on the other end. If it does, proceed. If not, 403. Ideally the token should have a lifetime so it expires. – Script47 Sep 03 '19 at 15:25
  • How to pass the token without the user seeing it? – Seth B Sep 03 '19 at 15:27
  • That depends on how the request is being made. If the request is being made by the server then you just pass it in the params and they'd never see it. Client side would make it impossible, to my knowledge. – Script47 Sep 03 '19 at 15:28
  • It is a pure HTML form being sent to a secondary domain. – Seth B Sep 03 '19 at 15:31
  • Then the only thing I can suggest is to make the token only work for one request and even then, give it an expiry. But that too isn't 100%. – Script47 Sep 03 '19 at 15:32
  • So no HTTP headers? – Seth B Sep 03 '19 at 15:38
  • ['*The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.*'](https://stackoverflow.com/a/12369682/2263631) - Not the referer anyway. – Script47 Sep 03 '19 at 15:39
  • Thanks for your help, I might try using cookies... It is WordPress, so IDK how to use cookies. – Seth B Sep 03 '19 at 15:41
  • Don't use WordPress but this might help: https://wordpress.stackexchange.com/questions/21752/setting-custom-cookies-in-wordpress – Script47 Sep 03 '19 at 15:43
  • Captcha is the best easy method. – dılo sürücü Sep 03 '19 at 15:49
  • I ended up using captcha. – Seth B Sep 03 '19 at 23:19
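The comments above settle on a token that does not depend on the referer and that has a lifetime. The following is an added example, not code from the question or its commenters, of what that looks like when both sites are run by the same operator and can share a secret: example.com embeds an HMAC-signed, timestamped token in the hidden form field, and app.example.com verifies the signature and the age before touching the database. The constant names `SECRET_KEY` and `TOKEN_TTL` and the field name `form_token` are assumptions for the example.

```php
<?php
// Added example (not from the question). Both sites must share SECRET_KEY;
// keep the real value outside the web root, e.g. in a config file or env var.
const SECRET_KEY = 'replace-with-a-long-random-secret'; // placeholder value
const TOKEN_TTL  = 600;                                  // seconds a token stays valid

// --- On https://example.com/ when rendering the form ---
// Token layout: <issued-unix-time>.<random nonce>.<hmac-sha256 over the first two>
function issue_form_token(?int $now = null): string
{
    $issued  = $now ?? time();
    $nonce   = bin2hex(random_bytes(16));            // 32 hex chars, unguessable
    $payload = $issued . '.' . $nonce;
    $mac     = hash_hmac('sha256', $payload, SECRET_KEY);
    return $payload . '.' . $mac;
}
// In the form template (the user can see the token, but cannot forge one without the key):
// echo '<input type="hidden" name="form_token" value="'
//     . htmlspecialchars(issue_form_token(), ENT_QUOTES) . '">';

// --- On https://app.example.com/ before the database insert ---
function verify_form_token(string $token, ?int $now = null): bool
{
    $now   = $now ?? time();
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return false;                                  // malformed
    }
    [$issued, $nonce, $mac] = $parts;
    if (!ctype_digit($issued) || strlen($nonce) !== 32 || !ctype_xdigit($nonce)) {
        return false;                                  // wrong shape before doing any crypto
    }
    $expected = hash_hmac('sha256', $issued . '.' . $nonce, SECRET_KEY);
    if (!hash_equals($expected, $mac)) {
        return false;                                  // constant-time compare; forged or tampered
    }
    $age = $now - (int) $issued;
    if ($age < 0 || $age > TOKEN_TTL) {
        return false;                                  // expired, or clock skew/future timestamp
    }
    return true;
}

if (PHP_SAPI === 'cli') {
    // Self-check when run from the command line: a fresh token verifies,
    // an expired one and a tampered one do not.
    $fresh = issue_form_token();
    assert(verify_form_token($fresh) === true);
    $old = issue_form_token(time() - TOKEN_TTL - 1);
    assert(verify_form_token($old) === false);
    $tampered = substr($fresh, 0, -1) . (substr($fresh, -1) === '0' ? '1' : '0');
    assert(verify_form_token($tampered) === false);
    echo "token checks passed\n";
} else {
    // Web request handling on app.example.com
    $token = $_POST['form_token'] ?? '';
    if (!verify_form_token($token)) {
        http_response_code(403);
        exit('Forbidden');
    }
    // ... token is valid: proceed with the database insert ...
}
```

The expiry bounds how long a copied token stays useful; to make a token usable for exactly one request, as suggested in the comments, store the nonce on app.example.com when it is first accepted (a table with a unique index on the nonce and the issue time works) and reject any later submission that presents the same nonce. Because the client can read the hidden field, this scheme stops forged submissions from parties without the key and limits replay, but it does not by itself distinguish a human from a script that first loads the real form, which is why a captcha was the asker's final choice.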

0 Answers