2

I've read these webpages:
PHP Form Security With Referer and http://www.mustap.com/phpzone_post_62_how-to-bypass-the-referer-se

So basically my question is how do we determine for certain that the request was sent from our own domain? Or is there no way at all?

(Question targeted at any server side language including but not limited to PHP/JSP/ASP.Net etc)

My Problem: I have a page at http://me.com/login and on form submit, it will post to itself the login particulars. So far so good. until someone else can simply do this 

  <form action="http://me.com/login">
  <input name="password" value="p">
  <input name="username" value="u">
  </form>

and they can send a request to login to my application through their domain. I do not want this. I need a way to make sure that if my page receives a post, its from my domain. Else i will reject it.

Besides, I'm abit shock when i read this: There are plugins for Firefox that allow the user to specify whatever value they want to be supplied as the REFERER. source: http://www.phpbuilder.com/board/showthread.php?t=10324100

So we don't even need a hacker to break it now. Just about anyone could do it.

I need a solution to make sure that i reject ALL requests not from my domain.

Community
  • 1
  • 1
Pacerier
  • 86,231
  • 106
  • 366
  • 634
  • What is the actual problem you are trying to solve? – Matthew Jun 03 '11 at 03:51
  • tag the request (url?) with some unique key you can check at the other end –  Jun 03 '11 at 04:02
  • @konforce I'm trying to see how we could solve the issue at http://www.mustap.com/phpzone_post_62_how-to-bypass-the-referer-se – Pacerier Jun 03 '11 at 09:01
  • @Dagon the whole point of this question is to avoid having to do just that.. – Pacerier Jun 03 '11 at 10:03
  • well as pointed out before, due to the stateless nature of the http protocol - you can't. –  Jun 03 '11 at 10:26
  • @Pacerier, There's no direct way to know if a request "originated" from your server if you are talking about referring pages (i.e., which page generated the link that was responsible for the request). However, if we knew why this was important, then we would be able to tell you what you can do. – Matthew Jun 03 '11 at 12:15
  • If you are worried about cross site forgeries, then the stackoverflow link you supplied in the original post already covers the topic sufficiently. – Matthew Jun 03 '11 at 12:17
  • @konforce no. this question has nothing to do with XSRF – Pacerier Jun 03 '11 at 14:28

3 Answers3

2

So basically my question is how do we determine for certain that the request was sent from our own domain? Or is there no way at all?

You are asking the impossible. There is no way to know for certain that a submit button on a page on your domain generated the request.

You say it's not about CSRF, so I don't know why you are concerned. But the solutions are the same.

  1. Check the HTTP_REFERER header anyway. If it isn't your domain, then reject the request. You'll probably need to accept missing headers though since some people disable it. This doesn't prevent people who mess with their browser settings from spoofing the value though. But it does prevent people who are tricked into submitting the form from another site (assuming they haven't disabled HTTP_REFERER).

  2. Use a "nonce" or temporary token that is only valid for one request. Hence, the person who submits the request must visit your website at least once per request. This is basically the same thing as ensuring that the request originated from your website. You can also tie a nonce to an IP address or session to prevent people from querying your site and relying the token along to another computer.

Matthew
  • 47,584
  • 11
  • 86
  • 98
  • its not about CSRF because im not worried about people trying to trick other people (the system is secure such that even if you did that you won't achieve anything). But I'm trying to prevent ppl from building sort of their own UI and stuff like that which interfaces with my pages through their domain, without my permission you see. – Pacerier Jun 04 '11 at 12:56
  • @Pacerier, what you ask for is impossible. There's no way to force which client (a particular browser, a custom program, etc) that a person uses simply because there's no way to know what they are using. However, if a person is "scraping" your site from a proxy website, then you can simply block that site's IP address. – Matthew Jun 04 '11 at 20:16
1

There's no way to make sure where's the origin of the request. This is the nature of HTTP state-less protocol.

In common Referrer HTTP header is used as the source of request, but it can be manipulated easily.

Xaqron
  • 29,931
  • 42
  • 140
  • 205
  • @Pacerier: Easy to do. Put a `hidden` form variable which contains an encrypted string. Put something in it that will change (i.e. a time-stamp or GUID) so strings for a single domain are different every-time. – Xaqron Jun 03 '11 at 20:27
0

Use a hidden input with an encrypted key that is held on your server, and make it change frequently (I give 30 seconds before it changes!). This wont stop it but will minimise the risk, also, log the failed attempts per IP and block that IP/user after the 4th failed attempt until re-verified via email. If the username that had the failed attempts doesn't match the DB after the 4th time, block the IP and give an email to contact.

davmac
  • 20,150
  • 1
  • 40
  • 68
Frosty
  • 1