Fake a $_POST via PHP

Question

I'm all in a security funk right now so I'm going through making everything as secure as possible. I got a login going and I'm referencing this:

http://www.addedbytes.com/writing-secure-php/writing-secure-php-1/

The first example is that of a login and if you say ?authorization=1 you get in. But if I wrap my code around a if($_POST) then the user MUST make a post. Can a user fake a $_POST? How do I go about faking a $_POST?

Answer 1

A user can simply create a file on their local machine with:

<form action="http://yoursite.com/login.php" method="post">
    <input type="text" name="username"  value="hahaha faked it!" />
    <input type="text" name="password" value="hee hee you can't tell this is fake" />
    <input type="submit">
</form>

and boom, "fake" post. In other words, you have to assume that anything and everything the user sends is potentially fake.

Answer 2

Yes they can.

With cURL and other HTTP clients, anybody can fake this.

Watch this

<form method="post" action="http://yoursite/index.php">
    <input type="text" name="authorization" value="1" /><input type="submit">
</form>

Then user saves this as .html in their computer, opens in theirbrowser. Then posts the form.

Answer 3

Two ways, make a curl request, or actually set the post variable on top of the php. E.g:

$_POST['var'] = "WHAT I WANT";

Answer 4

You can use cURL in PHP to POST like so:

$ch = curl_init();
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
curl_setopt($ch,CURLOPT_POST, 1); 
curl_exec($ch);
curl_close($ch);

Answer 5

The $_POST superglobal variable is populated from the query string that's contained in the body of an HTTP POST request. Since the user/client is the one who initiates the HTTP (POST & others) requests to the HTTP server, then yes - the client can "fake" a $_POST array's values & keys. Refer:

• POST (HTTP) @ wikipedia.org
• Methods GET and POST in HTML forms - what's the difference?
• Tamper Data - Firefox add-on @ addons.mozilla.org

Answer 6

In whatever page where the HTML is. Do this very first thing.

<?php
    session_start();
    /** Generate some random numbers */
    $wipit = rand(0,999999999);
    /** Store the WIPIT Generators value in the SESSSION */
    $_SESSION["WIPIT"] = $wipit;
?>

And do this in whatever page you are doing the POSTING validation and other things.

<?php
    session_start();
    /** Check for the REQUEST TYPE and SESSION WIPIT */
    if( isset( $_SERVER['REQUEST_METHOD']) == "POST" and isset($_SESSION["WIPIT"]) and !empty($_SESSION["WIPIT"]) ){
        /* Rest of your code goes here... */
    }
?>

Answer 7

If your website has the problem of not escaping all text properly, it is an XSS weakness that can be exploited by a third party by injecting a (javascript-)script into the page which can use AJAX to send post requests with the users cookies and authority, with the least worst effect being that it could for example log out the user.

Answer 8

...yes a user can "fake" a post (whatever that means). Try tamper data on for size.