I am having trouble submitting parameters to a website via an html code simulating an XSRF attack. I have the html below in which I have set the parameters for the action including an account #, routing #, action, and a value that need to reverse engineer through source code that represents the users session.
When ran, the site either returns "Changes Saved" indicating a successful XSRF attack or returns "XRSF Blocked" indicating I did not derive the fourth value correctly.
However, when I log in to the site and execute the script, nothing is returned and even the page forms are unchanged. I think something in my syntax is probably slightly off. Can someone assist?
<!DOCTYPE html>
<html>
<meta charset="UTF-8"/>
<title>XSRF</title>
</head>
<body onload='document.forms[0].submit();'>
<form action='some_php_file.php' method='POST'>
<input type='hidden' name='action' value='save'/>
<input type='hidden' name='account' value='3192332'/>
</form>
</body>
</html>
Your inputs have no closing tags.
<input type='hidden' name='action' value='save'
<input type='hidden' name='account' value='3192332'
In order to post information, you need a submit input:
<form action='some_php_file.php' method='POST'>
<input type='hidden' name='action' value='save'/>
<input type='hidden' name='account' value='3192332'/>
<input type="submit" name="name" placeholder="placeholder"/>
</form>
Hope this helps :-)
Related
<input type='submit' name='submit' value='Register' class='register' />
how do I make this link to a website on click?
Here's one way of doing it with your present code (submit-type button) using PHP's header() function.
(handler.php)
<?php
if(isset($_POST['submit'])){
header("Location: http://www.example.com/page.php");
exit;
}
And I'm assuming with the code you have in your question, resembling something to the affect of:
<form action="handler.php" method="post">
Username:
<input type='text' name='username' />
<input type='submit' name='submit' value='Register' class='register' />
</form>
Of course I didn't include the possible $username=$_POST['username']; that could be in your PHP, depending on how you will be using it.
EDIT
Upon reading mplungjan's comment have made a slight name change. I've yet to know why using the name submit is considered unsafe, after trying to find the (or a) reason why on Google. I'm hoping to get or find an answer to this affect.
(Edit-findings) See further information below that I found to date.
(handler.php)
<?php
if(isset($_POST['reg_button'])){
header("Location: http://www.example.com/page.php");
exit;
}
And I'm assuming with the code you have in your question, resembling something to the affect of:
<form action="handler.php" method="post">
Username:
<input type='text' name='username' />
<input type='submit' name='reg_button' value='Register' class='register' />
</form>
Findings:
Article(s) I've come across on the subject that mplungjan mentioned in comments:
Why is the NAME attribute considered unsafe?
Cross site scripting
On php-security.org
If you're going to use a PHP (server-side) method, consider using the following, as borrowed from this website's article on Cross site scripting.
<input name="foo" value="<?php print htmlspecialchars($foo); ?>">
and in your case:
<input type='submit' name='reg_button' value='<?php print htmlspecialchars($reg_button); ?>' class='register' />
Borrowed from mplungjan's comment:
1) never call a submit button name="submit"
2) use a link or a button <input type="button" onclick="location='somepage.html'" />
3) Just use name="Submit" or submitted and problems will be avoided.
(Thanks for the extra input mplungjan).
You have to understand the default behavior of the tag you're using. The submit input tag, sends the user to the form action. I'm not sure what you're trying to do, so I'm not sure if you're even using the right tag. Perhaps consider anchor tags?
My best guess, given the vague question is:
<form action="{URL}" method="post">
<input type='submit' name='submit' value='Register' class='register' />
</form>
or
Register
<input type="button" onclick="window.location='YourUrlHere'" class="register" value="Register"/>
You can use anchor tag for this problem, An anchor tag is used to redirect from one page to another page by just one click.
Here you can use this as follow:
<input type='submit' name='submit' value='Register' class='register' />
Note: href is the tag which contains the path of your desired destination.
That's it,
Keep coding... :)
You can go for a Register as just said or if you want you can also use the button tag <button onclick="myFunction()">Click me</button> where myFunction is your JavaScript code to an other page
I currently have a set of hidden input, the values are altered with jQuery.
echo "<input type='hidden' id='stack-information-1' value='$clickedtitle' readonly />
<input type='hidden' id='stack-information-2' value='$guidelinename' readonly />
<input type='hidden' id='stack-information-4' value='$clickedid' readonly />
<input type='hidden' id='stack-information-5' value='$starter' readonly />
<input type='hidden' id='stack-information-6' value='$category' readonly />
<input type='hidden' id='stack-information-7' value='$sid' readonly />
<input type='hidden' id='stack-information-8' value='$clickedposition' readonly />
<input type='hidden' id='stack-information-9' value='0' readonly />";
I don't want the user to be able to change these values via hacking etc. This isn't valuable information, just integers and non-important strings. However what security measures do i take to prevent the user changing these values? Do i save the values in sessions?.. if so how do i access the values with jquery?
Storing them anywhere on the client-side will leave them open to being read.
I suggest if they're only temporarily relevant values to store them in the session and handle them only in the backend when you process whatever call they are related to. (i.e. don't output them to the client at all).
If your javascript needs them to make some modification to the page, that logic should be relocated to the backend and called via ajax to 'ask the server' what the js should do.
The following form causes an empty $_POST variable on IE9.
<form id='login' action='login.php' method='POST' accept-charset='UTF-8'>
<input type='text' name="username" id='username' />
<input type='password' name='password' id='password' />
<input type="text" name="store" />
<input type='submit' name='Submit' value='Submit' />
</form>
The form works perfectly on Firefox and Chrome. All variables appear in the $_POST variable with no issues.
On IE9, however, the form is submitted properly, but $_POST is the empty array. I.e., in login.php:
print_r($_POST);
prints the empty array. I'm trying to figure out what could be different about IE9 that's making it behave differently from Firefox and Chrome and I can't figure it out.
I found mention of some module under Apache that's causing people problems, but I'm running IIS7, not Apache, so that's not it. Someone on a Ruby forum mentioned setting a DisableNTLMPreAuth to 1 in the registry, but that hasn't fixed it either.
Any help is appreciated.
accept-charset is not support in Internet Explorer. Remove it and see if that solves you're problem.
I think this is to do with a double hit - i.e. that IE is re-reloading the page somehow. Have you got some client side stuff (jQuery?) that re-reloads the page by accident as a bug? Try posting to a completely new page and writing <?PHP die ('<pre>'.print_r($_REQUEST,true).'</pre>');?> on the top line and seeing what happens.
plz enter "name" attribute for form.
<form id='login' name='login' action='login.php' method='POST' accept-charset='UTF-8'>
<input type='text' name="username" id='username' />
<input type='password' name='password' id='password' />
<input type="text" name="store" />
<input type='submit' name='Submit' value='Submit' />
</form>
The reason is you are not maintaining the session. In Firefox and Chrome are much smart and they maintain the session irrespective of the Development of the Code, which gives users a good things. But in IE6-9, IE Can't maintain session, developer has to check it and if the session is not maintained every page loaded is a new session and thus there is no post.
I have a form
<form method='post' action='action.php' name='myForm'>
<input type='' name='id' value='id'>
<script>document.myForm.submit();</script>
</form>
Can I submit this form without using JavaScript - only PHP without clicking on the submit button, automatically?
This form must be auto submitted on page load, but not using JavaScript (without onload)
The act of form submission is done on the client side (browser) and has very little to do with PHP (server side).
You could add a submit button like <input type='submit' value='click here to complete step' />
A form must be submit, by the client side. On client-side, there's only two way: by Javascript or by human (clicking on the submit button).
Why not just use the <input type="submit" /> like the following:
<form method='post' action='action.php' name='myForm'>
<input type='text' name='id' value='id' />
<input type='submit' name='submission' value='Submit id'>
</form>
add a submit button.
<input type="submit" value="Submit" />
Unfortunately, what you are trying to do is not possible. The best you can do is probably this:
<form method='post' action='action.php' name='myForm'>
<input type='' name='id' value='id'>
<input type='submit' id='submit-button' />
<script>domument.getElementByID('submit-button').style.display="none";document.myForm.submit();</script>
</form>
A submit button is displayed when client side scripting is disabled. When it's enabled, the submit button is immediately hidden and the form is automatically submitted.
EDIT
Or you could simply include the PHP file. <?php include action.php; ?>. You won't have access to the _POST array, but considering, the client hasn't had chance to enter any data, that won't really matter.
I have a bunch of Aweber forms with just a name and email field on my site. The forms are getting a lot of spam registrations. Is there a way that I can prevent these bots from filling my forms?
<form method='post' action='http://www.aweber.com/scripts/addlead.pl'>
<div style='display:none;'>
<input type='hidden' name='meta_web_form_id' value='-----' />
<input type='hidden' name='meta_split_id' value='' />
<input type='hidden' name='listname' value='-----' />
<input type='hidden' name='redirect' value='-----' />
<input type='hidden' name='meta_adtracking' value='-----' />
<input type='hidden' name='meta_message' value='1' />
<input type='hidden' name='meta_required' value='name,email' />
</div>
<ul class='vMenuForm'>
<li class='lname'>Name(<span class='red'>*</span>):</li>
<li class='name'><input type='text' name='name' value=''/></li>
<li class='lemail'>Email(<span class='red'>*</span>):</li>
<li class='email'><input type='text' name='email' value=''/></li>
<li class='submit'><input class='button' type='submit' name='submit' value=''/></li>
</ul>
<div style='display: none;'><img src='http://forms.aweber.com/form/displays.htm?id=HKwMHMzMTCyM' alt='' /></div>
</form>
This is one of the forms as it exists now. Any ideas?
I would actually put a couple of "honeypot" fields in as type="hidden", such as "last_name", "first_name", as spam bots will usually fill those in. Then, server-side, check to see if those 2 fields are filled in; if so, log the attempt for tracking and stop processing the data. Captchas help some as well, though not as much these days.
Use a captcha system like reCAPTCHA (by Google) or some kind of special "only-humans-can-answer" type thing, like "What day is it today?"
They also have very nice PHP plugins and examples for you. It's very simple, just use it like this:
require_once('recaptchalib.php');
$publickey = "public_key";
echo recaptcha_get_html($publickey);
You could try a few "honeypot" techniques (fields that users can't fill in, usually because are hidden, but fields that bots will normally true to fill in), but bots are learning to counter them these days by detecting if you've set fields the honeypot fields to hidden, both via. CSS and Javscript, so this won't be a guarantee that all bots will be stopped.
I would create the form dynamically using javascript. This should keep the simple Bots from posting your form. Though this solution has drawbacks like your users must have javascript enabled.