I use $_POST to read data sent through HTML forms to the server, narrowing down attacks exposure.
How can I strengthen security, using some kind of tokens in the form?
The tokens could be readable however with a sniffer.....
**** EDIT *****
I agree the message above is generic...I'll try to give more details!
Ok, a PHP/Server generates emails containing some data for a sort of user-revision; this is accomplished with an HTML email containing HTML forms. When users receive those emails, they edit data in the forms, and send it back to the server, that in turn it will store it in the database.
While for other types of interaction users/server, login/authentication is required, in this case some particular email clients, like mobile phones, do allow reading HTML email messages and process forms, unfortunately without allowing client authentication (server side login) prior processing the form.
What happens on the server side when forms are received?
Well $_POST is used, removing potential GET weakness, however using $_POST will not prevent other kind of attacks, just because a sniffer can easily "read" data being sent.
Data on the server side is parsed and stripped accordingly, removing unsafe Javascript and quoted text to prevent injections and other sort of attacks.
That's why I was looking for a sort of token/nonce technique, however I thought that tokens are sniffable within the form..... and that's where my help request starts!
You are probably refereing to CSRF (Cross site request forgery). Chris Shiftlett wrote an article about it which explains the concept.
Here are a few things you should look into.
SSL Certificates
CSRF Protection
Ok, I have discovered that Wordpress offers it's own API for NONCES.
What I do now is to add an input field in the form containg the NONCE; when user sends form to the server, the NONCE is validate back.
There's a little chance an attacker could gain access using NONCE contained in the form ** ONLY ** during the lap time occurring between NONCE issue/verify. Quite difficult though: the attacker should sniff data, grab the NONCE and use it immediately to load "something" in the database...
What could it be loaded, assuming content is being stripslashed and de-javascripted?
Moreover, as WP NONCES are created using constants:
wp_create_nonce ('my-nonce');
this will require some additional tasks to use variable generated NONCES in such a way for the attacker it will be more difficult to track the pattern to generate the NONCE...
What do you think?
Related
I'm new to web development and I don't know whether it's better to check that user filled out all the fields in a form by using "required" or to check it later using php with empty() and then return user to the front page. What are the upsides and downsides of each method?
I tried both of them and the only difference I could think of is the "Please fill out this field" box when using the html way.
Setting required in html tells users that a field is required and prevents someone from accidentally submitting a form with an empty field. However, people can still send the form with a missing field manually, by creating a request outside of a browser. The PHP should be able to handle that, though it can be as simple as returning an error.
In general, you should use client-side validation like required to tell users what to do, and server-side validation to prevent unintended behavior by bypassing the client.
The bottom line here is that your server-side code cannot cannot trust anything it receives from the client-side.
A web application receiving a HTTP request has no way of knowing whether that request came through a user-interface where some validation was applied to the data before sending, or if someone modified that user interface to remove some checks (which is easy in a browser if you have a little knowledge of the Developer Tools), or if (for example) it came from some sort of bot firing requests directly at your server, or if someone simply opened up PostMan and made the HTTP request by hand.
Therefore, in terms of security and validation, you must implement server-side validation and security procedures if you want to ensure the security and validity of your application and its data.
Client-side validation is great for improving the user experience and performance of your application (so that the user doesn't have to wait for a round-trip to the server before they get feedback on the validity of data they are trying to submit), but since it easily can be bypassed or disabled you cannot rely on that alone to protect your application.
Those are both necessary for making a secure and robust app. That is front-end and back-end validation.
The front-end validation makes it so the user cannot accidentally fill unwanted data into the fields shown. That ensures that users are using the app as intended.
The back-end validation makes sure that the values that are coming in are always values that are expected. What makes this different is that people can bypass front-end validation quite easily, and thus they will abuse this by inserting bad data in your app which can break your whole app completely.
It is necessary to check the validity of the data received from the user on the server, so you must set conditions for it on the server so that invalid data does not enter the database.
Also, to improve the user experience, it is better to have controls in html in addition to the server, this will even make the server not always check and reject the wrong request, so use both of them together.
Hello all,
While taking my time in the bath I though of something interesting. In PHP, how do you tell if the users' forms submitted is valid and not fraud (i.e. some other form on some other site with action="http://mysite.com/sendData.php")? Because really, anyone can create a form that will try send and match $_POST variables in the real backend. How can I make sure that that script is legit (from my site and only my site) so I don't have some sort of cloning-site data-steal thing going on?
I have some ideas but not sure where to start
Generate a one-time key and store in hidden input field
Attempt (however possible) to grab the url on which the form is located (probably not possible)
Using some really complicated PHP goodies to determine where the data is sent (possible)
Any ideas? Thanks all!
Most of these attempts from hackers will be used by curl. It's easy to change the referring agent with curl. You can even set cookies with curl. But spoofing md5 hashed keys with a private salt and storing it in session data will stop most average hackers and bots. Keeping the keys stored in a database will add authentication.
There are few simple ways like:
Checking $_SERVER['HTTP_REFERER'] to ensure your host was the referring script
Adding hashing keys in the forms and checking them with the server session variable stored.
But all the above can be manipulated and spoofed in some way. So, you can use CSRF Validations. Here is a very good article on this.
Other additional techniques I have encountered are:
Adding time limits to forms and ensure they are submitted with in that time.
On every interaction with the form, send AJAX request to validate and reactive the form's timelimit.
HTML5 provides a new input type . The purpose of the element is to provide a secure way to authenticate users.The tag specifies a key-pair generator field in a form.
When the form is submitted, two keys are generated, one private and one public.
The private key is stored locally, and the public key is sent to the server. The public key could be used to generate a client certificate to authenticate the user in the future.
Keygen tag in HTML5
RFC
I don't run a mission critical web site so I'm not looking for an industrial strength solution. However I would like to protect against basic attacks such as someone mocking up a false page on the hard disk and attempting to gain unauthorized access. Are there any standard techniques to ensure that form submission is only accepted from legitimate uses?
A few techniques come close:
Produce a form key for every form. The key would relate to a database record, and something else unique about the page view (the userID, a cookie, etc.). A form cannot be posted if the form key does not match for that user/cookie. The key is used only once, preventing an automated tool from posting again using a stolen key (for that user).
The form key can also be a shared-secret hash: the PHP generating the form can hash the cookie and userID, for example, something you can verify when the form is posted.
You can add a captcha, requiring a user to verify.
You can also limit the number of posts from that user/cookie (throttling), which can prevent certain forms of automated abuse.
You can't guarantee that the form isn't posted from disk, but you can limit how easily it is automated.
You can't. There's no reliable way to distinguish between an HTTP request generated from a user on your page, or a malicious user with their own web-page.
Just use a proper password authentication approach, and no-one will be able to break anything unless they know the password (regardless of where the HTTP requests are coming from). Once you have reliable server-side authentication, you don't need to waste time jumping through non-robust hoops worrying about this scenario.
You should not create a login-system yourself because it is difficult to get it right(security). You should NOT store the passwords(in any form whatsoever) of your users on your site(dangerous) => Take for example lifehacker.com which got compromised(my account too :(). You should use something like lightopenid(as stackoverflow also uses openid) for your authentication.
The remaining forms you have on your site should have the following protection(at least):
CSRF protection: This link explains thorougly what CSRF is and even more important how to protect against CSRF
Use http-only cookies: http-only sessions, http-only cookies
Protect against XSS using filter.
Use PDO prepared statement to protect youself against SQL-injection
i also recommend:
Save the IP of the computer that sends the form (to block it from the server if it.s annoying)
Use CAPTCHA when required, to avoid robots...
Send users to another page when the info is loaded, so the POST data won't be retrieved when you refresh the page.
Proper validation of form data is important to protect your form from hackers and spammers!
Strip unnecessary characters (extra space, tab, newline) from the
user input data (with the PHP trim() function)
Remove backslashes () from the user input data (with the PHP
stripslashes() function)
for more detail, you can refer to Form Validation
I want to validate a form without having to reload the entire page. I am using JavaScript at the moment, however this is massively insecure. To get round this, I want to use AJAX and a PHP script to validate the form. Does anyone know of any security risks this might have?
I also assume the AJAX method is far safer than vanilla JS, but I could be wrong?
They are exactly the same as the risks of validating with pure client side JavaScript. The only difference is that you are asking the server for some data as part of the process.
The user can override the JavaScript to submit the form no matter what the validation outcome is.
The only reason to use JavaScript at all when checking data for submission is to save the user time. If as part of that you want to do something such as asking the server if a username is taken while the user fills out the rest of the form, then great — that is quite a nice use of Ajax. Otherwise, using Ajax is pretty worthless.
If you want to do client side checking, then put all the logic you can for it on the client and avoid making HTTP requests. If you have things that can only be checked server side (because they are based on data, like the example with usernames that are already taken) then consider using Ajax for that. The client side check is the convenience check. Always do the security check server side and on the final submitted data.
Note that validating data that is actually submitted using Ajax is a different matter — since that is the final submitted data. It is doing Ajax validation as a precursor to the final submission that doesn't add any trust to the data.
All AJAX does is offload part of the process to the server, 'hidden' from the client (in the sense the functional handling of your data/variables is hidden). That said, you should be wary of the information being sent to the server, which can be captured or worse, duped. The difference with pure JS is that your functional handling is there for all to see, and potentially exploit.
Validation shouldnt need to be done server side unless you are validating DB content (i.e. uniqueness of a username etc). If you are simply validating whether something is an email, you can do this in JS, eg with a RegEx.
If you are validating DB data, make sure all DB queries variables which originate from sent (POST/GET) variables are escaped using mysql_real_escape_string to prevent SQL injection
You can validate data in AJAX as well as you can do it in pure JavaScript, but you have to re-validate it in your script after it receives the data.
Every client-side validation method can be avoided by sending POST request to your form target.
The main thing to bear in mind here is that when using AJAX you are essentially providing an interface to your database. For example, if you are checking for duplicate usernames (which you CANNOT do in javascript) or duplicate emails, so as to provide a message such as "this username is already in use ... please try another", you are providing an interface for a potential hacker to immediately check which usernames and/or emails are available. The security considerations are NOT the same as for javascript.
My advice to you on this topic is (1) Use parameterised queries to access database as someone has already suggested. (2) Implement a delay on the ajax .php page - the length depends on the scenario - I go for about 1 second (3) Execute ajax on blur, or on loosing focus, not on every keypress, (4) Implement a check in your ajax handler that ensures the request comes from the expected page (ie: not some random script a hacker wrote). (5) ONLY make the AJAX call when some other basic validation of the form element has taken place [ie: the basic javascript validation]
I hope this helps. Form validation using ajax is absolutely nothing like being even remotely similar to javascript validation. It is an interface into your database, and you need to be carefull with it.
It helps to imagine how you would hack into your own site - knowing which email addresses are registered with your site is a great place to start. So I could write a script to generate random email addresses using common words and/or names and hammer your ajax handler to obtain a list of registered email addresses to your site. I could do this quickly IF you didn't follow the advice (1)-(5) I stated above.
Once I have the emails, I just google them ... chances are that gives me a name. I can guess the username from there. So now I have username and emails. Passwords would take too long to explain, but if I can get the usernames or emails that easily ... it marks you out as a target and you will get more attention that you really want.
Im working on a registration validation system at the moment - Id be happy to share it with you if you'd like. Probably I'm missing something important !
Peace out.
I have a form that sends info into a database table. I have it checked with a Javascript but what is the best way to stop spammers entering http and such into the database with PHP when Javascript is turned off?
You could implement a CAPTCHA on the form:
http://en.wikipedia.org/wiki/CAPTCHA
Edit: Also definitely verify form data on the server side and check for html tags etc as usual, but the CAPTCHA should help against automated spam attacks.
Never trust the client. Always validate all data on server side. JavaScript for form validation can just be an additional feature. You could start with basic PHP functions to check if the content contains certain strings you don't like, eg. "http://".
if (strpos('http://', $_POST['message']) !== false) { /* refuse */ }
You can use CSRF protection to prevent spammers, I have found it quite effective.
What it is and how it works
Another sneaky method is to include a "honeypot" field - a hidden field that should never be submitted with content. If it's filled, you know it's spam. Neither of these methods require an annoying CAPTCHA.
There are two things to consider which should be implemented in parallel (maybe there's more).
Captcha (as mentioned before)
Verify your data on server side! You wrote you do this by javascript. This is good, but the very same verification proccess should be written in PHP.
Well, for CAPTCHA you'll have to make it's verification on server side anyway. But even if you decide not to implement captcha, you should make data verification on server side.
I suggest using the htmlentities() function before doing your insert.
Obviously your insert should be done using parametrized queries to interact with the database as well. captcha is certainly an option, but it more serves to limit how often someone can post, not what they can post. Use hmtl escaping (again, the htmlentities() function) to prevent the user from inputting things you don't want.