Spoofed forms
A spoofed form is a copy of the target form that is submitted from a different location, so it can send values the original form never offered.
# Hacker form
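<form method="POST" action="https://yoursite.com/test.php">
    <!-- Look here: a free-text field stands in for the site's <select>, so the
         sender, not your page, decides what "gender" contains. -->
    <textarea name="gender">monkey</textarea>
    <!-- Was written as <inputt>, which is not an HTML element. -->
    <input type="submit" name="btn_submit">
</form>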
# Your website
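<form method="POST" action="test.php">
    Select gender:
    <!-- The option list only limits what a browser offers. It is not a
         whitelist the server can rely on: test.php has to check the value
         it receives against the allowed list itself. -->
    <select name="gender">
        <option></option>
        <option value="male">male</option>
        <option value="woman">woman</option>
    </select>
    <!-- Was written as <inputt>, which browsers ignore, so no submit button
         was rendered and btn_submit was never sent. -->
    <input type="submit" name="btn_submit">
</form>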
# Result
# Handler in test.php, kept as the page's demonstration of the problem.
# It only checks that both fields are non-empty: the value is never compared
# with the <select> options, and it is echoed without htmlspecialchars(),
# so whatever the sender posted is reflected into the page as-is.
if (!empty($_POST['btn_submit']) && !empty($_POST['gender'])) {
    echo $_POST['gender']; # Outputs: monkey!
}
Stream context
The attacker sets the POST variables from a script, using a stream context instead of a form.
# Hacker script
# Field names are copied from the real form; the values are whatever the
# sender chooses.
$postVars = [
    'gender' => 'monkey',
    'btn_submit' => '1',
];
# Options for PHP's http stream wrapper: a form-encoded POST body.
$wrapperOptions = [
    'http' => [
        'method' => 'POST',
        'header' => 'Content-type: application/x-www-form-urlencoded',
        'content' => http_build_query($postVars, '', '&'),
        'timeout' => 5,
    ],
];
$streamContext = stream_context_create($wrapperOptions); # Look Here
# Point for the defender: the request never passes through your HTML form,
# so nothing in the form markup constrains it. test.php receives an ordinary
# POST and has to validate every field on its own.
echo file_get_contents("https://yoursite.com/test.php", 0, $streamContext);
# Outputs: monkey!
# Your website
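<form method="POST" action="test.php">
    Select gender:
    <!-- These options are a browser-side convenience only; the server must
         still check the submitted value against the allowed list. -->
    <select name="gender">
        <option></option>
        <option value="male">male</option>
        <option value="woman">woman</option>
    </select>
    <!-- Was written as <inputt>, which browsers ignore, so no submit button
         was rendered and btn_submit was never sent. -->
    <input type="submit" name="btn_submit">
</form>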
# Result
# Handler in test.php, kept as the page's demonstration of the problem.
# Both checks only test for a non-empty field; neither looks at where the
# request came from or whether the value is one of the form's options.
if (!empty($_POST['btn_submit'])) {
    if (!empty($_POST['gender'])) {
        # Raw echo of request data: no allow-list check, no htmlspecialchars().
        echo $_POST['gender']; # Outputs: monkey!
    }
}
Session secret
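Add a secret value, stored in the session, to your form as a hidden field. The token only shows that the POST follows a page rendered for the same session; the submitted values still have to be validated on the server.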
# Hacker website
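<form method="POST" action="test.php">
    <textarea name="gender">monkey</textarea>
    <!-- Was written as <inputt>, which is not an HTML element. -->
    <input type="submit" name="btn_submit">
    <!-- The copied form cannot read the value stored in the visitor's
         session, so the token here is a guess and the handler rejects it. -->
    <input type="hidden" name="token" value="SpQ0T0tyO%">
</form>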
# Your website
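<?php
# A session is needed so the token can be remembered between rendering the
# form and receiving the POST.
session_start();
# Anti-forgery token: 32 bytes from the CSPRNG, hex-encoded (64 characters).
# The earlier md5(uniqid(rand(), true)) was derived from the clock and a
# non-cryptographic generator, which makes the result guessable; a secret
# that an outsider can predict does not protect the form.
$secret = bin2hex(random_bytes(32));
$_SESSION['secret'] = $secret;
?>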
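<form method="POST" action="test.php">
    Select gender:
    <!-- These options are a browser-side convenience only; the server must
         still check the submitted value against the allowed list. -->
    <select name="gender">
        <option></option>
        <option value="male">male</option>
        <option value="woman">woman</option>
    </select>
    <input type="submit" name="btn_submit">
    <!-- Look here: the hidden field carries the per-session token back to the
         server. It was written as <inputt>, which browsers ignore, so the
         token was never submitted. -->
    <input type="hidden" name="token" value="<?= $secret ?>">
</form>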
# Result
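# Handler in test.php for the token-protected form.
# Assumes session_start() has already run in this request; if it has not,
# no session token is available and every submission is rejected below.
if (isset($_POST['btn_submit'])) {
    # Look here: the hidden field is named "token" in the form, while the
    # session copy is stored under 'secret'. Reading $_POST['secret'] would
    # never see the submitted value.
    $sentToken = $_POST['token'] ?? null;
    $knownToken = $_SESSION['secret'] ?? null;

    # Fail closed when either side is missing or not a string. hash_equals()
    # compares in constant time and without the type juggling of !=.
    if (!is_string($sentToken)
        || !is_string($knownToken)
        || $knownToken === ''
        || !hash_equals($knownToken, $sentToken)) {
        die("Spoofed Form"); # Outputs: Spoofed Form!
    }

    # A valid token only ties the POST to a page rendered for this session.
    # It does not vouch for the value, so check it against the options the
    # form offers and escape it before it goes into the HTML response.
    $allowedGenders = ['male', 'woman'];
    $gender = $_POST['gender'] ?? '';
    if (is_string($gender) && in_array($gender, $allowedGenders, true)) {
        echo htmlspecialchars($gender, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}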