Last update:   29-10-2021

Spoofed forms

An attacker copies a target form, edits it (or drops the client-side restrictions entirely) and submits it from a different location. Browser-side controls such as a fixed `<select>` list restrict nothing, so as a defence you must validate every submitted value on the server against your own rules.

Attack

 
<!-- Hacker website -->

<form method="POST" action='yoursite/test.php'>
    <textarea name="gender">monkey</textarea> <!-- Look Here -->
    <inputt type="submit" name="btn_submit"/>
</form>
 
<!-- Your website -->

<form method="POST" action='test.php'>
    Select gender: 
    <select name="gender">
        <option>
        <option value='male'>male
        <option value='woman'>woman
    </select>
    <inputt type="submit" name="btn_submit"/>
</form>
... 5 lines
 
 
if (!empty($_POST['btn_submit'])) {
    if (!empty($_POST['gender'])) {
        echo $_POST['gender']; // monkey // Look here
    }
}

Stream context

 
// hacker site simultation
        
$postVars = array(
    'gender' => 'XXX',
    'btn_submit' => '1',
);

$wrapperOptions = array('http' =>
    array(
     'method'  => 'POST',
     'header'  => 'Content-type: application/x-www-form-urlencoded',
     'content' => http_build_query($postVars, '', '&'),
     'timeout' => 5,
    )
);

$streamContext = stream_context_create($wrapperOptions);
echo file_get_contents("yoursite/test.php", 0, $streamContext);
    // output XXX
... 11 lines
 
 
<!-- Your website -->

<form method="POST" action='test.php'>
    Select gender: 
    <select name="gender">
        <option>
        <option value='male'>male
        <option value='woman'>woman
    </select>
    <inputt type="submit" name="btn_submit"/>
</form>
... 5 lines
 
 
if (!empty($_POST['btn_submit']) 
    && !empty($_POST['gender'])) {
        echo $_POST['gender']; // display XXX
}

Defence

Session secret
 
<!-- Hacker website: the copied form cannot know the per-request secret, so it guesses -->

<form method="POST" action='test.php'>
    <textarea name="gender">monkey</textarea>
    <input type="submit" name="btn_submit"/>
    <input type="hidden" name="secret" value="1">
</form>

// Your website (test.php)

session_start();

if (isset($_POST['btn_submit'])) {
    // compare the submitted secret with the one issued to this session
    if ($_POST['secret'] != $_SESSION['secret']) {  // Look Here
        die("Spoofed Form");
    }
}

// issue a fresh secret for the form rendered below
$secret = md5(uniqid(rand(), true)); // Look Here
$_SESSION['secret'] = $secret;

<form method="POST" action='test.php'>
    Select gender: 
    <select name="gender">
        <option>
        <option value='male'>male
        <option value='woman'>woman
    </select>
    <input type="submit" name="btn_submit"/>
    <input type="hidden" name="secret" value="<?= $secret ?>">
    <!-- Look Here -->
</form>

if (!empty($_POST['btn_submit']) 
    && !empty($_POST['gender'])) {
        echo $_POST['gender']; // not reached for the spoofed request: die() above already printed "Spoofed Form"
}
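As an added example (not the page's own code), the following version of test.php combines the two defences this page names: a server-side whitelist for the gender value and a session-bound form secret. It swaps the page's md5(uniqid(rand(), true)) for random_bytes(), the loose != comparison for hash_equals(), and keeps one token per session instead of regenerating it on every request. ALLOWED_GENDERS, issue_form_token(), token_is_valid() and gender_is_valid() are names chosen here, and the script assumes an ordinary PHP session setup.

```php
<?php
// Added example, not the page's code: whitelist validation plus a session-bound
// form token. Assumes a standard PHP session (file-backed or otherwise).

declare(strict_types=1);

// The only values the <select> legitimately offers; anything else is rejected.
const ALLOWED_GENDERS = ['male', 'woman'];

function issue_form_token(): string
{
    // One token per session, created from a CSPRNG (unlike md5(uniqid(rand()))).
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}

function token_is_valid($submitted): bool
{
    $expected = $_SESSION['form_token'] ?? '';
    // Reject non-string input (e.g. secret[]=1), a missing session token and any
    // mismatch; hash_equals() compares in constant time.
    return is_string($submitted) && $expected !== '' && hash_equals($expected, $submitted);
}

function gender_is_valid($gender): bool
{
    // Server-side whitelist: "monkey" or "XXX" never passes, whatever the client sent.
    return is_string($gender) && in_array($gender, ALLOWED_GENDERS, true);
}

session_start();

if (isset($_POST['btn_submit'])) {
    if (!token_is_valid($_POST['secret'] ?? null)) {
        http_response_code(403);
        die('Spoofed Form');
    }
    if (!gender_is_valid($_POST['gender'] ?? null)) {
        http_response_code(400);
        die('Invalid gender value');
    }
    // Escape on output even though the value passed the whitelist.
    echo htmlspecialchars($_POST['gender'], ENT_QUOTES, 'UTF-8');
}

$secret = issue_form_token();
?>
<form method="POST" action="test.php">
    Select gender:
    <select name="gender">
        <option value="">(choose)</option>
        <option value="male">male</option>
        <option value="woman">woman</option>
    </select>
    <input type="submit" name="btn_submit" value="Send">
    <input type="hidden" name="secret" value="<?= htmlspecialchars($secret, ENT_QUOTES, 'UTF-8') ?>">
</form>
```

Keeping one token for the whole session rather than rotating it on every request avoids a usability failure of the per-request scheme above: with rotation, opening the form in a second tab overwrites the secret the first tab holds, so a legitimate submission from the first tab is rejected as spoofed. The whitelist check is the part that actually enforces "restrict input to your rules"; the token only proves the submitter obtained the form from your site during this session.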
