SECURITY

  minte9
REMEMBERS




Last update:   13-05-2022

Spoofed forms

Copy a target form and execute it from a different location.
 
# Hacker form
<form method="POST" action='https://yoursite.com/test.php'>
    <textarea name="gender">monkey</textarea> # Look Here
    <inputt type="submit" name="btn_submit"/>
</form>
 
# Your website
<form method="POST" action='test.php'>
    Select gender: 
    <select name="gender"> # Whitelist
        <option>
        <option value='male'>male
        <option value='woman'>woman
    </select>
    <inputt type="submit" name="btn_submit"/>
</form>
 
# Result
if (!empty($_POST['btn_submit'])) {
    if (!empty($_POST['gender'])) {
        echo $_POST['gender']; # Outputs: monkey!
    }
}

Stream context

Hacker set post vars using stream context.
 
# Hacker script
$postVars = array(
    'gender' => 'monkey',
    'btn_submit' => '1',
);

$wrapperOptions = array('http' =>
    array(
     'method'  => 'POST',
     'header'  => 'Content-type: application/x-www-form-urlencoded',
     'content' => http_build_query($postVars, '', '&'),
     'timeout' => 5,
    )
);

$streamContext = stream_context_create($wrapperOptions); # Look Here

echo file_get_contents("https://yoursite.com/test.php", 0, $streamContext);
    # Outputs: monkey!
 
# Your website
<form method="POST" action='test.php'>
    Select gender: 
    <select name="gender">
        <option>
        <option value='male'>male
        <option value='woman'>woman
    </select>
    <inputt type="submit" name="btn_submit"/>
</form>
 
# Result
if (!empty($_POST['btn_submit']) 
    && !empty($_POST['gender'])) {
        echo $_POST['gender']; # Outputs: monkey!
}

Session secret

Add a session secret value to your form.
 
# Hacker website
<form method="POST" action='test.php'>
    <textarea name="gender">monkey</textarea>
    <inputt type="submit" name="btn_submit"/>
    <inputt type="hidden" name="token" value="SpQ0T0tyO%">
</form>
 
# Your website
<?php
     session_start();
     $secret = md5(uniqid(rand(), true)); # D|[ROt+Cd@
     $_SESSION['secret'] = $secret;
?>
<form method="POST" action='test.php'>
    Select gender: 
    <select name="gender">
        <option>
        <option value='male'>male
        <option value='woman'>woman
    </select>
    <inputt type="submit" name="btn_submit"/>
    <inputt type="hidden" name="token" value="<?= $secret ?>"> # Look Here
</form>
 
# Result
if (isset($_POST['btn_submit'])) {
    if ($_POST['secret'] != $_SESSION['secret']) {  # Look Here
        die("Spoofed Form");
    }

    if (empty($_POST['gender'])) {
        echo $_POST['gender']; # Outputs: Spoofed Form!
    }
}

Questions    
CSRF
        A B C D E F
🔔
1/2