question about external form action

[UnknownPlayer]

My question is, when someone make same html form with action that goes on same php file on my server, so i need to know, can my site be hacked in that way ?

I mean if i have form that goes on file /sources/add_user.php and when someone make same html form that goes on www.my-site.com/sources/add_user.php and in that way to add users on my baze ?

[xyph]

Yes, that can be used.

 

No, there's no way to completely prevent this. Requiring a CAPTCHA will slow down the process and make it more difficult.

[UnknownPlayer]

But what if i set to check referrer ulr ?

[DavidAM]

You can use the Referrer, BUT the information it contains was SENT BY THE VISITOR. If I was going to spam somebody's registration page, I would set the referrer to their site so it would not think it was spam.

 

Captcha is a good way to reduce this.

 

You can also generate a hash and store it in the session and in a hidden form field. If the hash you receive with the form does not match the hash in the session, they probably submitted a modified or counterfeit form.

 

You can also store a timestamp in the session, and check that no less than 5 seconds and no more than 60 seconds passed between sending out the form and receiving the post. This can help prevent automated processes, which would be real fast; and copied forms, which would be a real long time. You would, obviously have to fine-tune the number of seconds on both ends based on the amount of information the user has to enter and how tightly you want control.

 

If you ever figure out a way to prevent it 100% ... patent it, copyright it, and sell it. In other words, as long as we accept the anonymous nature of the Web, there will always be people hacking our sites.

[xyph]

CAPTCHA is the best band-aid. A service like reCAPTCHA is free, extremely hard to beat (currently the major services that offer reCAPTCHA breaking are all manually typed) and very familiar to the end user.

 

Tokens are easily worked around, and generally the only time an attacker will use a remote form would be to bypass any client-side verification/checks. Even then, an attacker could simply visit your form page, grab the form/session token, inject it into their form/headers, et viola. Tokens also do nothing to prevent bots, which are a much more common form of attack.

 

Minimum time before submit is okay, but really doesn't prevent automated sign-ups. An attacker could simply run multiple instances of the bot. Too high a number, and you will annoy legit users with auto-form-filling applications, which are starting to come bundled with browsers.

 

TL-DR; CAPTCHA is your ideal solution. Other methods attempted simply aren't as effective or reliable.

[UnknownPlayer]

Ok, thanks..

But i didnt thought this on registration page, i mean on other things like send PM to member, but i will check login cookie for that..

 

[xyph]

That won't prevent a user from posting from an external form.

 

When the browser sends a request to domain.com, it first checks if there are any cookies for the given domain and includes them in the headers. Even if the form is on attacker.com, if the form posts to domain.com, it will include all cookies that exist for domain.com

 

Assuming you make sure the cookie is linked to a valid account, the attacker will have to log-in before posting from the external form.

[UnknownPlayer]

I need to put domain for cookie, like ".example.com" or ?

[xyph]

That will be in your cookie regardless. You cannot set a cookie that works over multiple domains, nor will a browser allow a domain to set a cookie for another domain.

 

Your solution here is CAPTCHA. Any other solution will be bypassed. Even weaker CAPTCHAs get cracked, and that's why I suggested using reCAPTCHA. It is the best known way to prevent automated submissions, and most major sites implement it.

 

There's no way to stop external forms being submitted to your site. You can make it slightly more difficult, but you're adding layers of complexity to your script that IMO aren't needed..

[UnknownPlayer]

Ok, thanks..