Why server-side validation is important, or why spammers love JavaScript validation

There were days when you could just leave your email address out there and have contact, registration and other forms without any forced validation; only a few companies like Yahoo! had CAPTCHA validation…

Yes, those were the days! But now we have JavaScript, CAPTCHA, audio and server-side validation to prevent spam and misuse of forms.

Now, when you are preparing a simple contact form that emails you submissions, a feedback form for your company, an order form, etc., it has come to the point where JavaScript validation is not sufficient. Spammers love JavaScript validation because they can bypass it easily. Try it yourself: find a contact form of that kind, disable JavaScript in your browser and just hit the Submit button. See, it says submitted successfully.

PHPSec.org has a very nice article on this.

Not only can they bypass the required fields, but they can also spoof your form with invalid data and spam you. A simple example:

In order to appreciate the necessity of data filtering, consider the following form located (hypothetically speaking) at http://example.org/form.html:

<form action="/process.php" method="POST">
<select name="color">
<option value="red">red</option>
<option value="green">green</option>
<option value="blue">blue</option>
</select>
<input type="submit" />
</form>

Imagine a potential attacker who saves this HTML and modifies it as follows:

<form action="http://example.org/process.php" method="POST">
<input type="text" name="color" />
<input type="submit" />
</form>

This new form can now be located anywhere (a web server is not even necessary, since it only needs to be readable by a web browser), and the form can be manipulated as desired. The absolute URL used in the action attribute causes the POST request to be sent to the same place.

This makes it very easy to eliminate any client-side restrictions, whether HTML form restrictions or client-side scripts intended to perform some rudimentary data filtering. In this particular example, $_POST['color'] is not necessarily red, green, or blue. With a very simple procedure, any user can create a convenient form that can be used to submit any data to the URL that processes the form.

Spoofed HTTP Requests

A more powerful, although less convenient approach is to spoof an HTTP request. In the example form just discussed, where the user chooses a color, the resulting HTTP request looks like the following (assuming a choice of red):

POST /process.php HTTP/1.1
Host: example.org
Content-Type: application/x-www-form-urlencoded
Content-Length: 9

color=red

The telnet utility can be used to perform some ad hoc testing. The following example makes a simple GET request for http://www.php.net/:

$ telnet www.php.net 80
Trying 64.246.30.37...
Connected to rs1.php.net.
Escape character is '^]'.
GET / HTTP/1.1
Host: www.php.net

HTTP/1.1 200 OK
Date: Wed, 21 May 2004 12:34:56 GMT
Server: Apache/1.3.26 (Unix) mod_gzip/1.3.26.1a PHP/4.3.3-dev
X-Powered-By: PHP/4.3.3-dev
Last-Modified: Wed, 21 May 2004 12:34:56 GMT
Content-language: en
Set-Cookie: COUNTRY=USA%2C12.34.56.78; expires=Wed,28-May-04 12:34:56 GMT; path=/; domain=.php.net
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html;charset=ISO-8859-1

2083
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

Of course, you can write your own client instead of manually entering requests with telnet. The following example shows how to perform the same request using PHP:

<?php

// Accumulates the raw HTTP response (status line, headers and body)
$http_response = '';

$fp = fsockopen('www.php.net', 80);
if (!$fp) {
    die('Could not connect to www.php.net');
}

fputs($fp, "GET / HTTP/1.1\r\n");
fputs($fp, "Host: www.php.net\r\n");
// Ask the server to close the socket after the response; otherwise the
// feof() loop below would block on a keep-alive connection
fputs($fp, "Connection: close\r\n\r\n");

while (!feof($fp))
{
    $http_response .= fgets($fp, 128);
}

fclose($fp);

// Escape the response before printing it so the HTML is shown, not rendered
echo nl2br(htmlentities($http_response));

?>

Sending your own HTTP requests gives you complete flexibility, and this demonstrates why server-side data filtering is so essential. Without it, you have no assurances about any data that originates from any external source.

So, let's make a lesson out of this and validate forms on the server side: validate the HTTP request and its headers and fields before we process the form.

via - http://phpsec.org/projects/guide/2.html
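As an added example (not code from the original post or from the PHPSec guide), here is what the hypothetical /process.php on the receiving end could look like: it validates the submitted color against the three values the <select> offered and, for a contact form that is emailed onward, also checks an email and a message field on the server. The email/message fields and the JSON error response are assumptions, not part of the page.

```php
<?php
// Added example, not from the original post or the PHPSec guide: server-side
// validation for the hypothetical /process.php behind the color form above,
// extended with the email/message fields of a typical contact form (assumed).
// The <select> offered red/green/blue, but $_POST['color'] may be anything.
const ALLOWED_COLORS = ['red', 'green', 'blue'];

/** Validate a submitted form (normally $_POST); never trust client-side limits. */
function validate_form(array $input): array
{
    $errors = [];
    $data = [];
    // color: required, exact match against the allow-list (strict comparison).
    $color = $input['color'] ?? null;
    if (!is_string($color) || !in_array($color, ALLOWED_COLORS, true)) {
        $errors['color'] = 'must be one of ' . implode(', ', ALLOWED_COLORS);
    } else {
        $data['color'] = $color;
    }

    // email: required, well-formed, and free of CR/LF so a spammer cannot
    // smuggle extra headers if the submission is forwarded with mail().
    $email = $input['email'] ?? '';
    if (!is_string($email) || strlen($email) > 254 || preg_match('/[\r\n]/', $email)
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'invalid email address';
    } else {
        $data['email'] = $email;
    }

    // message: required, bounded, with control characters (except \n and \t) removed.
    $message = $input['message'] ?? '';
    if (!is_string($message) || trim($message) === '' || strlen($message) > 2000) {
        $errors['message'] = 'required, at most 2000 bytes';
    } else {
        $data['message'] = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $message);
    }

    return ['ok' => $errors === [], 'data' => $data, 'errors' => $errors];
}

// Reject bad input with 400 instead of reporting "submitted successfully".
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $result = validate_form($_POST);
    if (!$result['ok']) {
        http_response_code(400);
        header('Content-Type: application/json');
        exit(json_encode(['errors' => $result['errors']]));
    }
    // Only the validated copies in $result['data'] are used from here on.
}
```

Note that the checks run on the raw request data, so a spoofed form, a telnet session or a scripted client all get the same 400 as a browser with JavaScript disabled.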
