Faking $_SERVER['HTTP_REFERER']?

Problems with the Windows version of XAMPP, questions, comments, and anything related.

Faking $_SERVER['HTTP_REFERER']?

Postby KallistaAEnvarou » 04. February 2008 10:33

I am using the XMLHttpRequest invented by Microsoft, so I need to use $_SERVER['HTTP_REFERER'] to make sure that people don't submit information directly to my PHP processing files after viewing my JavaScript (which I have hidden via the direct URL but know people can still see it given the right tools). I've heard that the referrer can be faked. How can it be faked in this instance if I've hidden it and I run all HTML changes via it?
KallistaAEnvarou
 
Posts: 126
Joined: 02. December 2007 17:33
Location: Cold Cold California

Postby sari42 » 04. February 2008 11:53

for example by using a Firefox addon: http://stardrifter.org/refcontrol/

(or google for referer spoofing)
sari42
 
Posts: 800
Joined: 27. November 2005 18:28

Postby KallistaAEnvarou » 04. February 2008 11:58

OK, so how can I protect against that? I need to make sure that the $_POST data come from my site and my site alone, and no way I can think of can 100% protect, except this way. I've even thought of XSS, but even that won't completely work because they can look in the JavaScript to find out where to go to get the reset sessions, then fake the $_POST variable.
KallistaAEnvarou
 
Posts: 126
Joined: 02. December 2007 17:33
Location: Cold Cold California

Postby sari42 » 04. February 2008 19:59

in the main application you could set a $_SESSION variable or use a hidden (random) form input and check against it in the response script ....
sari42
 
Posts: 800
Joined: 27. November 2005 18:28

Postby KallistaAEnvarou » 05. February 2008 01:39

Well, the FireBug plugin for FireFox will let people see the HTML changes, so whatever hidden inputs are there people can just look to see what they are and put them in the form they send to my processors.
KallistaAEnvarou
 
Posts: 126
Joined: 02. December 2007 17:33
Location: Cold Cold California

Postby KallistaAEnvarou » 05. February 2008 01:47

Well, the FireBug plugin for FireFox will let people see the HTML changes, so whatever hidden inputs are there people can just look to see what they are and put them in the form they send to my processors.
KallistaAEnvarou
 
Posts: 126
Joined: 02. December 2007 17:33
Location: Cold Cold California

Javascript is too much client-sided

Postby chanio » 12. February 2008 02:28

Hi, I guess that you cannot change that environment variable through your javascript. You need to work with a real server-sided language like PHP. If you need to rewrite that environment variable, constantly, you might keep a session-variable that would have the correct value, and replace the environment value with this one every time that the PHP script is able to write something...
Gallactic Firewall
User avatar
chanio
 
Posts: 72
Joined: 18. March 2003 22:05
Location: Argentina

Postby KallistaAEnvarou » 12. February 2008 05:31

Yeah, that's what I've done. I've also done an onfocus event to replace the value every time one of the body children is focused on, so that in the event of the person switching back and forth among different pages, they can reinstate the value of the page that the user is currently submitting. Hopefully this'll take care of anybody's ability to hack the server with this code.
KallistaAEnvarou
 
Posts: 126
Joined: 02. December 2007 17:33
Location: Cold Cold California


Return to XAMPP for Windows

Who is online

Users browsing this forum: No registered users and 33 guests