Faking $_SERVER['HTTP_REFERER']?

PostPosted: 04. February 2008 10:33
by KallistaAEnvarou
I am using the XMLHttpRequest invented by Microsoft, so I need to use $_SERVER['HTTP_REFERER'] to make sure that people don't submit information directly to my PHP processing files after viewing my JavaScript (which I have hidden via the direct URL but know people can still see it given the right tools). I've heard that the referrer can be faked. How can it be faked in this instance if I've hidden it and I run all HTML changes via it?

PostPosted: 04. February 2008 11:53
by sari42
for example by using a Firefox addon: http://stardrifter.org/refcontrol/

(or google for referer spoofing)

PostPosted: 04. February 2008 11:58
by KallistaAEnvarou
OK, so how can I protect against that? I need to make sure that the $_POST data come from my site and my site alone, and no way I can think of can 100% protect, except this way. I've even thought of XSS, but even that won't completely work because they can look in the JavaScript to find out where to go to get the reset sessions, then fake the $_POST variable.

PostPosted: 04. February 2008 19:59
by sari42
in the main application you could set a $_SESSION variable or use a hidden (random) form input and check against it in the response script ....

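sari42's suggestion of a session-stored random value, written out as an added PHP example (not code from this thread): the processing script compares the submitted value with the one the server put in the session and ignores HTTP_REFERER entirely. It assumes PHP 7 or later for random_bytes() and hash_equals(); the names form_token, issue_token and token_is_valid are mine.

```php
<?php
// Added example, not code from the thread. Replaces the HTTP_REFERER check
// with a per-session secret that the processing script compares against.
// Assumes PHP 7+ (random_bytes, hash_equals); function/field names are mine.
declare(strict_types=1);

session_start();

// Create the session secret once; later page loads reuse the same value.
function issue_token(array &$session): string
{
    if (empty($session['form_token'])) {
        // 32 random bytes, hex-encoded: a third-party site cannot guess it.
        $session['form_token'] = bin2hex(random_bytes(32));
    }
    return $session['form_token'];
}

// Compare the submitted token with the session's one. Referer plays no part.
function token_is_valid(array $post, array $session): bool
{
    $expected = $session['form_token'] ?? '';
    $given    = $post['form_token'] ?? '';
    if (!is_string($expected) || $expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);   // constant-time comparison
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Processing side: reject any POST that lacks the current session's token.
    if (!token_is_valid($_POST, $_SESSION)) {
        http_response_code(403);
        exit('Missing or wrong form token.');
    }
    // Only now validate and use the other $_POST fields on the server.
    echo 'Accepted';
} else {
    // Page side: embed the token so the JavaScript sends it with each POST.
    $token = htmlspecialchars(issue_token($_SESSION), ENT_QUOTES, 'UTF-8');
    echo '<form method="post">'
       . '<input type="hidden" name="form_token" value="' . $token . '">'
       . '<input type="submit" value="Send"></form>';
}
```

Anyone who can read the page's HTML can read this token too, but another site cannot, which is all the referer check was trying to establish; the processing script must still validate the posted fields themselves.
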
PostPosted: 05. February 2008 01:39
by KallistaAEnvarou
Well, the Firebug plugin for Firefox will let people see the HTML changes, so whatever hidden inputs are there people can just look to see what they are and put them in the form they send to my processors.

PostPosted: 05. February 2008 01:47
by KallistaAEnvarou
Javascript is too much client-sided

PostPosted: 12. February 2008 02:28
by chanio
Hi, I guess that you cannot change that environment variable through your javascript. You need to work with a real server-sided language like PHP. If you need to rewrite that environment variable, constantly, you might keep a session-variable that would have the correct value, and replace the environment value with this one every time that the PHP script is able to write something...

PostPosted: 12. February 2008 05:31
by KallistaAEnvarou
Yeah, that's what I've done. I've also done an onfocus event to replace the value every time one of the body children is focused on, so that in the event of the person switching back and forth among different pages, they can reinstate the value of the page that the user is currently submitting. Hopefully this'll take care of anybody's ability to hack the server with this code.