Faking $_SERVER['HTTP_REFERER']?

Postby KallistaAEnvarou » 04. February 2008 10:33

I am using the XMLHttpRequest invented by Microsoft, so I need to use $_SERVER['HTTP_REFERER'] to make sure that people don't submit information directly to my PHP processing files after viewing my JavaScript (which I have hidden via the direct URL but know people can still see it given the right tools). I've heard that the referrer can be faked. How can it be faked in this instance if I've hidden it and I run all HTML changes via it?
KallistaAEnvarou
 
Posts: 126
Joined: 02. December 2007 17:33
Location: Cold Cold California

Postby sari42 » 04. February 2008 11:53

For example, by using a Firefox add-on: http://stardrifter.org/refcontrol/

(or Google for "referer spoofing")
sari42
 
Posts: 800
Joined: 27. November 2005 18:28

Postby KallistaAEnvarou » 04. February 2008 11:58

OK, so how can I protect against that? I need to make sure that the $_POST data come from my site and my site alone, and no way I can think of can 100% protect, except this way. I've even thought of XSS, but even that won't completely work because they can look in the JavaScript to find out where to go to get the reset sessions, then fake the $_POST variable.
KallistaAEnvarou
 
Posts: 126
Joined: 02. December 2007 17:33
Location: Cold Cold California

Postby sari42 » 04. February 2008 19:59

In the main application you could set a $_SESSION variable or use a hidden (random) form input and check against it in the response script...
sari42
 
Posts: 800
Joined: 27. November 2005 18:28
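What sari42's suggestion looks like in practice, as an added example that is not code from this thread: a random token stored in $_SESSION, echoed into a hidden input, and checked with hash_equals() in the processing script (assumes PHP 7 or later for random_bytes() and hash_equals()).

```php
<?php
// Added example (not from this thread): the session-bound random token
// sari42 describes. Assumes PHP 7+ for random_bytes() and hash_equals().
session_start();

// Called when rendering the main page. One token per session is enough
// here; generate a fresh one per form if you want single-use tokens.
function issue_form_token(): string
{
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}

// Called by the processing script. hash_equals() is a constant-time
// comparison, so the token cannot be guessed byte by byte via timing.
function verify_form_token($submitted): bool
{
    // A missing token, an array (token[]=...) or a session with no token all fail.
    if (!is_string($submitted) || empty($_SESSION['form_token'])) {
        return false;
    }
    return hash_equals($_SESSION['form_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Unlike HTTP_REFERER, the token is not a client-controlled header: it
    // exists only in the session of a browser that loaded this page first.
    // It does NOT prove the fields are well-formed, so still validate $_POST.
    if (!verify_form_token($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Invalid form token');
    }
    // ... validate and process the remaining $_POST fields here ...
    exit('OK');
}

// Main page: put the token in a hidden input. A script that submits via
// XMLHttpRequest sends the same name/value pair in its POST body.
$token = htmlspecialchars(issue_form_token(), ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="">
    <input type="hidden" name="token" value="<?= $token ?>">
    <input type="text" name="data">
    <button type="submit">Send</button>
</form>
```

The token being visible in the page source is expected: it is tied to the visitor's own session, not kept secret from them, so a request without a matching session and token is rejected regardless of what Referer header it carries.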

Postby KallistaAEnvarou » 05. February 2008 01:39

Well, the Firebug plugin for Firefox will let people see the HTML changes, so whatever hidden inputs are there people can just look to see what they are and put them in the form they send to my processors.
KallistaAEnvarou
 
Posts: 126
Joined: 02. December 2007 17:33
Location: Cold Cold California

JavaScript is too client-side

Postby chanio » 12. February 2008 02:28

Hi, I guess that you cannot change that environment variable through your JavaScript. You need to work with a real server-side language like PHP. If you need to rewrite that environment variable constantly, you might keep a session variable that would have the correct value, and replace the environment value with this one every time the PHP script is able to write something...
Gallactic Firewall
chanio
 
Posts: 72
Joined: 18. March 2003 22:05
Location: Argentina

Postby KallistaAEnvarou » 12. February 2008 05:31

Yeah, that's what I've done. I've also done an onfocus event to replace the value every time one of the body children is focused on, so that in the event of the person switching back and forth among different pages, they can reinstate the value of the page that the user is currently submitting. Hopefully this'll take care of anybody's ability to hack the server with this code.
KallistaAEnvarou
 
Posts: 126
Joined: 02. December 2007 17:33
Location: Cold Cold California
