I came across a site where a guy sells some PHP scripts. He has a demo page for a $6 rating system. I was wondering, with all the good design of the site, how secure his script is.
First of all, I write about form spoofing and take the guy's script as an example only after I informed him about the security hole in his stuff and saw that he had corrected the problem. I didn't even receive thanks from him :-(
Anyway, look at the demo page (before I do anything):

Pay attention to the number of votes and stars for each car. I saved this page on my local computer as an HTML page, opened it in my text editor and modified it. I'll take only one car as an example because I did the same thing with the other cars. The goal is to give each car a 5-star result with just one click each.
Here is the HTML code for a car-rating form before modification (I stripped all HTML tags like tables, fonts, etc. for readability):
<form method=post>
Rating: <img src="./25star.gif" alt="Average rating: 2.9361702127662"> After 517 Votes
<input type=radio name=note value=5>Excellent
<input type=radio name=note value=4>Very Good
<input type=radio name=note value=3>Good
<input type=radio name=note value=2>Fine
<input type=radio name=note value=1>Bad
<input type=hidden name=envoi value=1>
<input type=hidden name=mpo value=2>
<input type=submit value=Rate>
</form>
First, take a look at the form tag. There is no action attribute, which means the form is submitted to the same URL the page was loaded from. I copied that URL from the browser and added an action attribute to the form tag.
Second, look at the rating average. I want to make it greater than 5 to get my five stars. So I modified the value of the first input tag from 5 to 5000. Now the "Excellent" choice has a value of 5000.
Here is the result:
<form method=post
action="http://searchall.iwebland.com/dt/demo_page.php">
Rating: <img src="./25star.gif" alt="Average rating: 2.9361702127662"> After 517 Votes
<input type=radio name=note value=5000>Excellent
<input type=radio name=note value=4>Very Good
<input type=radio name=note value=3>Good
<input type=radio name=note value=2>Fine
<input type=radio name=note value=1>Bad
<input type=hidden name=envoi value=1>
<input type=hidden name=mpo value=2>
<input type=submit value=Rate>
</form>
I did the same thing for the other cars. I saved my page and opened it in my browser. For each car, I chose the "Excellent" radio button and clicked "Rate".
Here is the result:

All cars get 5 stars with one click. Look at the number of votes (+1).
Conclusion:
In this example the guy assumes that the value of the chosen option is between 1 and 5 and never considered that a user can modify it: the check exists only in the HTML, which the user fully controls.
NEVER, NEVER trust user input data. Validate everything you get from the user on the server side: forms, cookies, request headers, etc.
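To make the conclusion concrete, here is an added example of how the server side of this rating form should handle the submission. It is not the vendor's script (the article never shows it); the field names `note`, `envoi` and `mpo` are taken from the form above, while the vote counters and the "before" snippet that trusts the posted value are my own reconstruction of what the article describes.

```php
<?php
// Added example, not the vendor's code. Field names `note`, `envoi` and
// `mpo` come from the form in the article; the counters are constructed.
declare(strict_types=1);

const MIN_NOTE = 1;
const MAX_NOTE = 5;

// What the article describes (assumed): the posted value is trusted as-is.
// Posting note=5000 pushes the average far above 5 and earns five stars.
function recordVoteTrusting(array $stats, array $post): array
{
    $stats['sum']   += (int) $post['note'];
    $stats['count'] += 1;
    return $stats;
}

// Hardened version: the server decides what a valid vote is, regardless of
// what the HTML sent to the browser said. Returns ['mpo' => int, 'note' => int]
// or throws InvalidArgumentException so the caller can reject the request.
function validateRatingPost(array $post): array
{
    if (($post['envoi'] ?? null) !== '1') {
        throw new InvalidArgumentException('form was not submitted');
    }
    // Item id must be a positive integer; anything else is rejected.
    $mpo = filter_var($post['mpo'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($mpo === false) {
        throw new InvalidArgumentException('bad item id');
    }
    // The vote must be an integer in 1..5. Tampered values such as 5000,
    // "5abc", negative numbers or a missing field all fail here.
    $note = filter_var($post['note'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => MIN_NOTE, 'max_range' => MAX_NOTE]]);
    if ($note === false) {
        throw new InvalidArgumentException('vote out of range');
    }
    return ['mpo' => $mpo, 'note' => $note];
}

function recordVoteValidated(array $stats, array $post): array
{
    $clean = validateRatingPost($post);   // throws on tampered input
    $stats['sum']   += $clean['note'];
    $stats['count'] += 1;
    return $stats;
}

function average(array $stats): float
{
    return $stats['count'] === 0 ? 0.0 : $stats['sum'] / $stats['count'];
}

// Constructed state matching the demo page: 517 votes, average 2.9361702...
// (1518 / 517). Two submissions: the spoofed one from the article and an
// honest "Excellent" click.
$stats    = ['sum' => 1518, 'count' => 517];
$tampered = ['note' => '5000', 'envoi' => '1', 'mpo' => '2'];
$honest   = ['note' => '5',    'envoi' => '1', 'mpo' => '2'];

printf("trusting handler, tampered vote: average %.3f after %d votes\n",
    average(recordVoteTrusting($stats, $tampered)), $stats['count'] + 1);

foreach (['tampered' => $tampered, 'honest' => $honest] as $label => $post) {
    try {
        $after = recordVoteValidated($stats, $post);
        printf("validated handler, %s vote: average %.3f after %d votes\n",
            $label, average($after), $after['count']);
    } catch (InvalidArgumentException $e) {
        printf("validated handler, %s vote: rejected (%s)\n", $label, $e->getMessage());
    }
}
```

Run with `php example.php`. The trusting handler turns the spoofed vote into an average of about 12.58 (which any star renderer caps at five stars), the validated handler rejects it with "vote out of range" and only the honest vote moves the average, to about 2.940. The point is that `filter_var` with `min_range`/`max_range` is the server-side equivalent of the radio buttons: the browser's list of choices is a convenience for the user, never a constraint on the attacker.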
16 Jan 2006 15:27:49
Good hint boss, thx :)
23 Nov 2006 05:54:29
Nice catch. Too bad this is so widespread.
21 Nov 2007 13:00:57
Another good option, which I have been using for a long time, is to use the URL Parameters toolbar for Firefox. You can have more fun ;)
10 Jun 2010 10:20:21
Nice example for those who are in the starting stage in PHP.... how do you prevent form spoofing?
06 Oct 2010 10:35:32
I understand how someone could spoof a form now. But what's the other side of the operation? Is there anything in the HTTP POST that would tell the server where the form submission is coming from? Like, say I have a login page for my PHP web app and I want to make sure that people are ONLY logging in via my page. Is there information in the HTTP POST submission that could be used to track this?