RE: preventing hacked forms
> > I was wondering what the best method is to confirm that the
> > form variables that are submitted were from a page from the
> > server and not some hacker downloading the source and
> > changing stuff. I know you can use CGI.HTTP_REFERER, however
> > this is not always passed by all browsers. Any ideas?
>
> If it's important enough you can pass a form variable with an
> encoded string that uniquely identifies THIS form that you
> handed out. When the form is submitted you validate that the
> encoded string is the same one you gave out, and you don't
> let them be used twice.

That won't stop someone from tampering with the contents of the form that one time, which is all that's really needed.

The underlying issue is unavoidable - if you allow someone to communicate with your web server via HTTP, you can't hide data from that person. All data sent to the browser is transparent to that person, and all data from the browser is subject to tampering by that person.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444

~~ Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: preventing hacked forms
If it's important enough you can pass a form variable with an encoded string that uniquely identifies THIS form that you handed out. When the form is submitted you validate that the encoded string is the same one you gave out, and you don't let them be used twice.

At 02:54 PM 2/23/01 -0500, Greg Wolfinger wrote:
>Hey Guys:
>
>I was wondering what the best method is to confirm that the form variables that are
>submitted were from a page from the server and not some hacker downloading the source
>and changing stuff. I know you can use CGI.HTTP_REFERER, however this is not always
>passed by all browsers. Any ideas?
>
>Thanx
>
>--=@ greg @=--
RE: preventing hacked forms
I would use a client variable myself, which would be set prior to the action page. Then when it's posted, check the client variable for its existence and if it contains the right value. Because client variables by default get stored in the registry, this should not be readable by a hacker that can't get access to the template. So therefore you should be able to test for this and redirect the user...

You might need to pass the cfid & cftoken in case of the user having cookies switched off :-)

This is off the top of my head, and might have a few problems that I might not have thought about.

-----Original Message-----
From: Cold Fusion [mailto:[EMAIL PROTECTED]]
Sent: Saturday, 24 February 2001 8:25 AM
To: CF-Talk
Subject: Re: preventing hacked forms

The way I know of to do this comes from the Perl scripts provided by CyberCash. The idea is that you don't want to simply pass the amount to charge as a form variable, even if it's hidden, as anyone could download the page, modify the amount, then post it. Checking the referrer could help stop many attempts, but not all.

So, what the CyberCash scripts do is first get a post that contains the price. Then a random ID is generated, and a temp file containing the temp ID and the price. The ID is then passed with the rest of the information on a second form post, along with the other order info. When the second post arrives, the price is taken from the temp file, looked up by the ID. That way, the price and the rest of the information are passed separately, so the price can't be changed at the next step.

HTH,

Peter Janett
New Media One Web Services
WEB HOSTING FOR WEB DEVELOPERS
-> Sun, IRIX, NT, Linux <-
PHP, MySQL, Perl, Cold Fusion, MS SQL, ASP, SSI, SSL
http://www.newmediaone.net
[EMAIL PROTECTED]
(303)828-9882

----- Original Message -----
From: "Greg Wolfinger" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Friday, February 23, 2001 12:54 PM
Subject: preventing hacked forms

> Hey Guys:
>
> I was wondering what the best method is to confirm that the form variables that are submitted were from a page from the server and not some hacker downloading the source and changing stuff. I know you can use CGI.HTTP_REFERER, however this is not always passed by all browsers. Any ideas?
>
> Thanx
>
> --=@ greg @=--
Re: preventing hacked forms
The way I know of to do this comes from the Perl scripts provided by CyberCash. The idea is that you don't want to simply pass the amount to charge as a form variable, even if it's hidden, as anyone could download the page, modify the amount, then post it. Checking the referrer could help stop many attempts, but not all.

So, what the CyberCash scripts do is first get a post that contains the price. Then a random ID is generated, and a temp file containing the temp ID and the price. The ID is then passed with the rest of the information on a second form post, along with the other order info. When the second post arrives, the price is taken from the temp file, looked up by the ID. That way, the price and the rest of the information are passed separately, so the price can't be changed at the next step.

HTH,

Peter Janett
New Media One Web Services
WEB HOSTING FOR WEB DEVELOPERS
-> Sun, IRIX, NT, Linux <-
PHP, MySQL, Perl, Cold Fusion, MS SQL, ASP, SSI, SSL
http://www.newmediaone.net
[EMAIL PROTECTED]
(303)828-9882

----- Original Message -----
From: "Greg Wolfinger" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Friday, February 23, 2001 12:54 PM
Subject: preventing hacked forms

> Hey Guys:
>
> I was wondering what the best method is to confirm that the form variables that are submitted were from a page from the server and not some hacker downloading the source and changing stuff. I know you can use CGI.HTTP_REFERER, however this is not always passed by all browsers. Any ideas?
>
> Thanx
>
> --=@ greg @=--
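The two-step scheme Peter describes (random id, price kept in a server-side temp file and looked up on the second post), combined with the single-use form id suggested earlier in the thread and the "validate all fields" advice, as an added example in Python rather than the thread's ColdFusion/Perl; FormServer, its methods and the field names are hypothetical and not code from any poster or from CyberCash:

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class FormServer:
    """Hypothetical server keeping the state a form post must not be trusted to carry."""
    # form_id -> what the server decided when it rendered the form (item, price).
    # Stands in for the CyberCash temp file, or a ColdFusion client/session variable.
    pending: dict = field(default_factory=dict)

    def render_form(self, item: str, price_cents: int) -> dict:
        """Step 1: hand out a form. Only an opaque, unguessable id goes to the browser."""
        form_id = secrets.token_urlsafe(16)  # 128 random bits; unique per form handed out
        self.pending[form_id] = {"item": item, "price_cents": price_cents}
        # Hidden fields the page would carry: note there is no price field at all.
        return {"form_id": form_id, "item": item}

    def handle_post(self, fields: dict) -> dict:
        """Step 2: accept the post only if the id is one we issued and has not been used."""
        # pop() both looks the id up and consumes it, so a replay of the same post fails.
        # A rejected post therefore burns the id; the user reloads the form to try again.
        record = self.pending.pop(fields.get("form_id", ""), None)
        if record is None:
            return {"ok": False, "error": "unknown or already-used form id"}
        # The id does not stop the user editing the other fields that one time (Dave's
        # point), so every user-supplied field is still validated on its own terms.
        qty_raw = fields.get("quantity", "")
        if not qty_raw.isdigit() or not 1 <= int(qty_raw) <= 99:
            return {"ok": False, "error": "quantity must be an integer from 1 to 99"}
        qty = int(qty_raw)
        # The price comes from the server-side record; a "price_cents" field in the post
        # (added by someone who edited the downloaded page) is simply ignored, and the
        # referrer header is never consulted.
        return {"ok": True, "item": record["item"],
                "unit_cents": record["price_cents"],
                "total_cents": record["price_cents"] * qty}
```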
RE: preventing hacked forms
> I was wondering what the best method is to confirm that the
> form variables that are submitted were from a page from the
> server and not some hacker downloading the source and
> changing stuff. I know you can use CGI.HTTP_REFERER, however
> this is not always passed by all browsers. Any ideas?

What you want to do is impossible within the limitations of the HTTP protocol. Any data from the browser is subject to tampering by the user of that browser.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
Re: [Re: preventing hacked forms]
Set a session var on the form page and check it on the action.

"Jim McAtee" <[EMAIL PROTECTED]> wrote:

Validate all fields, then it shouldn't matter if the form was your own or someone else's.

Jim

----- Original Message -----
From: "Greg Wolfinger" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Friday, February 23, 2001 12:54 PM
Subject: preventing hacked forms

> Hey Guys:
>
> I was wondering what the best method is to confirm that the form variables that are submitted were from a page from the server and not some hacker downloading the source and changing stuff. I know you can use CGI.HTTP_REFERER, however this is not always passed by all browsers. Any ideas?
>
> Thanx
>
> --=@ greg @=--
RE: preventing hacked forms
Relying on cgi.http_referer is not a good idea anyway because any cgi var that begins with http_ can be spoofed using CFHTTP. It really only helps to keep the newbies honest.

Sorry I couldn't be of more help with securing the form.

Duane

> -----Original Message-----
> From: Greg Wolfinger [mailto:[EMAIL PROTECTED]]
> Sent: Friday, February 23, 2001 2:55 PM
> To: CF-Talk
> Subject: preventing hacked forms
>
>
> Hey Guys:
>
> I was wondering what the best method is to confirm that the form
> variables that are submitted were from a page from the server and
> not some hacker downloading the source and changing stuff. I
> know you can use CGI.HTTP_REFERER, however this is not always
> passed by all browsers. Any ideas?
>
> Thanx
>
> --=@ greg @=--
Re: preventing hacked forms
Validate all fields, then it shouldn't matter if the form was your own or someone else's.

Jim

----- Original Message -----
From: "Greg Wolfinger" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Friday, February 23, 2001 12:54 PM
Subject: preventing hacked forms

> Hey Guys:
>
> I was wondering what the best method is to confirm that the form variables that are submitted were from a page from the server and not some hacker downloading the source and changing stuff. I know you can use CGI.HTTP_REFERER, however this is not always passed by all browsers. Any ideas?
>
> Thanx
>
> --=@ greg @=--