Check where the POST came from

Asked

Viewed 520 times

5

Is there any way to limit the sending of POST forms by third parties to my website? Deny everyone, like there’s the URL that does it like a robot, but I wanted to inhibit, it’s like?

When I say third party I say from another site not being my own.

  • 1

    One of the ways is to examine the HTTP_REFERER server variable, but it can still be forged easily. If you really need protection against this type of submission, it would be the case to use a session variable and an ID in a hidden field of the form, which would limit sending with that ID for a certain time. If the person takes too long in the real form, just present it again, with new hidden ID, keeping the data already filled, and asking that the submission be done again.

  • Frameworks like Laravel 5 limit the type of access of each page by get or post, and if there is a level of permission per user you can still associate the level of access to "post" by certain users only, ie only logged in users with "x" privileges can post on page "y".

  • http://recaptcha.net

  • verify the ip from which the request came would not work? Limit only to the ip of your server

  • @Bacco good idea. but I think they could still get that id if they analyzed the code unless it has a 'seconds limitation' anyway.. Mastria’s response interested me, the IP can also be forged?

  • I don’t really like the idea of putting captcha or using frameworks, even more now that I’m in the middle of an extensive project, I would have to adjust everything again, nor does it scroll, but thank you!

  • @user3715916 id would be different at each session, besides changing in a short time. And it could be used just once each, I can’t imagine that any FW will do much better than that. The advantage of FW is to be ready, but if it is only for this, I think it is better to solve with own code. Even for not needing much.

  • @Elaine what is the purpose of this block? You are, for example, trying to protect a contact form?

  • 1

    I’m trying to protect Flood/spam with a form, I don’t want third parties to use @Peerbr

  • 1

    a captcha would not need to make drastic changes.. just a simple implementation

  • but I don’t like captcha.. there are other ways to solve, because in your case you want to limit to only receive if it comes from your own server..

Show 6 more comments

2 answers

3


For any measure of yours, think of two savings: First, cost of doing nothing (high for a bank, low for a blog) vs. cost of measurement (development, maintenance, friction for legitimate users). Second, measures increase the cost of the attacker more than the cost to you and your users. Security is never absolute and always a compromise.

Limit automated/repeat access (bots/spam)

Forms are abused by flooding manually or automated. Any attack will be as close as possible to a legitimate request - the attacker’s effort will depend on the reward.

  • Use recaptcha etc.
  • Block session or IP after x attempts1
  • Limit sending to x attempts/minute per IP1 or to the entire website (which may harm legitimate users)
  • Return a unique ID that was generated when displaying the form, valid for a single submission and for a limited time (Wikipedia does something similar. The attacker would have to reload the form, increasing the server load)
  • Create a pause interval. If your form responds in 0.5s, a 5s interval is tolerable for users and reduces the number of submissions from 120/s to 12/s
  • Need an e-mail reply
  • Create manual authentication ("your registration needs to be authorized by the administrator").

Limit access of persons not previously authenticated

Remember that HTTP is stateless, no status. In principle, each call you receive without prior history and need to prove that you have approved the issuer before:

  • Prove that the user has been previously authenticated (it provides a cookie or an attribute POST of a session that exists on the server - third parties have to guess or steal the ID of an active session on the server)
  • Prove that he visited another address before (HTTP_REFERER - easily forged)
  • Prove that they know a certain secret (special POST address/password/attribute - can leak or be detected easily).

Limit access to all requests

  • Ban IP sequences (from known offenders, from outside the company/client network, from a certain country - can be forged and disrupt legitimate users by accessing from an unusual place, such as travellers)
  • Ban certain requests (e.g. never receive POST).

1Everything related to IP can be tricked by using multiple Ips, Vpns or acquiring a new IP.

  • The most viable for me would be Provar que o usuário foi autenticado previamente (ele fornece um cookie ou um attributo POST de uma sessão que existe no servidor - mais seguro pois terceiros têm que advinhar ou roubar o ID de uma sessão ativa no servidor) can talk more about?

  • 1

    @Elaine an idea would be to use the captcha with session and combined with ajax, so it would not need authentication, the user would send a POST, the system would request the captcha, if it is human will have to enter the code of the image, After this the user can browse and also can add a timer to expire the session after 10 minutes of inactivity, so you will have to type the captcha again. I think that makes it faster for the user than creating an access account. At the suggestion of captcha, I consider this one of the best possible answers here +1.

  • 1

    @Elaine This describes how Session works in PHP. You start with session_start() at any request, and may use $_SESSION. PHP will take care of the rest for you - to use cookies, puts session.use_cookies = on and session.use_only_cookies = on in php.ini. Note that this does not solve the problem of whosoever can get a Session! Normally, this happens after the user logs in.

-1

Something effective is to check the "dns Reverse lookup". On your hosting provider, set up or ask to set up "dns Reverse lookup" or "reverse dns" in English.

So whenever you receive a request (POST, GET), check the "dns Reverse lookup" by IP.

In PHP there are network functions like gethostbyname, gethostbyaddr and dns_get_record with which you can extract the data to assist in "authentication".

Note that the "dns Reverse lookup" can also be circumvented, so do not trust 100% as if it were an absolute solution. However, it is much safer than checking only HTTP_REFERER. HTTP_REFERER is easily manipulated, including by CURL has an option to do so. But reverse dns requires change in the server configuration that submits the data.

We can say that 99.999% of bots are unable to change the reverse dns of the servers they use because, logistically, bots target millions of servers and would need to modify millions of times the reverse dns of the servers they run their scripts for. It is something unfeasible due to the high cost.

For example, if your site has the www.seu.site address, set the reverse dns to "www.seu.site". In shared hosting server it is not normally allowed to customize, but you can ask the company that manages the server, that at least configure the reverse dns to return a valid name. It usually looks something like "address.provedor.hopedagem".

  • If you know that a person’s IP corresponds to "NET Brazil" (which can be forged by someone forging IP), what is the benefit? See http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/dns-avoid-double-reverse.html

Browser other questions tagged

You are not signed in. Login or sign up in order to post.