How to prevent POST from outside the server?


Viewed 716 times

4

I’m creating an app and I didn’t want some smart-ass thinking about changing the action of an HTML POST form to send whatever values he wants, so I used a method in PHP:

        <?php
        // Referer check as originally posted, comments translated.
        // HTTP_REFERER is sent by the client; it may be absent (hence the ?? '') or forged.
        $referral   = $_SERVER['HTTP_REFERER'] ?? '';
        $origin     = "https://google.com";                              // not used by the check below
        $origin2    = "https://sitepermitido.com/arquivodeorigem.php";
        $refervalid = 0;

        // Test whether the form was submitted from the original page
        if ($referral == $origin2) {
            $refervalid = 1;
        }

        if (!$refervalid) {
            // Data sent from an external server?
            echo "Acesso negado";
            exit;
        }

But I’ve seen a lot of people say that this is unsafe, that someone can just "fake" a Referer with cURL or something. Then I saw a guy on the Internet suggesting .htaccess, like this:

# Posted as found. Two remarks: a <Directory> section is only valid in the main
# server configuration (httpd.conf or a vhost), not inside .htaccess, which is
# why Apache answers with a 500; and Order/Deny/Allow is the Apache 2.2
# access-control syntax (needs mod_access_compat on 2.4).
<Directory /home/sportfacil/public_html/pastadaaplicação>
   Options Indexes FollowSymLinks
   AllowOverride All
   Order deny,allow

   Deny from all
   Allow from 127.0.0.1
   Allow from localhost
   Allow from ::1
</Directory>

But this returns error 500; I tried several other methods in .htaccess, but it ends up blocking everything, even when the internal page submits the form.

Is there any more effective way to prevent an external action?

  • 2

    The wise guy does not need to submit a form via localhost; he just clicks Inspect Element, finds the form and changes the input he wants... Voilà, now we have a tampered form sent with the same HTTP_REFERER.

  • 2

    Or rather, he doesn’t even need to find a form; he can create his own. Everything on the client side is the "client". If your page is public, I really don’t see a reason to protect the data this way; if your page is private, that means the account is the user’s, and if the user has access to data in the form that should be restricted, then this is a flaw in your development strategy (sorry for the sincerity): there is data that really does not need to go to the front end.

  • So there is no safe POST? Any of them can be tampered with!

  • @Cassianojosé The POST is irrelevant; the problem is the data in the POST. If there is no sensitive data in the <form>, there is no security problem: the guy can change the action to send it to the devil, and the devil will still only receive data that does not affect security. AS I SAID: there is a way to pass data safely without having to send it to the front end. Another thing: if your page is PUBLIC, there is no need to tamper with the forms at all; a BOT just "downloads" the page that has the form and your data is compromised...

  • ...continuing, what will make it safe is what YOU EXPOSE on the front end, so the problem is not with forms BUT HOW YOU DESIGNED IT.

2 answers

4


At least it was funny to see how people post such bullshit on the Internet. When it’s like that, cite the source.

This code blocks your own internal access and nobody else’s. You are localhost, not the external user. No external user communicates with you via localhost; if that were so, everyone would be localhost and there would be no way to tell users apart.

Forget it: you have no control over what others do on their computers. Any attempt to protect yourself from something external will only cause more confusion. The only security you can provide is to correctly validate all data that comes from outside. This depends on each case, but you cannot validate intention, only the received data.

There is no effective way to prevent the user from sending data the way he wants; what is effective is to ensure that every aspect of the received data conforms to what you want.

You can’t tell where the information comes from; it is always hidden. Even the IP can be faked if whoever does it does not want to receive a response from your server.

I recommend you remove the "security" you use today. It is better in that it tries to validate the information, but it is creating a problem that you don’t see: you are preventing some legitimate access.

When you write software, it is more important to test what doesn’t work. Testing is difficult because you don’t always know everything that needs to be tested. By analogy, in this case you are trying to find out whether the person’s name is spelled correctly. It is impossible to know; it is the person’s problem, not yours, to know what is correct.

I’m amazed that even here everyone, myself included, presents simplified, naive solutions without extensive testing, which the people who wrote them, if they were conscientious, would probably not use without deeper analysis; but whoever reads them goes off and uses them as if the solution were perfect.

Programming is difficult; there are many variables that need to be analysed, and without understanding the whole underlying problem, mainly in security, mistakes will happen in droves.

Today there are campaigns to bring new programmers into the industry. They have two objectives: 1) to create consumers for programming tools, no matter what results come of it, since wrong programming also keeps the industry moving; 2) to find quality in quantity, since there is hope that all the new programmers will seek to understand the basics and all the necessary aspects.

So question everything you read on the Internet, even what you read here. Here we have people validating the answers, but it is common for people to have little critical sense, and this validation does not always happen as it should. People tend to want to please more than to do right, and everyone gets hurt by it. We can call this professional populism: they want to create an appearance of being helpful.

This is still the most likely place to get a more consistent answer and to develop, but I still recommend studying how the protocols work, using a packet analyser to see how the data travels, and trying to forge the data in every way. No one can do this for you. Whenever you find a problem and don’t know how to solve it, look for reliable and verifiable sources (plural).

1

But is the form data sent to your own server or to a third-party server? If it goes to your own server, I think what you can do is establish rules for accepted values when you pick up the data on the server and return an error if the data is not within the rules. If it goes to a third-party server, you would have to see whether you could send it to your server first and then forward it to the target server (validation, as the colleague above said).
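Putting the advice of both answers into code: the block below is an added example, not code from the question or from either answer. It replaces the Referer check from the question with server-side validation of every field, which is the only check the server can actually enforce. The field names (`produto`, `quantidade`, `email`), the limits and the product list are assumptions invented for the illustration; a real application would substitute its own rules.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. Field names, limits and the
// catalogue are assumptions for the illustration. Prices live on the server:
// a price or total arriving in $_POST is never trusted.
const CATALOGO = ['camisa' => 4990, 'bola' => 12990];   // price in centavos, decided by the server

/**
 * Validates a submitted order. Returns ['ok' => bool, 'erros' => [...], 'pedido' => [...]|null].
 * Nothing about where the request came from is consulted: Referer, Origin and
 * the client IP are all supplied by the client and can be sent with any value.
 */
function validar_pedido(array $post): array
{
    $erros = [];

    // Only the fields we expect are read; anything else the client adds is ignored.
    $produto = $post['produto'] ?? null;
    $qtd     = $post['quantidade'] ?? null;
    $email   = $post['email'] ?? null;

    // Product must be on the server-side allow-list (is_string also rejects produto[]=...).
    if (!is_string($produto) || !array_key_exists($produto, CATALOGO)) {
        $erros['produto'] = 'produto desconhecido';
    }

    // Quantity: an integer within a range the business accepts; arrays, floats
    // and negative numbers all fail filter_var and come back as false.
    $qtdInt = filter_var($qtd, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 100],
    ]);
    if ($qtdInt === false) {
        $erros['quantidade'] = 'quantidade deve ser um inteiro entre 1 e 100';
    }

    // E-mail: syntactic check plus a length cap so it cannot be used to stuff the database.
    $emailOk = filter_var($email, FILTER_VALIDATE_EMAIL);
    if ($emailOk === false || strlen($emailOk) > 254) {
        $erros['email'] = 'e-mail inválido';
    }

    if ($erros !== []) {
        return ['ok' => false, 'erros' => $erros, 'pedido' => null];
    }

    return [
        'ok'     => true,
        'erros'  => [],
        'pedido' => [
            'produto'        => $produto,
            'quantidade'     => $qtdInt,
            'email'          => $emailOk,
            'total_centavos' => CATALOGO[$produto] * $qtdInt,   // computed from server data only
        ],
    ];
}

// Demonstration on constructed input, shaped like what $_POST would contain.
if (PHP_SAPI === 'cli') {
    // A tampered submission: action changed, Referer copied, price field added, quantity negative.
    $adulterado = ['produto' => 'bola', 'quantidade' => '-5', 'email' => 'x', 'preco' => '1'];
    var_dump(validar_pedido($adulterado)['erros']);

    // A legitimate submission from the real form.
    $legitimo = ['produto' => 'bola', 'quantidade' => '2', 'email' => 'ana@example.com'];
    var_dump(validar_pedido($legitimo)['pedido']);
}
```

In the script the form posts to, call `validar_pedido($_POST)` before doing anything with the data and reject the request when `ok` is false. Nothing in it reads `HTTP_REFERER`, `REMOTE_ADDR` or an `Origin` header: those are set by the client and, as the first answer says, cURL or a hand-written form can send them with any value. If the actual worry is a different site submitting the form on behalf of a logged-in user (CSRF), the usual fix is a per-session token that the server checks, which is again a server-side check; it still does not stop the user from editing his own submission, which only validation of the values handles.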
