  • #1
    Senior Coder chump2877's Avatar
    Join Date
    Dec 2004
    Location
    the U.S. of freakin' A.
    Posts
    2,798
    Thanks
    19
    Thanked 156 Times in 147 Posts

    spoofing HTTP_REFERER?

    I have a form using the GET method.

    I was wondering if I could protect myself (and my form) from remote form submissions by using a HTTP_REFERER check.

    I don't see a way of spoofing the HTTP_REFERER if my form uses the GET method.

    Now, if I were to use POST as my method, then spoofing the HTTP_REFERER is as easy as adding a REFERER value to the HTTP headers of my form results page.

    But with GET, am I safe to use an HTTP_REFERER check on my form's results page, to ensure that the form's submission is only initiated on MY server? So that someone can't mimic my form's submission on another server? Would this work? Is there a way a hacker might beat this?

    Thanks.
    Last edited by chump2877; 11-22-2006 at 01:56 AM.
    Regards, R.J.

    ---------------------------------------------------------

    Help spread the word! Like my YouTube-to-Mp3 Conversion Script on Facebook !! :)
    [Related videos and tutorials are also available at my YouTube channel and on Dailymotion]
    Get free updates about new software version releases, features, and bug fixes!

  • #2
    Regular Coder
    Join Date
    May 2005
    Posts
    563
    Thanks
    0
    Thanked 3 Times in 3 Posts
    I'd use a session or cookie that gets set on the form page and checked on the results page.

  • #3
    Senior Coder
    Join Date
    Aug 2003
    Location
    One step ahead of you.
    Posts
    2,815
    Thanks
    0
    Thanked 3 Times in 3 Posts
    Quote Originally Posted by chump2877 View Post
    But with GET, am I safe to use an HTTP_REFERER check on my form's results page, to ensure that the form's submission is only initiated on MY server? So that someone can't mimic my form's submission on another server? Would this work? Is there a way a hacker might beat this?
    It's only as easy as it is with POST. What about those not sending the referrer at all?
    I'm not sure if this was any help, but I hope it didn't make you stupider.

    Experience is something you get just after you really need it.
    PHP Installation Guide Feedback welcome.

  • #4
    Senior Coder CFMaBiSmAd's Avatar
    Join Date
    Oct 2006
    Location
    Denver, Colorado USA
    Posts
    3,080
    Thanks
    2
    Thanked 321 Times in 313 Posts
    HTTP_REFERER, one of my favorite subjects. All of the HTTP_xxxxxx variables are set through headers sent by the browser/script that is making the request to the web server. They are optional and can be set to anything. You cannot rely on them being present and you cannot rely on the contents. The popular phpproxy script specifically sets HTTP_REFERER to be the same as the URL that is being requested.

    Whether you use the GET or POST method makes no difference (GET is a little easier to abuse, you only need to form a url to submit to your processing code.)

    Do what SeeIT Solutions suggests, but use a session. If you destroy the session within the form processing code, no one can make a copy of the session cookie that is sent and reuse it. If you use a cookie, it would require you to save and remember a unique value, then delete this remembered value, requiring more code (this saving/remembering the unique value is what the session id is doing when using sessions to accomplish this.)
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.
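
    One way to implement the session-based check this reply recommends, as an added example that is not code from the thread: the form page stores a fresh random token in the session and embeds it in the GET form; the results page compares the submitted token with the session copy in constant time and deletes it, so a request built with curl (with or without a Referer header) or a replayed URL has nothing to match. Assumes PHP 7 or later and a working session handler; the form field names `q` and `token` are my own.

    ```php
    <?php
    // Added example (not from the thread): a one-time token in the session replaces
    // the HTTP_REFERER check. Both roles are in one file for brevity; in a real site
    // split them across the form page and the results page.
    // Assumes PHP 7+ (random_bytes, hash_equals) and a working session handler.
    session_start();

    function issue_form_token(): string
    {
        // Fresh token per form render, tied to this visitor's session only.
        $token = bin2hex(random_bytes(32));
        $_SESSION['form_token'] = $token;
        return $token;
    }

    function consume_form_token(?string $submitted): bool
    {
        // A caller that never loaded the form (curl, another site) has no session
        // token, so the check fails even if it sends a perfect Referer header.
        $expected = $_SESSION['form_token'] ?? null;
        unset($_SESSION['form_token']);            // one-time: a replayed URL fails too
        if ($expected === null || $submitted === null) {
            return false;
        }
        return hash_equals($expected, $submitted); // constant-time comparison
    }

    if (isset($_GET['q'])) {
        // Results page: validate the token before using any form data.
        if (!consume_form_token($_GET['token'] ?? null)) {
            http_response_code(403);
            exit('Form must be submitted from this site.');
        }
        // Advisory only: log a missing or foreign Referer, never block on it,
        // because the header is optional and client-controlled.
        $ref = $_SERVER['HTTP_REFERER'] ?? '(none)';
        error_log("search submitted, referer={$ref}");
        echo 'You searched for: ' . htmlspecialchars($_GET['q'], ENT_QUOTES, 'UTF-8');
    } else {
        // Form page: GET method, as in the thread; the token rides in the query string.
        $token = htmlspecialchars(issue_form_token(), ENT_QUOTES, 'UTF-8');
        echo '<form method="get" action="">'
           . '<input type="hidden" name="token" value="' . $token . '">'
           . '<input type="text" name="q"> <input type="submit" value="Search">'
           . '</form>';
    }
    ```

    Because the form uses GET, the token lands in browser history and server logs, which is why it is consumed on first use rather than kept valid for the whole session.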

  • #5
    Senior Coder chump2877's Avatar
    Join Date
    Dec 2004
    Location
    the U.S. of freakin' A.
    Posts
    2,798
    Thanks
    19
    Thanked 156 Times in 147 Posts
    This is more of a hypothetical question than anything else...I haven't written any code yet....

    Let's assume that sessions and cookies aren't an option. Let's also assume that the user agent is sending a HTTP REFERER value. (I'm trying to isolate the effectiveness of HTTP_REFERER in a controlled situation)

    I simply want to know if HTTP_REFERER would be reliable in this scenario.

    If someone could spoof the HTTP_REFERER in this scenario, how would they do it? I don't see a way....do you?

  • #6
    Senior Coder CFMaBiSmAd's Avatar
    Join Date
    Oct 2006
    Location
    Denver, Colorado USA
    Posts
    3,080
    Thanks
    2
    Thanked 321 Times in 313 Posts
    Using curl, the following sets HTTP_REFERER to what ever you want...
    PHP Code:
    curl_setopt($c, CURLOPT_REFERER, 'http://www.yourdomain.com/yourformcode.php');
    Edit: Also, using curl, I can send you cookies with anything I want and I can make it look like the request is being made by a browser instead of a script...

    Edit2: More info for the GET method, the form values are sent as part of the URL, but when the URL is sent to the web server, headers are still exchanged in both directions. The GET method is not header-less.
    Last edited by CFMaBiSmAd; 11-22-2006 at 06:49 AM.

  • #7
    Senior Coder chump2877's Avatar
    Join Date
    Dec 2004
    Location
    the U.S. of freakin' A.
    Posts
    2,798
    Thanks
    19
    Thanked 156 Times in 147 Posts
    Quote Originally Posted by CFMaBiSmAd View Post
    Whether you use the GET or POST method makes no difference (GET is a little easier to abuse, you only need to form a url to submit to your processing code.)
    So if GET requires you to send data via the URL and not via the HTTP headers (or maybe that's wrong?), how could one spoof the HTTP REFERER in the HTTP headers of the GET form's processing code? I guess I see how it's done with a POST form submission, but not with a GET form submission, that's all...I don't see how you can open the equivalent of a socket connection to the subsequent page, write to the HTTP headers, and pass a REFERER value via a GET form (AND pass all of the form data to the subsequent page as well via the URL)...

    I'm just trying to figure out how this all works...I'm sure I'm missing something silly or simple...thanks.

  • #8
    Senior Coder CFMaBiSmAd's Avatar
    Join Date
    Oct 2006
    Location
    Denver, Colorado USA
    Posts
    3,080
    Thanks
    2
    Thanked 321 Times in 313 Posts
    I was editing the above post with the answer at the same time you were asking the question. I guess mind reading does work over the Internet.

  • #9
    Senior Coder chump2877's Avatar
    Join Date
    Dec 2004
    Location
    the U.S. of freakin' A.
    Posts
    2,798
    Thanks
    19
    Thanked 156 Times in 147 Posts
    Quote Originally Posted by CFMaBiSmAd View Post
    Using curl, the following sets HTTP_REFERER to what ever you want...
    PHP Code:
    curl_setopt($c, CURLOPT_REFERER, 'http://www.yourdomain.com/yourformcode.php');
    Edit: Also, using curl, I can send you cookies with anything I want and I can make it look like the request is being made by a browser instead of a script...

    Edit2: More info for the GET method, the form values are sent as part of the URL, but when the URL is sent to the web server, headers are still exchanged in both directions. The GET method is not header-less.
    Perhaps I need to read up on curl and how it's used...In the past I've only ever used fsockopen() to establish a socket connection (seemed to work for me), so I don't know much about curl...So you are saying that using curl in this instance, one could beat my hypothetical GET form and my HTTP REFERER check?

  • #10
    Senior Coder chump2877's Avatar
    Join Date
    Dec 2004
    Location
    the U.S. of freakin' A.
    Posts
    2,798
    Thanks
    19
    Thanked 156 Times in 147 Posts
    Quote Originally Posted by CFMaBiSmAd View Post
    I was editing the above post with the answer at the same time you were asking the question. I guess mind reading does work over the Internet.
    Haha, I appreciate the help

  • #11
    Senior Coder CFMaBiSmAd's Avatar
    Join Date
    Oct 2006
    Location
    Denver, Colorado USA
    Posts
    3,080
    Thanks
    2
    Thanked 321 Times in 313 Posts
    Check out the 05-May-2006 04:01 user contributed code at this link - http://us2.php.net/curl

    This code can do both get and post (apparently the GET method is curl's default as you must set the CURLOPT_POST option for the POST method.) The CURLOPT_REFERER would just need to be added to this code.

  • #12
    Senior Coder chump2877's Avatar
    Join Date
    Dec 2004
    Location
    the U.S. of freakin' A.
    Posts
    2,798
    Thanks
    19
    Thanked 156 Times in 147 Posts
    Quote Originally Posted by CFMaBiSmAd View Post
    Check out the 05-May-2006 04:01 user contributed code at this link - http://us2.php.net/curl

    This code can do both get and post (apparently the GET method is curl's default as you must set the CURLOPT_POST option for the POST method.) The CURLOPT_REFERER would just need to be added to this code.
    thanks, that code clears things up...Now I'm doubly convinced that HTTP REFERER is unreliable

  • #13
    Senior Coder
    Join Date
    Aug 2003
    Location
    One step ahead of you.
    Posts
    2,815
    Thanks
    0
    Thanked 3 Times in 3 Posts
    Quote Originally Posted by chump2877 View Post
    Let's assume that sessions and cookies aren't an option.
    Sessions are always an option. If you can't use cookies you append the id to the url. There is no real possibility of that not working.
    With sessions you can implement a referrer system for your site which will always work for you.

  • #14
    Master Coder felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, Australia
    Posts
    6,642
    Thanks
    0
    Thanked 649 Times in 639 Posts
    To ensure their privacy many web users configure their browser or firewall to NOT send anything in the referrer field.
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.
