Stop Spoofed Form Submissions

Backend · Unresolved · 11 · 765
时光说笑 2020-12-21 13:21

I have a question about stopping spoofed form submissions. How about if by using the $_SERVER['HTTP_REFERER'] I only allow submissions to my forms coming from

11 answers
  • 2020-12-21 14:00

    Spoofing HTTP headers is pretty easy and so shouldn't be used for something that requires rigorous security. One technique typically used is to send both an encrypted cookie and a matching, encrypted token in a hidden input on the form. The cookie should be an HTTP-only cookie. On form submission check that the value from the cookie and the value from the hidden input match. This will help prevent cross-site request forgeries since a request to your site can't be successfully made from another site because they'll either be missing the cookie (for a MIM attack) or the hidden input (spoofed form). Of course, this depends on you making sure your site is otherwise secure so they can't sniff the tokens to find out what to supply.

    Here's a nice discussion on how this is done in ASP.NET MVC, http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/

    0 · Discussion (0)
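    The double-submit cookie check this answer describes, written out as an added PHP example (it is not code from the answer or from the linked ASP.NET article). It binds a random CSPRNG token instead of an encrypted one, and the cookie and hidden-field names are assumptions:

```php
<?php
// Added example, not from the thread: double-submit CSRF token in PHP.
// One random token is stored in an HttpOnly cookie and echoed into a hidden
// input; a POST is accepted only when the two match. A cross-site page can make
// the browser send the cookie but cannot read it to fill in the hidden field.
declare(strict_types=1);

const CSRF_COOKIE = 'csrf_token'; // cookie and field names are assumptions
const CSRF_FIELD  = 'csrf_token';

/** Mint a fresh token and bind it to this browser via an HttpOnly cookie. */
function issueCsrfToken(): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    setcookie(CSRF_COOKIE, $token, [
        'path'     => '/',
        'secure'   => true,     // HTTPS only
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Strict', // independent second layer of defence
    ]);
    return $token;
}

/** Hidden input that carries the token back with the form. */
function csrfHiddenInput(string $token): string
{
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

/** Cookie and field must both be present, well formed and identical. */
function csrfTokenIsValid(array $cookies, array $post): bool
{
    $fromCookie = $cookies[CSRF_COOKIE] ?? '';
    $fromForm   = $post[CSRF_FIELD] ?? '';
    if (!is_string($fromCookie) || !is_string($fromForm)
        || !preg_match('/^[0-9a-f]{64}$/', $fromCookie)) {
        return false; // missing or malformed: reject before comparing
    }
    return hash_equals($fromCookie, $fromForm); // constant-time compare
}

// Form handler: verify on POST, otherwise render the form with a new token.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfTokenIsValid($_COOKIE, $_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // ... process the verified submission ...
} else {
    echo '<form method="post">', csrfHiddenInput(issueCsrfToken()), '<button>Submit</button></form>';
}
```

    Note that the check does not look at Referer at all; the missing-header case raised elsewhere in this thread therefore never arises, and the cookie keeps the token out of the page's JavaScript.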
  • 2020-12-21 14:04

    Try a captcha like ReCaptcha. Not only will you prevent spambots from spamming your website, but you'll also be able to "authorise" only those people who use your form (at least to some extent: they will need to load your form to get the captcha and then send a response).

    0 · Discussion (0)
  • 2020-12-21 14:04

    Without a definition of "spoofing" it would be but empty talk.

    There are a dozen different "spoofs", each with its own protection.

    The most general solution is CAPTCHA.

    0 · Discussion (0)
  • 2020-12-21 14:05

    It would help, and it's a fairly easy thing to add, but it won't stop a targeted attack; after all, you can spoof an HTTP_REFERER header.

    One thing to keep in mind is that a client is not required to send an HTTP_REFERER, so if the header is missing you might want to allow submissions anyway. If this is not possible, then checking HTTP_REFERER won't help you.

    Run a search for CAPTCHA ("Completely Automated Public Turing test to tell Computers and Humans Apart"); this is what you're really looking for.

    0 · Discussion (0)
  • 2020-12-21 14:05

    Doesn't really help. Read this: http://shiflett.org/articles/form-spoofing

    0 · Discussion (0)
  • 2020-12-21 14:06

    Referer is easy to spoof, so any attacker that wanted to spoof a form submission could just spoof the Referer header as well. Also, I don't believe web browsers are required to send the Referer header, so it could potentially exclude form posts from legitimate users.

    0 · Discussion (0)