Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to prevent HTTP Spoofing?

Tags:

php

spoofing

We have created a database driven website using PHP with set cookies and now need to prevent HTTP spoofing, any ideas on how to do this? we are beginners with this so any help would be greatful

like image 943
Jermain Avatar asked Feb 21 '10 23:02

Jermain

People also ask

How can spoofing be prevented?

Packet filtering can prevent an IP spoofing attack since it is able to filter out and block packets that contain conflicting source address information. Using cryptographic network protocols such as HTTP Secure (HTTPS) and Secure Shell (SSH) can add another layer of protection to your environment.

What is http spoofing?

One common method of attack is called HTTPS spoofing, in which an attacker uses a domain that looks very similar to that of the target website. With this tactic, also known as “homograph attack”, the characters in the target domain are replaced with other non-ASCII characters that are very similar in appearance.

Does https prevent spoofing?

Finally, detecting IP spoofing is virtually impossible for end-users. They can minimize the risk of other types of spoofing, however, by using secure encryption protocols like HTTPS—and only surfing sites that also use them.

What prevents IP spoofing?

To help prevent IP spoofing, you should use a VPN to hide your IP address. Then, monitor your network for suspicious activity with a firewall, which uses a packet filter that inspects IP packet headers. Only visit secure sites that use HTTPS protocol, and make sure to use strong passwords everywhere possible.

1 Answers

You cannot "spoof" HTTP requests. You send a request to the server, and the server responds appropriately.

I think what you are trying to prevent is cookie spoofing. Considering that cookies are stored on the client-side, there is nothing you can do to prevent users from modifying theirs contents.

Do not store sensitive information in your cookies. They are not secure and easily read and modified by the client.

Use PHP sessions instead. The full explanation on how sessions work and how to keep them secure can be read in one of my previous answers.

Essentially, securing sessions is done on two fronts:

  • Preventing session fixation
    Regenerate a new session_id every X number of requests in order to reduce the amount of time an attacker has to steal the id.

  • Uniquely identify the client
    Use the IP and/or the User-Agent to uniquely identify the client and check that value on every page load against the ones stored in the session. This is really the only two choices you have to uniquely identify the client.

Even with that in place, no solution is fool-proof and once your session_id is compromised, you are pretty much done for.

Again, for an in-depth explanation, please see my previous answer.

like image 131
Andrew Moore Avatar answered Sep 23 '22 10:09

Andrew Moore
Sign in to Comment

Related questions

Best Practices for creating a PHP INI/CONFIG file and keep it secure
How to enable imagecreatefromgif/imagecreatefromjpeg/imagecreatefrompng in PHP?
Have some RewriteCond's affect multiple rules
Utilities file in php?
keep user logged in when he visit the same page again?
ServiceLocator and the Open/Closed Principle
An efficient way to save an Array and its Keys to a database
Preg_Replace and UTF8
try to open a page every 10 seconds
Not finding elements using getElementsByTagName() using DOMDocument
oAuth with PHP (for google api)
How to create array-like data-structures with object keys in PHP?
Autotest equivalent for PHP?
How Does the Zend Application / Bootstrapping Work?
Stopping people from hijacking a voting system using PHP?
Read user home directory from PHP
Sorting postgresql database dump (pg_dump)
php get 1st value of an array (associative or not)
Is there any Django-esque PHP framework I can use? [closed]
Mysql Real Escape String PHP Function Adding "\" to My Field Entry

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!