PHP Form Security With Referer

Tags: security, php, xss

I'm putting together a site that will make itself available for user input. I was wondering if writing a function like:

    // Reject the submission unless the Referer header names our own form page
    if (getenv("HTTP_REFERER") != 'http://www.myURL.com/submitArea') {
        die('don\'t be a jerk, ruin your own site');
    } else {
        // continue with form processing
    }

is enough to prevent cross-site form submissions.

EDIT: And if not, what is the best practice for preventing forms from being submitted from other hosts?

asked May 15 '10 19:05 by Howard Zoopaloopa


3 Answers

Nope - HTTP_REFERER can be freely spoofed on the client side and is not a reliable indicator of where a request came from.

Update: I misread the part about cross-site forgery: for this, checking the referer is a valid security measure, because CSRF relies on manipulated links pointing to protected pages (that the attacked user has privileges on). User @Rook is correct.

The only exception is if the attack can happen from within the web application that is being attacked, e.g. by injecting malicious JavaScript code. In that case, a referer check is useless because the attack is coming from a "safe" URL, but so is arguably a solution based on a session or one-time token, because the token is in reach of the malicious JavaScript and can be easily retrieved.

However, using a one-time token is highly preferable to protect against this kind of attack because HTTP_REFERER is stripped out by some proxies.

answered Sep 21 '22 00:09 by Pekka


Actually yes, according to the OWASP CSRF Prevention Cheat Sheet, in most cases checking the referer is enough to patch a CSRF vulnerability. Although it is trivial to spoof the referer on your OWN BROWSER, it is impossible to spoof it on another browser (via CSRF) because it breaks the rules.

In fact, checking the referer is very common to see on embedded network hardware where memory is scarce. Motorola does this for their Surfboard Cable Modems. I know this first hand, because I hacked them with CSRF and then they patched it using a referer check. This vulnerability received a severity metric of 13.5 and according to the Department of Homeland Security this is the most dangerous CSRF vulnerability ever discovered and in the top 1,000 most dangerous software flaws of all time.

answered Sep 21 '22 00:09 by rook


Using a SESSION will most likely be the better route to prevent cross-site form submissions.

answered Sep 21 '22 00:09 by gurun8
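The three answers above describe two layers: a Referer/Origin host check (rook's and Pekka's point that a victim's browser cannot forge the header on a cross-site request) and a session-bound token (Pekka's and gurun8's preferred route, which also survives proxies that strip the Referer). The following form handler is an added example combining both; it is not code from the question or from any of the answers. It assumes PHP 7 or later, that the form page lives on www.myURL.com (the host named in the question), and that `session_start()` runs before any output.

```php
<?php
// Added example, not code from the question or the answers above.
// Assumes PHP >= 7.0 (random_bytes, hash_equals, ?? operator).
declare(strict_types=1);

session_start();

const SITE_HOST = 'www.myURL.com';   // assumed: host of the form page

/**
 * Layer 1: Origin/Referer check. A cross-site request issued by the victim's
 * browser carries the attacker's origin, not ours, so a host mismatch is a
 * reliable rejection. A MISSING header is treated as a failure: an attacker
 * page can suppress the Referer (e.g. via a referrer policy), and some proxies
 * strip it, so failing open here would defeat the check.
 */
function referer_is_trusted(array $server, string $expectedHost): bool
{
    // Prefer Origin (sent by browsers on POST); fall back to Referer.
    $header = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($header === '') {
        return false;
    }
    // Compare the parsed host, not a string prefix: a prefix check would
    // accept http://www.myURL.com.attacker.example/ as well.
    $host = parse_url($header, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

/** Layer 2: issue a one-time token bound to this session. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/**
 * Validate the submitted token in constant time and burn it, so the same
 * token cannot be replayed even if it leaks (Pekka's "one-time" token).
 */
function csrf_token_is_valid(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($expected === '' || !is_string($submitted)) {
        return false;
    }
    $ok = hash_equals($expected, $submitted);
    unset($_SESSION['csrf_token']);      // one-time: a fresh token is issued on next render
    return $ok;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!referer_is_trusted($_SERVER, SITE_HOST)
        || !csrf_token_is_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Cross-site form submission rejected.');
    }
    // continue with form processing
    exit('Form accepted.');
}

// GET: render the form with the token embedded as a hidden field.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post" action="/submitArea">
  <input type="hidden" name="csrf_token" value="{$token}">
  <input type="text" name="comment">
  <button type="submit">Submit</button>
</form>
HTML;
```

The token is the primary defence and the header check is defence in depth, which is why both must pass. Note the two ways the original `getenv("HTTP_REFERER") != 'http://www.myURL.com/submitArea'` comparison is weaker than this: it ties the check to one exact URL (any query string or an HTTPS scheme breaks it), and a naive prefix comparison would accept a look-alike host. Comparing only the parsed host avoids both problems.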