Cross Domain Form Posted – PHP Security Fix
Most of us developers rely on ready-made frameworks these days and ignore the common-sense security fixes. Everybody knows that when a spammer attacks your site, he will not go through the hectic activity of coming to your form page and entering the captcha to spam you again and again. He will get the exact URL of your target page and the fields it expects to be posted. He might work around the captcha too, depending on his expertise. Now the question is this: if we don't require cross-domain posting, should we allow it or not? And if we don't allow it, are we preventing this attack?
Here is a simple example of a form, hosted on some other domain, which posts some input to yourdomain.com/someurl:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Cross Domain Posting</title>
</head>
<body>
<form action="http://www.yourdomain.com/cross_domain_posted" method="post">
<input name="field1" />
<input name="field2" />
<input type="submit" />
</form>
</body>
</html>
Simple PHP Security Fix
It does not matter whether the data is posted through GET, POST, AJAX or anything else. We have to check whether HTTP_HOST and the host taken from HTTP_REFERER are the same. If they are the same, it is a safe activity; otherwise it is a spamming activity.
<?php
// Host of the referring page, or null when no Referer header was sent.
$referer_host = isset($_SERVER['HTTP_REFERER']) ? parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST) : null;
echo 'Host From: ' . $referer_host . ' Host To: ' . $_SERVER['HTTP_HOST'];
if ($referer_host !== $_SERVER['HTTP_HOST']) {
    // Cross-domain (or referer-less) post: treat it as spam per the rule above.
}
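The same-host check described above, written as a function that can be run from the command line against constructed $_SERVER-style arrays. This is an added example, not code from the original post; the function name is_same_host_post and the sample requests are my own, and it also handles the cases the snippet above does not: a missing Referer, a host written in different case, and an explicit port.

```php
<?php
// Added example: same-host check for a posted form, run against constructed
// request arrays. Function and variable names are assumptions, not the post's.

/**
 * Returns true when the Referer host (and port, if any) matches the Host
 * header the form was posted to. A missing or unparsable Referer returns
 * false, so the caller treats it like a cross-domain post.
 */
function is_same_host_post(array $server): bool
{
    if (empty($server['HTTP_REFERER']) || empty($server['HTTP_HOST'])) {
        return false;
    }
    $from = parse_url($server['HTTP_REFERER']);
    if ($from === false || empty($from['host'])) {
        return false;   // e.g. a scheme-less or malformed Referer value
    }
    // HTTP_HOST may carry an explicit port ("example.com:8080"); normalise
    // both sides to host[:port]. Host names compare case-insensitively.
    $to = parse_url('http://' . $server['HTTP_HOST']);
    if ($to === false || empty($to['host'])) {
        return false;
    }
    $norm = function (array $u): string {
        $host = strtolower($u['host']);
        return isset($u['port']) ? $host . ':' . $u['port'] : $host;
    };
    return $norm($from) === $norm($to);
}

// Constructed requests, not captured traffic.
$cases = [
    'same host'     => ['HTTP_HOST' => 'www.yourdomain.com',
                        'HTTP_REFERER' => 'http://www.yourdomain.com/form'],
    'other domain'  => ['HTTP_HOST' => 'www.yourdomain.com',
                        'HTTP_REFERER' => 'http://other.example/post'],
    'no referer'    => ['HTTP_HOST' => 'www.yourdomain.com'],
    'case and port' => ['HTTP_HOST' => 'WWW.yourdomain.com:8080',
                        'HTTP_REFERER' => 'https://www.yourdomain.com:8080/x'],
];
foreach ($cases as $label => $server) {
    echo $label, ': ', is_same_host_post($server) ? 'accept' : 'reject', PHP_EOL;
}
```

The Referer header is supplied by the client and is often stripped by browsers, proxies or privacy settings, so a mismatch is a signal for rejecting or flagging a submission rather than proof of an attacker, and a match is not proof of a legitimate one.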
I hope this snippet helps you understand how we can enhance security whether or not we are using a PHP framework. It is not right to blame the frameworks for security issues; we should be aware of the things that come down to common sense.
Last updated: March 19, 2014