Security flaw in web server?

phoeneous Member Posts: 2,333
Scenario:

Website XYZ has a form. When the form is filled out and the user clicks on submit, the fields are emailed to a mailbox.

If I copied the source code of the website, pasted it in notepad and "modified" a few lines of code, saved it as index.html on my desktop and opened it, if I fill out the form and click submit, should it process the info just as it would normally from the actual website?

Comments

  • tiersten Member Posts: 4,505
    Assuming you make it POST/GET to the correct address and the necessary referer faking if it checks then yes.

    This is why the form mail scripts which are written correctly only accept emails to a hardcoded list of recipients. If they didn't then you'd be able to spam people via the script.

    The ability to alter the page isn't a security flaw BTW.
  • phoeneous Member Posts: 2,333
    tiersten wrote: »
    The ability to alter the page isn't a security flaw BTW.

    That I know.

    I always thought that the server would check the source of the form against itself even if the mailto address associated with the submit button hasn't been changed.
  • dynamik Banned Posts: 12,312
    That's a lot of work. Just use the Tamper Data add-on for Firefox ;)
  • tiersten Member Posts: 4,505
    phoeneous wrote: »
    I always thought that the server would check the source of the form against itself even if the mailto address associated with the submit button hasn't been changed.
    How do you check the source of the form? You're trusting the client which is inherently insecure. Even if you did add some sort of Javascript that tried to view the page source to see if anything had been altered, you can't guarantee that they've not altered the Javascript or the browser to return the original values. As such, protection mechanisms like this are pointless. The server would also have to cache every single page it generated if it contains a form and then match it up with the form submission later on.

    As Dynamik pointed out, there are significantly easier ways to tamper with form submissions since you control the client.

    The form mail scripts also need to sanitise the inputs like subject, from and content since you can do tricks with control characters to get through the checking/protection within the script.
  • phoeneous Member Posts: 2,333
    tiersten wrote: »
    How do you check the source of the form?
    I have no clue :)
  • RobertKaucher Member Posts: 4,299
    phoeneous wrote: »
    I have no clue :)
    That's tiersten's point. You cannot. Verification of HTTP_REFERER is next to pointless. What needs to be watched is the input and the script should only be allowed to send to hard coded addresses.

    I once found a Perl script that allowed you to specify the recipient via a hidden HTML form field. Any script kiddy could spam with it.

    There is no way to keep someone from being a DB and emailing you garbage unless you use a security check such as captcha (type the words in the image above). But the script will be secure if it is looking into the data provided by the client and removing things like ` and ; and there is a way to handle SQL injection, provided that is required.
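The two server-side protections the thread converges on, a hard-coded recipient list (tiersten's and RobertKaucher's point) and rejecting control characters in the header fields (tiersten's note about subject, from and content), put together as a small form-mail validator. This is an added example, not code from the thread or from any of the scripts mentioned in it; the names `ALLOWED_RECIPIENTS`, `build_message`, `is_acceptable` and the sample submissions are all constructed for illustration.

```python
"""
Added example (not code from the thread): a minimal form-mail handler that
applies the two protections discussed above:
  1. the recipient is chosen from a hard-coded allowlist by key; the form
     never supplies an address, hidden field or otherwise;
  2. header fields (From, Subject) are rejected if they contain control
     characters, which is how an extra Bcc or similar header gets smuggled
     into the generated mail.
All identifiers here are assumptions made for the example.
"""
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Hard-coded destinations: the form submits a key such as "sales", never an address.
ALLOWED_RECIPIENTS = {
    "sales": "sales@example.com",
    "support": "support@example.com",
}

# Any ASCII control character (CR, LF, NUL, ...) in a header value is rejected outright.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
_MAX_HEADER_LEN = 200
_MAX_BODY_LEN = 10_000


class FormMailError(ValueError):
    """Raised when a submission fails validation."""


def clean_header(value: str, field: str) -> str:
    """Return a header-safe value or raise FormMailError."""
    if _CONTROL_CHARS.search(value):
        raise FormMailError(f"control character in {field}")
    value = value.strip()
    if not value or len(value) > _MAX_HEADER_LEN:
        raise FormMailError(f"{field} empty or too long")
    return value


def clean_sender(value: str) -> str:
    """Accept only a single bare address that parses cleanly and round-trips."""
    value = clean_header(value, "from")
    name, addr = parseaddr(value)
    if name or "@" not in addr or addr != value:
        raise FormMailError("from must be a single plain address")
    return addr


def build_message(form: dict) -> EmailMessage:
    """Validate the decoded POST fields and return the message that would be sent.

    `form` looks like {"to": "sales", "from": ..., "subject": ..., "message": ...}.
    Nothing from `form` is ever passed to a shell or a query, so shell
    metacharacters in the body are harmless here; the body is only size-capped.
    """
    to_key = form.get("to", "")
    if to_key not in ALLOWED_RECIPIENTS:
        raise FormMailError("unknown recipient key")
    body = form.get("message", "")
    if len(body) > _MAX_BODY_LEN:
        raise FormMailError("message too long")

    msg = EmailMessage()
    msg["To"] = ALLOWED_RECIPIENTS[to_key]
    msg["From"] = clean_sender(form.get("from", ""))
    msg["Subject"] = clean_header(form.get("subject", ""), "subject")
    msg.set_content(body)
    return msg


def is_acceptable(form: dict) -> bool:
    """True if the submission passes validation and would be handed to the MTA."""
    try:
        build_message(form)
        return True
    except FormMailError:
        return False


if __name__ == "__main__":
    # Constructed sample submissions: one legitimate, one carrying an injected header,
    # one trying to pick its own recipient.
    good = {"to": "sales", "from": "alice@example.org",
            "subject": "Quote request", "message": "Hello"}
    injected = {"to": "sales", "from": "alice@example.org",
                "subject": "Hi\r\nBcc: someone@example.net", "message": "spam"}
    self_addressed = {"to": "someone@example.net", "from": "alice@example.org",
                      "subject": "Hi", "message": "spam"}
    print(build_message(good)["To"])      # sales@example.com
    print(is_acceptable(injected))        # False
    print(is_acceptable(self_addressed))  # False
```

Because the recipient is looked up by key, a modified copy of the page can only ever reach the addresses the operator chose; because every header value is checked for control characters before it reaches the message, a tampered field cannot add headers of its own. Checking the Referer header adds nothing on top of this, for the reason given in the thread: the client controls it.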