posting form info to a page

Posted by cosmic foo on July 19, 2005, 11:42 am
Would I be correct to assume that anything can be posted, and it's up to the receiving page to deal with what it receives? So one may as well assume that a hacker can figure out what a page expects or doesn't expect to receive, and post whatever they feel like trying.

So it would be incorrect to assume that just because someone cannot get to a page, they cannot post to the page that it posts to.

So it's important to put as much security as possible into the page being posted to, and thinking that hidden form fields are actually hiding anything is a mistake, and creating any sort of generic post page that updates records in a database may be impossible to secure. At the very least, one should verify that the current user has the right to update a particular record in a particular table, and then one might want to keep an audit trail, as well as take some measure to inhibit page scraping.

Any thoughts?

Posted by SJ on July 20, 2005, 9:22 am
cosmic foo wrote:
> Would I be correct to assume that anything
> can be posted, it's up to the receiving page
> to deal with what it receives?
> So one may as well assume that a hacker
> can figure out what a page expects or
> doesn't expect to receive, and post
> whatever they feel like trying.
> So it would be incorrect to assume that
> just because someone cannot get to a page,
> that they cannot post to the page that it posts to.
> So it's important to put as much security as
> possible into the page being posted to, and
> thinking that hidden form fields are actually
> hiding anything is a mistake, and creating any
> sort of generic post page that updates records
> in a database may be impossible to secure.

I disagree. Every server-side application/script must sanitize and validate its input. All variables. It should check that the input is syntactically correct (e.g. only numbers) and that it has a correct meaning (e.g. a valid email address).

Additionally, you may authenticate users before submitting data to your database, so that you can track your rude users down.

SJ
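An added example, not from either poster, of a receiving-page handler that applies both points made in the thread: every posted field is checked for syntax and meaning, the acting user comes from the server-side session rather than from any (hidden) form field, the record's ownership is verified before the update, and every attempt is written to an audit trail. The in-memory RECORDS table, the field names and the user names are constructed for the example.

```python
import re

# Constructed in-memory "database": record id -> owner and current email.
RECORDS = {
    101: {"owner": "alice", "email": "alice@example.com"},
    102: {"owner": "bob", "email": "bob@example.com"},
}
AUDIT_LOG = []  # one entry per attempt, whether it succeeded or not

# Deliberately simple syntax check for an email address (assumption: good enough here).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def handle_update(session_user, form):
    """Process a POST that asks to change one record's email address.

    session_user: the user identified by the server-side session, never by the form.
    form: dict of posted fields; all are untrusted, including fields that were
          rendered as <input type="hidden"> in the HTML the browser was given.
    Returns (status, message).
    """
    # 1. Syntactic check: the record id must be digits only.
    raw_id = str(form.get("record_id", ""))
    if not raw_id.isdigit():
        return _audit(session_user, raw_id, "reject", "record_id not numeric")
    record_id = int(raw_id)

    # 2. Semantic check: the new value must look like an email address.
    email = str(form.get("email", "")).strip()
    if len(email) > 254 or not EMAIL_RE.match(email):
        return _audit(session_user, record_id, "reject", "email malformed")

    # 3. Authorization: the record must exist and belong to the session user.
    #    A posted "owner" field is ignored entirely; the client can claim anything.
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != session_user:
        return _audit(session_user, record_id, "deny", "not owner of record")

    record["email"] = email
    return _audit(session_user, record_id, "ok", "email updated")


def _audit(user, record_id, status, message):
    # Audit trail: who tried to touch which record, and what the outcome was.
    AUDIT_LOG.append({"user": user, "record": record_id,
                      "status": status, "message": message})
    return status, message
```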

