
Form Problem.

  • pkunal
    Message 1 of 5, Jul 17, 2003
      All,

      The situation is this.

      On my web page "products.asp" I am displaying all the products from
      my database and allow the user to select the quantity he wants to
      buy.

      So to make it short:
      "$itemCode" comes after a query to the database for each item in
      database. The form looks like this:

      <form action="/asp/verify.asp">
      <select name="Qty_<%=$itemCode%>">
      <option selected>0</option>
      <option>1</option>
      <option>2</option>
      <option>3</option>
      </select>
      <input type="submit" name="SUBMIT">
      </form>

      So the quantity is passed to "verify.asp" through the querystring
      and looks like this:
      http://....../verify.asp?Qty_1=1&Qty_2=3....

      The query string gets long depending on the number of products I
      have. Then I again retrieve the "itemcode" and its
      selected "quantity" on the "verify.asp" page using the
      "$Request->QueryString()" object.

      I am not happy with this solution. As it makes the website
      vulnerable as a user can input anything in the
      querystring "http://....../verify.asp?Qty_1=1&Qty_2=3....".

      Please suggest a good way to do this.

      Thanks,
      Kunal Parekh.


      ---------------------------------------------------------------------
      To unsubscribe, e-mail: asp-unsubscribe@...
      For additional commands, e-mail: asp-help@...
    • Thanos Chatziathanassiou
      Message 2 of 5, Jul 18, 2003
        You can try (by personal order of preference):
        a) setting something completely random in the $Session object in the
        form's page and checking for its existence in the verify.asp. If it
        isn't there, reject the data.
        b) check the HTTP_REFERER and reject if it's not the one You're
        expecting (the page the form is in)
        c) using POST instead of GET, so as not to worry about the amount of
        user input (and making it a little more complicated to "fabricate" a
        request by hand).
        d) obfuscating the form input, so as not to make it so obvious.
        e) accepting form input only from trusted sources (ie registered and/or
        authenticated users).
        f) IP address restriction (kinda like defeats the purpose of the web,
        don't it?)
        g) any combination of the above.

        A sufficiently motivated "bad guy" will most definitely find ways to
        overcome all the above methods, especially if it's worth the trouble. YMMV.
        That's all I can think of right now. I'm sure others will contribute
        their favourite methods too. Maybe we can compile an exhaustive list of
        those (should we?).

        Regards,
        Thanos Chatziathanassiou


      • KUNAL PAREKH
        Message 3 of 5, Jul 18, 2003
          Thanos,

          Thank you for your reply.

          My response to the suggestions you provided is as
          follows:

          > You can try (by personal order of preference):
          > a) setting something completely random in the
          > $Session object in the
          > form's page and checking for its existence in the
          > verify.asp. If it
          > isn't there, reject the data.

          If I make a session variable like this:
          $Session->{SomethingRandom} =
          "Qty_$itemCode=2&Qty_$itemCode=3......"

          That could work. However can this session variable be
          made on the same page as "products.asp" as soon as the
          form "Submit" button is clicked? If yes please let me
          know how.

          > b) check the HTTP_REFERER and reject if it's not the
          > one You're
          > expecting (the page the form is in)

          I will have to read more about this. I am not familiar
          with this method.

          > c) using POST instead of GET, so as not to worry
          > about the amount of
          > user input (and making it a little more complicated
          > to ``fabricate'' a
          > request by hand).

          The problem with POST and GET method is I will have to
          name each form variable. This is not possible in my
          case as I am naming the variables as "Qty_$itemCode"
          where $itemCode comes from the "products" database and
          I expect it to change very often. I think I understood
          right what you were saying however if I missed the
          point let me know.


          > d) obfuscating the form input, so as not to make it
          > so obvious.

          No. There is no limitation of obfuscation. There is
          always a possibility of someone outsmarting you.

          > e) accepting form input only from trusted sources
          > (ie registered and/or
          > authenticated users).

          Well on most ASP sites I visit (and even like to
          visit) you can always see their products page first
          even without registering at the site. Sometimes start
          shopping and register when you are "Checking Out". I
          would like to keep it the same. Later on every page
          can be visited only by registered users.

          > f) IP address restriction (kinda like defeats the
          > purpose of the web,
          > don't it ?)

          I too think it's not a practical solution.
          > g) any combination of the above.


          So please expand on your suggestion "a".

          Please try to answer the question I have related to
          suggestion a.

          Thanks,
          Kunal Parekh.

        • Tim Pushor
          Message 4 of 5, Jul 18, 2003
            Hi,

            So what is the problem? What are you worried about?

            What does the badguy have to gain by formulating his own query string?

          • Thanos Chatziathanassiou
            Message 5 of 5, Jul 21, 2003
              Well, the previous post pretty much posed an interesting question.
              Since you're going to verify everything yet again, as the user is moving
              to purchase, what's the problem with a bad guy playing around with the
              form a bit?
              Anyways, here we go...

              KUNAL PAREKH wrote:

              >If I make a session variable like this:
              >$Session->{SomethingRandom} =
              >"Qty_$itemCode=2&Qty_$itemCode=3......"
              >
              >That could work. However can this session variable be
              >made on the same page as "products.asp" as soon as the
              >form "Submit" button is clicked? If yes please let me
              >know how.
              >
              Actually, I was thinking more in the sense of:
              --snip products.asp--
              <%
              $Session->{'random'} = time();
              %>
              <form action="verify.asp"......
              --snip products.asp--

              --snip verify.asp--
              <%
              if ($Session->{'random'} < (time()-7200) ) {
                  # $Session->{'random'} has not been set in the last 2 hours....
                  die "Bad boy!!!\n";
              }
              ....
              %>
              --snip verify.asp--

              >>b) check the HTTP_REFERER and reject if it's not the
              >>one You're
              >>expecting (the page the form is in)
              >>
              >>
              >I will have to read more about this. I am not familiar
              >with this method.
              >
              Something like :
              --snip verify.asp--
              <%
              if ($Request->ServerVariables('HTTP_REFERER') !~ /products\.asp/) {
                  # HTTP_REFERER SHOULD point to the page where the user was selecting products
                  die "Bad boy!!!\n";
              }
              ....
              %>
              --snip verify.asp--

              >>c) using POST instead of GET, so as not to worry
              >>about the amount of
              >>user input (and making it a little more complicated
              >>to ``fabricate'' a
              >>request by hand).
              >>
              >>
              >
              >The problem with POST and GET method is I will have to
              >name each form variable. This is not possible in my
              >case as I am naming the variables as "Qty_$itemCode"
              >where $itemCode comes from the "products" database and
              >I expect it to change very often. I think I understood
              >right what you were saying however if I missed the
              >point let me know.
              >
              I didn't realize that you're parsing the QueryString by hand.
              You can, of course do the same with POST, just look for $Request->Form
              (reference to a hash - see Apache::ASP site for details) and iterate
              over the keys.
              Or even (OK, I know I'm pushing things a bit, but), if you don't feel
              comfortable with that...
              how about creating a hidden form element, where you just name the fields
              you should be collecting, something like
              <input type="hidden" name="index" value="Qty_<%=$itemCode%>">

              >>d) obfuscating the form input, so as not to make it
              >>so obvious.
              >>
              >>
              >No. There is no limitation of obfuscation. There is
              >always a possibility of someone outsmarting you.
              >
              Fair enough...

              Regards,
              Thanos Chatziathanassiou
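The thread as a whole comes down to what verify.asp should trust. The example below is added here and is not from any of the posts or from Apache::ASP itself; it restates the flow in Python, since the logic does not depend on the framework, with a constructed catalogue standing in for the "products" table. It combines the session-marker freshness check from the last reply with the iteration over submitted fields that the reply recommends for POST or GET, and adds the control the thread circles around without naming: every Qty_<itemCode> field is checked against the catalogue and against the quantities the form actually offered, and prices are taken from the catalogue, never from anything in the request. With that in place, the honest answer to "what does the bad guy gain by forging the query string?" is "a different valid basket", which is no more than re-validation at purchase time already allows. The names verify(), parse_order(), rejection_reason(), the CATALOG values and the session dict are assumptions made for this example. One caveat on the reply's option b): HTTP_REFERER is supplied by the client and is frequently blank, so a referer check is a nuisance to a forger, not a control.

```python
import re
import time
from urllib.parse import parse_qs

# Constructed stand-in for the "products" table: item code -> unit price in cents.
# In verify.asp this would come from the same database query products.asp ran.
CATALOG = {"1": 999, "2": 2450, "17": 325}

# The <select> in products.asp only offers 0..3, so anything else was typed by hand.
ALLOWED_QTY = range(0, 4)

# Same two-hour window as the posted $Session->{'random'} check.
SESSION_MAX_AGE = 7200

# The only field names verify.asp should ever see, besides the submit button.
QTY_FIELD = re.compile(r"^Qty_([A-Za-z0-9_-]+)$")


class RejectedOrder(ValueError):
    """Raised for any request that could not have come from the form as served."""


def check_session_marker(session, now=None):
    """Freshness check equivalent to the posted verify.asp snippet.

    `session` stands in for $Session (assumed dict).  The marker proves only that
    the client loaded products.asp recently, not that the submitted values are
    untouched, so it is a gate in front of validation, not a replacement for it.
    """
    now = time.time() if now is None else now
    stamp = session.get("random")
    if stamp is None or stamp < now - SESSION_MAX_AGE:
        raise RejectedOrder("form page not visited in the last 2 hours")


def parse_order(query_string, catalog=CATALOG):
    """Walk every submitted field (the $Request->Form / QueryString iteration
    suggested in the thread) and accept only Qty_<itemCode> fields whose item
    code exists in the catalogue and whose quantity is one the form offered."""
    fields = parse_qs(query_string, keep_blank_values=True)
    order = {}
    for name, values in fields.items():
        if name == "SUBMIT":
            continue
        match = QTY_FIELD.match(name)
        if match is None:
            raise RejectedOrder(f"unexpected field {name!r}")
        code = match.group(1)
        if code not in catalog:
            raise RejectedOrder(f"unknown item code {code!r}")
        if len(values) != 1:
            raise RejectedOrder(f"field {name!r} submitted more than once")
        raw = values[0]
        # ASCII digits only, then range-check against what the <select> offered.
        if not (raw.isascii() and raw.isdigit()) or int(raw) not in ALLOWED_QTY:
            raise RejectedOrder(f"quantity {raw!r} for item {code} not offered by the form")
        qty = int(raw)
        if qty:
            order[code] = qty
    return order


def price_order(order, catalog=CATALOG):
    """Total in cents.  Prices come from the catalogue, never from the request,
    so a tampered query string can at most select a different valid basket."""
    return sum(catalog[code] * qty for code, qty in order.items())


def verify(query_string, session, now=None):
    """What verify.asp should do with a submission: returns (order, total_cents)
    or raises RejectedOrder."""
    check_session_marker(session, now)
    order = parse_order(query_string)
    return order, price_order(order)


def rejection_reason(query_string, session, now=None):
    """None when the submission is accepted, otherwise the reason it was refused."""
    try:
        verify(query_string, session, now)
    except RejectedOrder as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    fresh = {"random": time.time()}
    print(verify("Qty_1=1&Qty_2=3&SUBMIT=Submit", fresh))
    for tampered in ("Qty_1=99", "Qty_999=1", "Qty_1=1&Qty_1=2", "price=0"):
        print(tampered, "->", rejection_reason(tampered, fresh))
    print("stale session ->", rejection_reason("Qty_1=1", {"random": 0}))
```

The same shape works unchanged for $Request->Form once the form is switched to POST; only the source of the key/value pairs changes, which is the point the last reply makes about iterating over the keys instead of naming each field.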