Hi there, I've looked into the PHP superglobal array $_SERVER, but could not find a variable that stores the plugins a client has on his/her browser such as Firefox and Google Chrome. The point here is to detect if a user has hacking addons such as Firebug and Inspect Element installed, and display an error message telling the user to disable such plugins in order to access site content. Is it possible to accomplish such tasks? Please help.

Well, I got news for you. They don't need firebug to do that, and trying to stop access to anyone who has firebug installed is a waste of time. All anyone has to do is copy the page source and paste it into a text editor to do the exact same thing. That's why you validate and sanitize any incoming data, every time, all the time.

I see, mind showing me an example of data validation given the following form submission example below?

 

		$article_content = $article_content."<br><img src='{$adoptimage}' border='0'><br>
		<form name='form1' method='get' action='poundpost.php'>
		  <p>
			<input name='aid' type='hidden' id='aid' value='{$row['aid']}'>
			<input name='type' type='hidden' id='type' value='{$row['type']}'>
			<input name='name' type='hidden' id='name' value='{$row['name']}'>
			<input name='currentlevel' type='hidden' id='currentlevel' value='{$row['currentlevel']}'>
		  </p>
		  <p>
			<input type='submit' name='Submit' value='Adopt Me'>
		</p>
		</form>";
	}

The important thing to remember is that there's no single right way to validate and sanitize data that applies to all types of data, in all situations. Data being inserted into a database is handled differently than data that will be written to a file or simply be displayed after the form is submitted. Sometimes you can validate tightly and allow only a certain set of characters, other times you can't. A lot depends on what values you would consider to be valid, and what you intend to do with the data.

 

I'm mostly guessing here, since I can't be certain what the values are that you'd expect in each of those fields, but I'll assume that 'aid', 'type' and 'currentlevel' are integers, and name is a string that can only consist of letters, spaces and (for the sake of demonstration) single quotes. So for the integers, I'd make sure the trim()med value is a string of digits, then cast the value as an integer. All of this assumes your end goal is to insert this data into a MySQL database . . .

 

For the fields that should contain integers:

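// Read the submitted value; a missing field becomes an empty string
// (read $_GET instead if the form keeps method='get')
$aid = isset($_POST['aid']) ? trim($_POST['aid']) : '';
// ctype_digit() is true only for a non-empty string made up entirely of digits
if( !empty($aid) && ctype_digit($aid) ) {
     $aid = (int) $aid;
} else {
     // validation failed, so set an error or however you want to handle it
}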

 

For the string value

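// Read the submitted value; a missing field becomes an empty string
$name = isset($_POST['name']) ? trim($_POST['name']) : '';
$needle = array(' ', "'");
// Strip the allowed spaces and single quotes, then require that only letters remain
if( !empty($name) && ctype_alpha(str_replace($needle, '', $name)) ) {
     // mysql_real_escape_string() needs an open mysql_* connection;
     // the mysql_* extension was removed in PHP 7
     $name = mysql_real_escape_string($name);
} else {
     // validation failed
}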

For the specific example form you posted, you should pass the minimum necessary information through it. It would appear that the id identifies the row in the database table that holds the other values. Just pass the id through the form. No need to pass the other values because you already know what they are from the id.

 

Doing so will also mean fewer values to validate, less HTML to produce and send to the browser, less data being submitted back to the server, and less code all around.

Well, I don't think you get the point I am making. It is not the data type the user inputs that I need to validate, I already know what to do with this. The problem is that they can use firebug or inspect element to change the hidden values in a form, such as an id that they are not supposed to know what it is. Is there a way to prevent them from using firebug and inspect element?

As I already said, you don't need any browser plugin to do that. Anyone with a text editor can change the value of any form field, whether or not it's "hidden", since it still shows in the source markup. If there are values you don't want the user to have access to, you need to keep them server side, in $_SESSION variables.

They don't need firebug to do that...

 

^^^ See the information already stated.

 

There's no point in trying to detect a client side tool like that because you don't need any tool other than a browser and a simple editor to see and get the HTML of the form and produce a form that has any value for any hidden field and submit it to your server.

 

What exact problem are you having with a potential change in an id value? You should already be checking when you produce the form and when you process the form submission that the current visitor has the necessary permissions to access the specific id value, and depending on what you are actually doing, you can probably just store the id in a session variable on the server and not even pass it through the form.

To directly answer your question, no, there is no server-side way to determine what plugins a user has installed in their browser. It is possible to do some detection client-side with JavaScript, and either pop a hidden field to send to server, submit info via ajax or just output message directly with JavaScript. However, all these things are easy to get past anyways, and in no way really hinders the points stated by others.

 

In short, you are approaching this issue the wrong way, look into advice already posted (ask for details if you don't understand)

I see, so storing the hidden field info in session variables will resolve the problem? I've never used sessions before, does the code below work?

 

$_SESSION['id'] = $id 

 

I will have to start a session before outputting the form to users and close it once user has submitted his/her inputs, is this correct?

... will resolve the problem?

 

What problem? You haven't provided any information on the significance and meaning of the id and how it is related to any specific user. No one can tell you yet if using a session to hold the value will accomplish what you are trying to do because we don't know what it is you are trying to do.

Well here is an example of what I was referring to:

 

http://oi56.tinypic.com/hwxvut.jpg

 

As you can see from this screenshot, in which a user accesses the site with inspect element. She could edit the id of the pets from the list to any values she wants, and thus mess up with the form data. Is there a way to prevent this?

The simple answer is no. The Inspect element is just a handy tool for developers to view/edit the source without leaving the page..

As previously stated, there is NO point in detecting plugins. NOTHING is stopping a person from right clicking your page, going to View Source and saving it to their computer and changing it as they see fit and submitting back to your server.

 

If you have an option you don't want people to be able to edit.. Don't give people the option.

Your best protection is a good solid backend. Making sure, as previously said, that the input being posted is ALLOWED to be posted by that person.

 

Okay I think we can agree that detecting what plug-ins are used isn't going to help..

 

Also the problem is people are changing values and get extra goodies, So how to deal with it,

 

I have created a simple example shop, to help explain the problem and the solution,

 

the below code is a gun shop for a game, now to keep it simple I have used GET instead of post,

 

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Gun shop</title>
</head>
<body>
<?php
$money = 75;
$items = array(
1 => array("Name" => "small gun", "Price" => 10),
2 => array("Name" => "medium gun", "Price" => 50),
3 => array("Name" => "large gun", "Price" => 100)
);

//Purchase
if(!empty($_GET['do']) && !empty($_GET['id']) && $_GET['do'] == 'purchase'){
    echo "<p>You have purchased the ".$items[$_GET['id']]['Name']."</p>";
}

foreach($items as $id => $item){
  echo $item['Name'];
  if($item['Price'] <= $money){
    echo ' <a href="?do=purchase&id='.$id.'">Buy Now</a>';
  }else{
    echo ' <a href="javascript:alert(\'Need more money\');">need more funds</a>';
  }
  echo "<br />";
}
?>
</body>
</html>

 

Now if you click on the small gun "buy now" it tells you you have purchased it, yay,

same for the medium gun.. but if you want the large.. no joy..

 

BUT if you just change the id to 3 on the URL (or in your case changed a value in a form via whatever method) you'll see you can buy the large gun..

 

So how do we stop that.. well the display is only to help the user choose, you should never work under the impression that if you don't display something then it's secure, as it's NOT..

 

So to plug our exploit, we need to check if they have the money after the get/post same as we checked when we displayed it,

 

So now if you change

//Purchase
if(!empty($_GET['do']) && !empty($_GET['id']) && $_GET['do'] == 'purchase'){
    echo "<p>You have purchased the ".$items[$_GET['id']]['Name']."</p>";
}

to

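//Purchase
if(!empty($_GET['do']) && !empty($_GET['id']) && $_GET['do'] == 'purchase'){
  // Added IF statement. isset() also turns away ids that are not in $items:
  // a missing item's Price is null, and null <= $money is true in PHP
  if(isset($items[$_GET['id']]) && $items[$_GET['id']]['Price'] <= $money){
    echo "<p>You have purchased the ".$items[$_GET['id']]['Name']."</p>";
  }
}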

you'll find you can no longer get the large gun,

 

Hope that helps

 

EDIT:

Now just say your shop will display a random item with the option to buy it, then you need to check that that item was on offer to that user, so save its ID in a session or a database whatever.. just somewhere the user can't access,
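The idea in the EDIT above, as an added example that is not part of the original post: the display step records which ids were offered, and the purchase step accepts a submitted id only if it is in that record. The function names offerItems() and purchase() and the 'offered' session key are assumptions; $session stands in for $_SESSION after session_start().

```php
<?php
$items = array(
    1 => array("Name" => "small gun",  "Price" => 10),
    2 => array("Name" => "medium gun", "Price" => 50),
    3 => array("Name" => "large gun",  "Price" => 100),
);

// Display step: work out what this visitor may buy and remember it server side.
function offerItems(array $items, $money, array &$session) {
    $session['offered'] = array();
    foreach ($items as $id => $item) {
        if ($item['Price'] <= $money) {
            $session['offered'][] = $id;
        }
    }
    return $session['offered'];
}

// Processing step: the submitted id is untrusted, so it is accepted only
// if it is a plain number that was recorded during the display step.
function purchase(array $items, $money, array &$session, $submittedId) {
    $refused = "Sorry, that item is not available.";
    if (!is_string($submittedId) || !ctype_digit($submittedId)) {
        return $refused;
    }
    $id = (int) $submittedId;
    $offered = isset($session['offered']) ? $session['offered'] : array();
    if (!isset($items[$id]) || !in_array($id, $offered, true)) {
        return $refused;
    }
    // Re-check the price: the balance may have changed since the page was shown.
    if ($items[$id]['Price'] > $money) {
        return $refused;
    }
    return "You have purchased the " . $items[$id]['Name'];
}

// Constructed demo values; in a real page pass $_SESSION and $_GET['id'].
$session = array();
$money = 75;
offerItems($items, $money, $session);
foreach (array('2', '3', '99', 'abc') as $requestId) {
    echo $requestId, ' => ', purchase($items, $money, $session, $requestId), "\n";
}
```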

 

In case stating it one more time will help -

 

You should already be checking when you produce the form and when you process the form submission that the current visitor has the necessary permissions (money/level) to access (buy) the specific id value

The id is passed as a hidden field in the form so that users won't be able to edit it as they wish.

 

I don't know how many more ways this can be stated: a hidden field does not prevent anyone from changing a damn thing.

 

All anyone has to do is copy the page source and paste it into a text editor to do the exact same thing. That's why you validate and sanitize any incoming data, every time, all the time.

 

Anyone with a text editor can change the value of any form field, whether or not it's "hidden", since it still shows in the source markup. If there are values you don't want the user to have access to, you need to keep them server side, in $_SESSION variables.

 

They don't need firebug to do that...

 

^^^ See the information already stated.

 

There's no point in trying to detect a client side tool like that because you don't need any tool other than a browser and a simple editor to see and get the HTML of the form and produce a form that has any value for any hidden field and submit it to your server.

 

NOTHING is stopping a person from right clicking your page, going to View Source and saving it to their computer and changing it as they see fit and submitting back to your server.

 


Thank you so much for writing such a detailed reply, I apologize for not noticing it while posting the last message. So what you are inferring is that there is no definite way of preventing users from hacking, the only possible approach is to intelligently verify each user submitted data? So assume in my script users can select their own pet ids to breed, but they can use firebug/inspect element to change the id to anything they want(even other people's pets). What I should do is to add another checkpoint to see if the selected adoptable id belongs to this specific user and returns a 'hacking attempt' message if the pet actually belongs to someone else? Is this gonna work?

What I should do is to add another checkpoint to see if the selected adoptable id belongs to this specific user and returns a 'hacking attempt' message if the pet actually belongs to someone else? Is this gonna work?

It all depends how you code it, but your theory is right on the money.

In regards to the error, maybe don't use a "hacking attempt" message because something may occur in the future for a regular user which may present them with this error. A simple "Sorry, but this pet was unable to be adopted" would suffice.
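The ownership check agreed on in the posts above, as an added example that is not code from the thread: each submitted pet id is looked up together with the logged-in user, and any mismatch gets the same neutral message. The table and column names (pets, aid, owner, name) and the functions ownedPet() and breed() are assumptions, and the in-memory SQLite table holds constructed data.

```php
<?php
// Constructed data: an in-memory SQLite table standing in for the real one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE pets (aid INTEGER PRIMARY KEY, owner TEXT, name TEXT)");
$db->exec("INSERT INTO pets VALUES (1, 'alice', 'Rex'), (2, 'alice', 'Mia'), (3, 'bob', 'Zed')");

// Returns the pet row only if $submittedId is a number AND the pet belongs to $user.
function ownedPet(PDO $db, $user, $submittedId) {
    if (!is_string($submittedId) || !ctype_digit($submittedId)) {
        return null;
    }
    // The owner is part of the WHERE clause, so someone else's pet is simply not found.
    $stmt = $db->prepare("SELECT aid, name FROM pets WHERE aid = ? AND owner = ?");
    $stmt->execute(array((int) $submittedId, $user));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Breeding takes two pets; both must exist, differ, and belong to the same user.
function breed(PDO $db, $user, $idA, $idB) {
    $a = ownedPet($db, $user, $idA);
    $b = ownedPet($db, $user, $idB);
    if ($a === null || $b === null || $a['aid'] == $b['aid']) {
        // Same neutral message for every failure, as suggested in the thread.
        return "Sorry, these pets cannot be bred.";
    }
    return "Breeding {$a['name']} with {$b['name']}";
}

// $user would come from $_SESSION after login, never from the form.
$user = 'alice';
echo breed($db, $user, '1', '2'), "\n";   // both pets belong to alice
echo breed($db, $user, '1', '3'), "\n";   // pet 3 belongs to bob
echo breed($db, $user, '1', 'abc'), "\n"; // not a number
```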

Hall of Famer, do you know how hidden inputs actually work?  It doesn't appear that you do.

 

A hidden input is not rendered to the screen.  However, it is present in a page's markup/HTML.  That means all anyone needs to do to see what's in a hidden input is select the 'View Source' option in their browser.  They will see something like:

 

<input type="hidden" name="secret" value="something important" />

 

In among all of the other form inputs.  What does that mean?  It means that anyone with an inkling of knowledge about HTML, scripting, and databases (which, I assure you, anyone who would want to screw with your site has) will be able to mess with your form data without needing a special browser plugin to do it.  How is it possible?  There's nothing stopping a would-be attacker from creating their own version of your form in HTML and having it post to your form handler.

 

So, in short:

 

1. Hidden inputs are not supposed to be used as a security measure.

 

2. No one needs a plugin in order to hack your site.

 

You're really barking up the wrong tree here.  Plugins have nothing to do with site security.  At all.  End of story.  Like others have said, what you need to do is write input sanitizing and validation code in your script.

First rule.. never trust user input.. if your user can submit it then it's untrusted,

 

What it seems you are doing is creating the html that reflects what the users should be able to purchase,

so far so good

Then they select a pet and the form posts that pet's id back to a script to add it to their.. erm basket! (whatever)

Logically that's fine BUT what happens if the user passes a pet id of a pet they can't have ?

well currently they get that pet.. but why I hear you ask!

 

Well let's look at the logic again

"Then they select a pet"

So this is your "protection"

"the form posts that pet's id back to a script to add it to their.. erm basket! (whatever)"

Well here is the problem, there is nothing stopping them posting any pet id,

 

So what you need to do is add the same protection to the adding as you did for the displaying..

 

if you look back on the example I posted, this is the display

foreach($items as $id => $item){
  echo $item['Name'];
  if($item['Price'] <= $money){
    echo ' <a href="?do=purchase&id='.$id.'">Buy Now</a>';
  }else{
    echo ' <a href="javascript:alert(\'Need more money\');">need more funds</a>';
  }
  echo "<br />";
}

 

and this was the Purchasing

//Purchase (before the check was added)
if(!empty($_GET['do']) && !empty($_GET['id']) && $_GET['do'] == 'purchase'){
    echo "<p>You have purchased the ".$items[$_GET['id']]['Name']."</p>";
}

 

Now as per the example, I could enter any value and get the "large gun"

 

To stop this I added the same logic used in the display to the purchasing

So display had this

if($item['Price'] <= $money)

I could have written it like this (same thing)

if($items[$id]['Price'] <= $money)

 

So for purchasing I added this

if($items[$_GET['id']]['Price'] <= $money)

 

so it became

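//Purchase
if(!empty($_GET['do']) && !empty($_GET['id']) && $_GET['do'] == 'purchase'){
  // Added IF statement. isset() also turns away ids that are not in $items:
  // a missing item's Price is null, and null <= $money is true in PHP
  if(isset($items[$_GET['id']]) && $items[$_GET['id']]['Price'] <= $money){
    echo "<p>You have purchased the ".$items[$_GET['id']]['Name']."</p>";
  }
}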

 

 

So now the display only has the buy option on items they can buy and once the script is requested to add that item I check they can buy what they have selected to buy..

 

It would be kinda hard to give you exact detail as I am not sure what the conditions are for adopting the pets,

the problem would most likely be in "poundpost.php" but it's hard to say!..

 

really need some more info about what should happen and what is happening, then I'll know what code to see (it will be the display then the process request)

 

--Hope that helps,

 

PS I did create an account to see but I need the eggs at level 5 before I can breed them, so I am not sure where the problem currently is..

 

 
