Jump to content

Help Blocking GET Input

Zulumander

By Zulumander
in PHP Coding Help

 Share

Recommended Posts

Zulumander Newbie

Zulumander

Posted
Posted

Hi.

 

I recently developed a .NET Program (including GUI) which would send data to a website/dir/script.php by using the GET Method. However people are able to scan the program to find the path of the Script, and add in their own $_GET Data like Username=user&pass=pass, etc.

 

I want to block how they manage to input their own data, and just allow it through the program. I know this may sound stupid, and probably is very delicate thing to do, but I really do need it.

 

The reason it should require the program, is because it uses the Machine's HWID to make sure they only do the Form 1 time a day (Data inserted to MySQL DB)

 

Currently they are for example changing their HWID everytime they do a new request.

 

 

So my question is, is there any way to block user-input of GET variables ?

Link to comment
https://forums.phpfreaks.com/topic/279213-help-blocking-get-input/
Share on other sites
Christian F. Member

Christian F.

Posted
Posted

You cannot make it 100% safe, but you can make it a bit more troublesome. The easiest way to do so, is to implement SSH and asymmetric encryption to your application.

 

Note that even if you encrypt all of the communication, you have still given the user the key to said encryption. That means that they can still find this key, and send whatever input they like to the PHP page. Which means that you have to secure the PHP application properly in any way, to ensure that people are not able to attack your site easily.

 

That said: There are no quick fix for anything when it comes to security, and it is an ongoing process during the entire planning, programming and maintenance stages. What steps you need to take depends upon all other choices you've done, and what capabilities you want to have in your code.

Zulumander Newbie

Zulumander

Posted
  • Author
Posted

Thanks a lot for helping!

 

Well, I did a sneaky thing by reversing the Username & Password $_GET values to be rendered useless, by using Session instead. Because the program requires authentication before sending the parameters, so now it'll base it on those paramters instead. So now they cannot do that to the Script that actually is worth protecting

 

However, if they find the link to the Authentication Script, they may just as well be able to do the very same thing again. I'm stumbled.

trq Prolific Member

trq

Posted
Posted

A few ways you can do this sort of thing, but one simple way is to create a unique key using a salt that only you know about.

 

In your program, get all the details you are going to send into one string, eg;

 

$s = "username=foo&data=bar";
Hash this string along with your salt and append it to the actual string.

 

$s = "username=foo&data=bar";
$hash = sha1('somesalt' . $s);
$s = "username=foo&data=bar&key=" . $hash;
Now, on the receiving end make sure that the data within $_GET['key'] equals the entire original string.

 

You can even add a timestamp to this sort of thing so that a request only has a short lifespan before it needs to be regenerated again.

 

This is how we do all our app to app api calls at work, simple, yet effective.

Zulumander Newbie

Zulumander

Posted
  • Author
Posted

Dumb question: Do you need to send the data via GET? Something like what you describe just screams POST to me.

 

You will find it very difficult to make a .NET Program (Using Browser to send Data) to send a Machine's HWID in a POST Form since that is actually done through a Browser and I can't think of a way to send that data to the webscript without using GET.

 

And thank you, trq, for the input, I will give it a go.

Zulumander Newbie

Zulumander

Posted
  • Author
Posted (edited)

A few ways you can do this sort of thing, but one simple way is to create a unique key using a salt that only you know about.

 

In your program, get all the details you are going to send into one string, eg;

 





$s = "username=foo&data=bar";
Hash this string along with your salt and append it to the actual string.

 





$s = "username=foo&data=bar";
$hash = sha1('somesalt' . $s);
$s = "username=foo&data=bar&key=" . $hash;
Now, on the receiving end make sure that the data within $_GET['key'] equals the entire original string.

 

You can even add a timestamp to this sort of thing so that a request only has a short lifespan before it needs to be regenerated again.

 

This is how we do all our app to app api calls at work, simple, yet effective.

 

 

I understand the concept of this, but if they re-scan the new program and see the Hash being let's say "somesalt"

 

Then wouldn't they be able to just get a Free-web host, and get the parameters like this:

 

echo sha1('somesaltusername=myuser&password=mypass');

 

And eventually do it as

 

 

 

Technically?

Edited by Zulumander
kicken Prolific Member

kicken

Posted
Posted

I understand the concept of this, but if they re-scan the new program and see the Hash being let's say "somesalt"

The main idea is that your average user/script-kiddy isn't going to either be able to, or take the time to try and extract the key/salt from your software.

 

Someone who does decide to try and extract the key/salt from the program could continue to generate their own requests.

trq Prolific Member

trq

Posted
Posted

You will find it very difficult to make a .NET Program (Using Browser to send Data) to send a Machine's HWID in a POST Form since that is actually done through a Browser and I can't think of a way to send that data to the webscript without using GET.

.Net is quite capable of sending POST requests.

 

I understand the concept of this, but if they re-scan the new program and see the Hash being let's say "somesalt"

When you said "scan", I thought you meant they where watching the requests it was making, not scanning through the actual code. It's .Net, can't you compile it?

KevinM1 Advanced Member

KevinM1

Posted
Posted

You will find it very difficult to make a .NET Program (Using Browser to send Data) to send a Machine's HWID in a POST Form since that is actually done through a Browser and I can't think of a way to send that data to the webscript without using GET.

Like trq said, and in doing web-based .NET work myself, .NET is definitely capable of sending a POST request. Indeed, that's how both ASP.NET and ASP.NET MVC work. There's absolutely no reason why you can't use the System.Net.Http namespace and send a HttpRequestMessage to your other script.

 

Really, you should probably be using ASP.NET MVC from the start if it's supposed to be web-based.

Zulumander Newbie

Zulumander

Posted
  • Author
Posted

The main idea is that your average user/script-kiddy isn't going to either be able to, or take the time to try and extract the key/salt from your software.

 

Someone who does decide to try and extract the key/salt from the program could continue to generate their own requests.

 

 

I understand the idea, and of course they may have a difficult time figuring out the key's encryption, I'm just saying it would still be possible if they're capable enough, and I understand that's an inevitable factor which nobody can deny. But I also see where you're coming from, stating average user/script-kiddy, seeing as the people I'm talking about aren't exactly 'big-crackers' so to speak, so I totally agree with you.

 

 

.Net is quite capable of sending POST requests.

 

 

When you said "scan", I thought you meant they where watching the requests it was making, not scanning through the actual code. It's .Net, can't you compile it?

I never bothered with POST Requests through .NET mainly because I had no clue it actually worked. I was told so by my teacher back in College. I guess he wasn't much of a teacher, then..

 

I'm sorry for not being literal on the 'scan' part, I meant that they decompiled the Program itself, and just read bits and pieces of fragments of the code that remained, and eventually put together the required pieces for the 'recipe' (Link + Paramters).

 

I have currently solved the solution by over-extending your suggestion of using a Key. This is what I did:

 

Note that when I said Webbrowser, I was also not specific. What I meant was it's a hidden Browser which the user can't see nor navigate through, so all Requests to the pages, are hidden.

 

1. Created a very long Hash Key (no encryption yet)

2. Added the Additional User Crendetials (Everything combined) to the Hash (Hash &= Extras)

3. I then encrypted the Key, X amount of times, and used it to send as a parameter to the webscript.

4. Additionally, I exaggerated the security check by encrypting the Username & Passwor X amount of Times, that are also sent to the Script.

5. The receiving end - The Script - then checks if the Key matches the Script's Generated Version of the Key, and also checks if the Session's Username & Password matches the Hashed Username & Password sent from the program, to the script.

6. I compiled the Program

7. I obfuscated as much as I possibly could, making it more difficult to read & crack.

8. Shared it with my large playerbase.

 

This seems to have worked out thus far, and I'm hoping it will stay that way. I thank you for your help, it's appreicated.

 

I'd also like to ask how You'd send POST Requests from .NET, like Let's say I grab the User's HWID, and there's a type="hidden" field of the POST Form, how would I make the Script determine that the hidden field for HWID, should contain the details of .NET's variable that grabs the HWID?

KevinM1 Advanced Member

KevinM1

Posted
Posted (edited)

How are you sending the GET request?

 

Functionally, GET and POST are very similar - they're just key-value pairs.  If you can grab the HWID and stuff it in a pair for a GET request, you can definitely do the same for POST.  In terms of actually sending the requests, that's a bit out of bounds on a PHP forum, but like I wrote earlier, look at the System.Net.Http namespace and the HttpRequestMessage class (MSDN is your friend: http://msdn.microsoft.com/en-us/library/system.net.http.httprequestmessage.aspx -- if that doesn't match your version of .NET, search for what will match your version).

 

You likely don't need your hidden browser, either, as a browser is not required to send HTTP requests.  Look at cURL as an example.  You can just have whatever UI you're using tell your underlying process to send a HTTP request to the other script, then display the results.  Even better, you can do it in a RESTful way, meaning only using GET to retrieve information, and using POST to create/update/send data (like a user login).

 

EDIT: And yeah, your college teacher sounds like he didn't know what he was doing.  .NET has never not been able to send POST requests.  Web forms/ASP wouldn't work without it.

Edited by KevinM1
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.