Posted to asp@perl.apache.org by pkunal <pk...@yahoo.com> on 2003/07/17 18:52:22 UTC

Form Problem.

All,

The situation is this.

On my web page "products.asp" I am displaying all the products from 
my database and allow the user to select the quantity he wants to 
buy.

So to make it short:
"$itemCode" comes from a query to the database, one per item in the 
database. The form looks like this:

<form action="/asp/verify.asp">
<select name="Qty_<%=$itemCode%>">
<option selected>0</option>
<option>1</option>
<option>2</option>
<option>3</option>
</select>
<input type="submit" name="SUBMIT">
</form>

So the quantity is passed to "verify.asp" through the querystring 
and looks like this:
http://....../verify.asp?Qty_1=1&Qty_2=3....

The query string gets long depending on the number of products I 
have. Then I again retrieve the "itemcode" and its 
selected "quantity" on the "verify.asp" page using the "$Request->QueryString()" object.

I am not happy with this solution, as it makes the website 
vulnerable: a user can input anything in the 
querystring "http://....../verify.asp?Qty_1=1&Qty_2=3....".

Please suggest a good way to do this.

Thanks,
Kunal Parekh.


---------------------------------------------------------------------
To unsubscribe, e-mail: asp-unsubscribe@perl.apache.org
For additional commands, e-mail: asp-help@perl.apache.org


Re: Form Problem.

Posted by Tim Pushor <ti...@crossthread.com>.
Hi,

So what is the problem? What are you worried about?

What does the bad guy have to gain by formulating his own query string?

pkunal wrote:

>All,
>
>The situation is this.
>
>On my web page "products.asp" I am displaying all the products from 
>my database and allow the user to select the quantity he wants to 
>buy.
>
>So to make it short:
>"$itemCode" comes after a query to the database for each item in 
>database. The form looks like this:
>
><form action="/asp/verify.asp">
><select name="Qty_<%=$itemCode%>">
><option selected>0</option>
><option>1</option>
><option>2</option>
><option>3</option>
></select>
><input type="submit" name="SUBMIT">
></form>
>
>So the quantity is passed to "verify.asp" through the querystring 
>and looks like this:
>http://....../verify.asp?Qty_1=1&Qty_2=3....
>
>The query string gets long depending on the number of products I 
>have. Then I again retrieve the "itemcode" and its 
>selected "quantity" on the "verify.asp" page using the "$Request->QueryString()" object.
>
>I am not happy with this solution. As it makes the website 
>vulnerable as a user can input anything in the 
>querystring "http://....../verify.asp?Qty_1=1&Qty_2=3....".
>
>Please suggest a good way to do this.
>
>Thanks,
>Kunal Parekh.
>





Re: Form Problem.

Posted by Thanos Chatziathanassiou <tc...@arx.net>.
Well, the previous post pretty much posed an interesting question. 
Since you're going to verify everything yet again as the user is moving 
to purchase, what's the problem with a bad guy playing around with the 
form a bit?
Anyways, here we go...

KUNAL PAREKH wrote:

>If I make a session variable like this:
>$Session->{SomethingRandom} =
>"Qty_$itemCode=2&Qty_$itemCode=3......"
>
>That could work. However can this session variable be
>made on the same page as "products.asp" as soon as the
>form "Submit" button is clicked? If yes please let me
>know how.
>
Actually, I was thinking more in the sense of:
--snip products.asp--
<%
    # stamp the session when the form page is served
    $Session->{'random'} = time();
%>
<form action="verify.asp"......
--snip products.asp--

--snip verify.asp--
<%
    # reject if $Session->{'random'} is missing or has not been set
    # in the last 2 hours....
    if (!defined $Session->{'random'}
        || $Session->{'random'} < (time()-7200) ) {
       die "Bad boy!!!\n";
    }
....
%>
--snip verify.asp--

>>b) check the HTTP_REFERER and reject if it's not the
>>one You're 
>>expecting (the page the form is in)
>I will have to read more about this. I am not familiar
>with this method.
>
Something like :
--snip verify.asp--
<%
    # HTTP_REFERER SHOULD point to the page where the user was selecting
    # products; an absent header is treated the same as a wrong one
    my $referer = $Request->ServerVariables('HTTP_REFERER') || '';
    if ($referer !~ /products\.asp/) {
       die "Bad boy!!!\n";
    }
....
%>
--snip verify.asp--

>>c) using POST instead of GET, so as not to worry
>>about the amount of 
>>user input (and making it a little more complicated
>>to ``fabricate'' a 
>>request by hand).
>
>The problem with POST and GET method is I will have to
>name each form variable. This is not possible in my
>case as I am naming the variables as "Qty_$itemCode"
>where $itemCode comes from the "products" database and
>I expect it to change very often. I think I understood
>right what you were saying however if I missed the
>point let me know.
>
I didn't realize that you're parsing the QueryString by hand...
You can, of course, do the same with POST, just look for $Request->Form 
(reference to a hash - see the Apache::ASP site for details) and iterate 
over the keys.
Or even (OK, I know I'm pushing things a bit, but), if you don't feel 
comfortable with that...
how about creating a hidden form element, where you just name the fields 
you should be collecting, something like
<input type="hidden" name="index" value="Qty_$itemCode">

>>d) obfuscating the form input, so as not to make it
>>so obvious.
>No. There is no limitation of obfuscation. There is
>always a possibility of someone outsmarting you.
>
Fair enough...

Regards,
Thanos Chatziathanassiou





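As an added example (not code from the thread or from Apache::ASP itself), here is how verify.asp could apply suggestions (a) and (c) together: a freshness check on the session stamp, and a walk over every submitted field that keeps only well-formed "Qty_<itemCode>" names whose code exists and whose quantity is one the <select> actually offered. It is written as plain Perl subs fed hashrefs in place of $Session and $Request->Form, with a constructed catalogue hash standing in for the products database, so it runs outside the server.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# (a) products.asp stored time() in $Session->{'random'}; accept the
# submission only if that stamp exists, is numeric and is at most
# $max_age seconds old. $session stands in for Apache::ASP's $Session.
sub session_token_is_fresh {
    my ($session, $max_age, $now) = @_;
    $now = time() unless defined $now;
    my $stamp = $session->{'random'};
    return 0 unless defined $stamp && $stamp =~ /^\d+$/;
    return 0 if $stamp > $now;                 # a stamp from the future is bogus
    return ($now - $stamp) <= $max_age ? 1 : 0;
}

# (c) iterate over the keys of the form hash ($Request->Form returns a
# hashref in Apache::ASP), keep only Qty_<itemCode> fields, and accept a
# quantity only if the code is in the catalogue and the value is one the
# <select> actually offered (0..$max_qty). Everything else is reported.
sub collect_quantities {
    my ($form, $catalog, $max_qty) = @_;
    my (%order, @rejected);
    for my $name (sort keys %$form) {
        my ($code) = $name =~ /^Qty_(\w+)$/ or next;   # skip SUBMIT and friends
        my $qty = $form->{$name};
        my $ok  = exists $catalog->{$code}
               && defined $qty && $qty =~ /^\d+$/ && $qty <= $max_qty;
        if (!$ok) { push @rejected, $name; next; }
        $order{$code} = $qty if $qty > 0;              # 0 means "not ordered"
    }
    return (\%order, \@rejected);
}

# Constructed sample data: a two-item catalogue and a tampered submission
# (Qty_99 names an item that does not exist, Qty_2 is out of range).
my %catalog = (1 => 'Widget', 2 => 'Gadget');
my %form    = (Qty_1 => '1', Qty_2 => '7', Qty_99 => '2', SUBMIT => 'Submit');
my %session = (random => time() - 60);

if (session_token_is_fresh(\%session, 7200)) {
    my ($order, $rejected) = collect_quantities(\%form, \%catalog, 3);
    print "accepted: ", join(', ', map { "$_=$order->{$_}" } sort keys %$order), "\n";
    print "rejected: ", join(', ', @$rejected), "\n";
} else {
    print "no fresh session token; rejecting submission\n";
}
```

Inside Apache::ASP the same subs would be called with $Session and $Request->Form() as the hashrefs, and the catalogue lookup would be a query against the products table.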

Re: Form Problem.

Posted by KUNAL PAREKH <pk...@yahoo.com>.
Thanos,

Thank you for your reply. 

My response to the suggestions you provided is as
follows:

> You can try (by personal order of preference):
> a) setting something completely random in the
> $Session object in the 
> form's page and checking for its existence in the
> verify.asp. If it 
> isn't there, reject the data.

If I make a session variable like this:
$Session->{SomethingRandom} =
"Qty_$itemCode=2&Qty_$itemCode=3......"

That could work. However can this session variable be
made on the same page as "products.asp" as soon as the
form "Submit" button is clicked? If yes please let me
know how.

> b) check the HTTP_REFERER and reject if it's not the
> one You're 
> expecting (the page the form is in)

I will have to read more about this. I am not familiar
with this method.

> c) using POST instead of GET, so as not to worry
> about the amount of 
> user input (and making it a little more complicated
> to ``fabricate'' a 
> request by hand).

The problem with POST and GET method is I will have to
name each form variable. This is not possible in my
case as I am naming the variables as "Qty_$itemCode"
where $itemCode comes from the "products" database and
I expect it to change very often. I think I understood
right what you were saying however if I missed the
point let me know.


> d) obfuscating the form input, so as not to make it
> so obvious.

No. There is no limitation of obfuscation. There is
always a possibility of someone outsmarting you.

> e) accepting form input only from trusted sources
> (ie registered and/or 
> authenticated users).

Well on most ASP sites I visit (and even like to
visit) you can always see their products page first
even without registering at the site. Sometimes start
shopping and register when you are "Checking Out". I
would like to keep it the same. Later on every page
can be visited only by registered users.

> f) IP address restriction (kinda like defeats the
> purpose of the web, 
> don't it ?)

I think too it's not a practical solution.

> g) any combination of the above.


So please expand on your suggestion "a".

Please try to answer the question I have related to
suggestion a.

Thanks,
Kunal Parekh.



Re: Form Problem.

Posted by Thanos Chatziathanassiou <tc...@arx.net>.
You can try (by personal order of preference):
a) setting something completely random in the $Session object in the 
form's page and checking for its existence in the verify.asp. If it 
isn't there, reject the data.
b) check the HTTP_REFERER and reject if it's not the one You're 
expecting (the page the form is in)
c) using POST instead of GET, so as not to worry about the amount of 
user input (and making it a little more complicated to ``fabricate'' a 
request by hand).
d) obfuscating the form input, so as not to make it so obvious.
e) accepting form input only from trusted sources (ie registered and/or 
authenticated users).
f) IP address restriction (kinda like defeats the purpose of the web, 
don't it ?)
g) any combination of the above.

A sufficiently motivated ``bad guy'' will most definitely find ways to 
overcome all the above methods, especially if it's worth the trouble. YMMV.
That's all I can think of right now. I'm sure others will contribute 
their favourite methods too. Maybe we can compile an exhaustive list of 
those (should we?).

Regards,
Thanos Chatziathanassiou


pkunal wrote:

>All,
>
>The situation is this.
>
>On my web page "products.asp" I am displaying all the products from 
>my database and allow the user to select the quantity he wants to 
>buy.
>
>So to make it short:
>"$itemCode" comes after a query to the database for each item in 
>database. The form looks like this:
>
><form action="/asp/verify.asp">
><select name="Qty_<%=$itemCode%>">
><option selected>0</option>
><option>1</option>
><option>2</option>
><option>3</option>
></select>
><input type="submit" name="SUBMIT">
></form>
>
>So the quantity is passed to "verify.asp" through the querystring 
>and looks like this:
>http://....../verify.asp?Qty_1=1&Qty_2=3....
>
>The query string gets long depending on the number of products I 
>have. Then I again retrieve the "itemcode" and its 
>selected "quantity" on the "verify.asp" page using the "$Request->QueryString()" object.
>
>I am not happy with this solution. As it makes the website 
>vulnerable as a user can input anything in the 
>querystring "http://....../verify.asp?Qty_1=1&Qty_2=3....".
>
>Please suggest a good way to do this.
>
>Thanks,
>Kunal Parekh.
>


