Preventing saved web pages submitting data

One solution to this, used by the banks for ecommerce is to create a hash
value of the hidden fields, using a secret key.

On the server, you run the hidden fields through the hash function, and put
the value returned in the hidden fields as well.

When the page is submitted to the server, the hidden fields are again run
through the hash function, and the value is compared to the hash value in
the hidden field on the form.

If the two hash values differ, then you know the fields have been tampered
with, and can reject the data.

This is used often on ecommerce sites, as the order total, or product price
is usually included as a hidden field. Without the hash check, people could
order from the website, but save the checkout page, alter the order value,
and then submit the page themselves. If the merchant isn't vigilant and
doesn't check every order, you can buy the goods for a fraction of the
value. I have actually seen this been done in real life (although not on
sites I`ve created :-) ).

--
Gareth
http://www.phploginsuite.co.uk/
PHP Login Suite V2 - 34 Server Behaviors to build a complete Login system.

New Guy wrote:
> they shouldn't be able to download your whole page- just the html part.
> Hence- No functionality.

Not true. All that the attacker needs to do is to change the value of
the action attribute to the URL, and the form data will be accepted.

Using a hidden field that would permit anyone to change the SQL query
from from INSERT to DELETE is simply asking for trouble. Permission to
delete should be restricted to registered users on a password-protected
part of the site.

--
David Powers, Adobe Community Expert
Author, "Foundation PHP for Dreamweaver 8" (friends of ED)
Author, "PHP Solutions" (friends of ED)
http://foundationphp.com/

they shouldn't be able to download your whole page- just the html part.
Hence- No functionality.

-= Brad =- wrote:
> Hi,
>
> whilst someone was messing around with a simple site I built (literally just a
> guestbook thing using all the DW behaviours) they found something I hadn't
> really thought about.
>
> They could save the web page with the form on, to their desktop. They could
> then use this saved form to submit data to the webserver.
>
> This got me thinking. If I was to use hidden form elements to control the
> behaviour of the submitted data (for example, <input name="dataaction"
> value="add">), in theory someone could save the page, change the value to
> 'delete' and I don't really need to say any more!
>
> So my question is this - what's the best way to make sure only pages served by
> the webserver can do anything (to disable pages being able to be saved and
> edited)? I guess this can also apply to URL tampering...
>
> HTTP_REFERRER seems to be a little unreliable!
>
> I'd rather know how to do this using DW behaviours or something, but if not
> then any solution will do.
>
> I'm interested in solutions for ASP and PHP.
>
> Thanks in advance.
>