PHP Security - HTTP Request Spoofing

HTTP request spoofing

A more advanced and sophisticated attack than form spoofing is HTTP request spoofing. This gives the attacker complete control and flexibility, and it further proves that any data submitted by the user cannot be blindly trusted.

To demonstrate how this works, take a look at the following form located at http://www.php.cn/:

CODE:

 <form action="process.php"
method="POST">
  <p>Please select a color:
  <select name="color">
    <option value="red">Red</option>
    <option
value="green">Green</option>
    <option
value="blue">Blue</option>
  </select><br />
  <input type="submit" value="Select"
/></p>
  </form>

If the user selects Red and clicks the Select button, the browser will issue the following HTTP request:

CODE:

 POST /process.php HTTP/1.1
  Host: example.org
  User-Agent: Mozilla/5.0 (X11; U; Linux i686)
  Referer: http://www.php.cn/
  Content-Type:
application/x-www-form-urlencoded
  Content-Length: 9
 
  color=red

.

Seeing as most browsers include an origin URL value, you might be tempted to use the $_SERVER['HTTP_REFERER'] variable to prevent spoofing. Sure, this can be used against attacks using standard browsers, but attackers won't be deterred by this little annoyance. By editing the raw information of an HTTP request, an attacker can completely control the values ​​of HTTP headers, GET and POST data, and all content in the HTTP request.

How does an attacker alter the original HTTP request? The process is very simple. Through the Telnet utility provided on most system platforms, you can communicate directly with the web server by connecting to the web server's listening port (typically port 80). The following is an example of using this technique to request the http://www.php.cn/ page:

CODE:

$ telnet example.org 80
  Trying 192.0.34.166...
  Connected to example.org (192.0.34.166).
  Escape character is '^]'.
  GET / HTTP/1.1
  Host: example.org
 
  HTTP/1.1 200 OK
  Date: Sat, 21 May 2005 12:34:56 GMT
  Server: Apache/1.3.31 (Unix)
  Accept-Ranges: bytes
  Content-Length: 410
  Connection: close
  Content-Type: text/html
 
  <html>
  <head>
  <title>Example Web Page</title>
  </head>
  <body>
  <p>You have reached this web page by typing
&quot;example.com&quot;,
  &quot;example.net&quot;, or
&quot;example.org&quot; into your web browser.</p>
  <p>These domain names are reserved for use
in documentation and are not
  available for registration. See
  <a
href="http://www.rfc-editor.org/rfc/rfc2606.txt">RFC 2606</a>,
Section
  3.</p>
  </body>
  </html>
 
  Connection closed by foreign host.
  $

The request shown in the above example is the simplest request that complies with the HTTP/1.1 specification. This is because the Host information is the header Required in the external information. Once you enter two consecutive newlines indicating the end of the request, the entire HTML response is displayed on the screen.

The Telnet utility is not the only way to communicate directly with a web server, but it is often the most convenient. But if you encode the same request in PHP, you can automate it. The previous request can be implemented with the following PHP code:

CODE:

##

<?php
 
  $http_response = &#39;&#39;;
 
  $fp = fsockopen(&#39;example.org&#39;, 80);
  fputs($fp, "GET / HTTP/1.1\r\n");
  fputs($fp, "Host: example.org\r\n\r\n");
 
  while (!feof($fp))
  {
    $http_response .= fgets($fp, 128);
  }
 
  fclose($fp);
 
  echo nl2br(htmlentities($http_response,
ENT_QUOTES, &#39;UTF-8&#39;));
 
  ?>

Of course, there are many ways to achieve the above purpose, but the main point is that HTTP is a well-known standard protocol, and attackers with a little experience will be very familiar with it. , and are also familiar with common security vulnerability attack methods.

Compared with spoofing forms, there are not many ways to spoof HTTP requests, so you should not pay attention to it. The reason I describe these techniques is to better demonstrate how easy it is for an attacker to enter malicious information into your application. This again emphasizes the importance of filtering input and the fact that any information provided by an HTTP request cannot be trusted.

The above is the content of PHP security-HTTP request spoofing. For more related content, please pay attention to the PHP Chinese website (www.php.cn)!