Solved

Can you determine where a request originates from in PHP script?

Posted on 2011-09-05
11
242 Views
Last Modified: 2012-08-13
I have a script that serves back a graphic.  It includes a database request, but if I can be confident that the request for that graphic originated from my own server, I could skip the DB call and save myself a lot of DB chatter.  Instead, I'd just serve back the graphic.

If I check the referrer and it includes my domain name, is that good?
Question by:trippy1976
11 Comments
 
LVL 17

Accepted Solution

by:
nanharbison earned 500 total points
ID: 36485536
Yes, it is usually:
$_SERVER['HTTP_REFERER']


 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 36485560
It's good as long as there is no money involved in doing that.  If there were enough money involved to interest a thief, then you would have to be concerned about the referrer being spoofed.  Otherwise, usually no problem.
 
LVL 17

Expert Comment

by:nanharbison
ID: 36485579
Good point Dave!
 
LVL 27

Expert Comment

by:yodercm
ID: 36485630
It takes a lot of effort to fake one of the $_ variables, so you're pretty safe except against some really serious hacking.
 
LVL 17

Expert Comment

by:nanharbison
ID: 36485667
You can get a lot of information from the server variables, which you can see here:
http://php.net/manual/en/reserved.variables.php
If you google server variables, you can find tons of tutorials about them, here is one:
http://www.developerfusion.com/article/3703/an-introduction-to-php/5/
 
LVL 5

Expert Comment

by:wmadrid1
ID: 36485770
This var $_SERVER['HTTP_REFERER']
can be modified by changing the headers with CURL.

You can add a bit of security by adding to the request some encrypted variable joined with a salt.
For example, if the image has an ID, you can define a secret word "secret", and do an md5 like this
$enc = md5("secret".$id);

and validate this string.
 
LVL 4

Author Comment

by:trippy1976
ID: 36488335
I was looking at the $_SERVER['HTTP_REFERER'] thing, but as was mentioned - this seems like it can be fudged pretty easily.  Seems like security by obscurity to me.

Is there anything that is harder to fake, like maybe IP address of the request?  

The script is being called by mod_rewrite, can I do anything at that level?

What I mean is that if you request this from my server:
http://www.mysite.com/images/3000/image.jpg

What will actually happen is you get an image that is served by:

http://www.mysite.com/scripts/getimg.php?id=3000

This is done by mod_rewrite on the server.  But the user doesn't know, they are still using the direct JPG links.

I'm not sure how many thousands of these graphics I serve a day, but I think it's many tens of thousands at the least.  So now with the script in place, it's doing a DB check for every image requested to ensure the user has set that image to publicly accessible.

I'm concerned about the load this is going to place on the database.  So I want to do a (presumably faster) check that determines whether the request is for a graphic embedded in my site or if it's being used at a third party site (which is common for us).

Does $_SERVER['HTTP_REFERER'] seem to work in this use case?
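The following is an added example for this thread, not code from any of the posters. It pulls together the accepted answer (check $_SERVER['HTTP_REFERER']), wmadrid1's "secret + id" token, and the asker's getimg.php use case into one decision function: a valid token proves the link was generated by your own pages, while the Referer is treated only as a hint that you can choose to trust. Assumptions not taken from the thread: the query parameter "t", the $secret value, the list of own hosts (taken from the thread's example URLs), PHP 5.6+ for hash_equals(), hash_hmac() swapped in for md5($secret . $id), and the hypothetical helper image_is_public_in_db() mentioned in the usage note, which stands for the poster's existing DB query.

```php
<?php
// Added example for this thread, not code from any of the posters. It shows how
// getimg.php (the script behind the rewritten /images/3000/image.jpg URLs) can
// decide whether to skip the per-image database check. The query parameter "t",
// the $secret value and the hosts list are assumptions, not from the thread.

// Hosts that count as "my own site" for the Referer check (from the thread's URLs).
$own_hosts = array('www.mysite.com', 'mysite.com');

// Secret known only to the server, used to sign image ids embedded in your own
// pages. Load it from configuration outside the web root rather than a literal.
$secret = 'REPLACE-WITH-A-LONG-RANDOM-SECRET';

// Cheap, spoofable check: does the Referer header name one of our hosts?
// Returns false when the header is absent (browsers, proxies and privacy tools
// often strip it), so false means "unknown origin", not "hotlinked".
function referer_is_own_site(array $server, array $own_hosts)
{
    if (empty($server['HTTP_REFERER'])) {
        return false;
    }
    $host = parse_url($server['HTTP_REFERER'], PHP_URL_HOST);
    if (!is_string($host)) {
        return false;
    }
    // Compare the whole host, not a substring: a naive strpos() test would
    // accept "www.mysite.com.evil.example" or "evil.example/?www.mysite.com".
    return in_array(strtolower($host), $own_hosts, true);
}

// Token that the site's own pages embed in the image URL, e.g.
// /images/3000/image.jpg?t=<token>. This is wmadrid1's "secret + id" idea with
// hash_hmac() in place of md5($secret . $id): the value stays bound to the id,
// but does not rest on md5 and is not open to length extension.
function image_token($id, $secret)
{
    return hash_hmac('sha256', (string) $id, $secret);
}

// Verify a presented token. hash_equals() (PHP 5.6+) compares in constant time,
// so the comparison itself does not reveal how many leading characters matched.
function image_token_is_valid($id, $token, $secret)
{
    if (!is_string($token) || $token === '') {
        return false;
    }
    return hash_equals(image_token($id, $secret), $token);
}

// Decide whether the authoritative DB check can be skipped.
// A valid token proves our own server generated the link. The Referer alone is
// only a hint, so it is honoured only when $trust_referer is set; that is the
// trade-off the thread discusses (acceptable for low-value images, not otherwise).
function may_skip_db_check($id, array $server, array $query, $secret, array $own_hosts, $trust_referer = false)
{
    if (isset($query['t']) && image_token_is_valid($id, $query['t'], $secret)) {
        return true;
    }
    if ($trust_referer && referer_is_own_site($server, $own_hosts)) {
        return true;
    }
    return false;
}

// --- Demonstration with constructed request data (runs from the CLI) -----------
$id = 3000;
$good_token = image_token($id, $secret);

$cases = array(
    // description, constructed $_SERVER subset, constructed $_GET subset, trust_referer
    array('own page, signed link',        array('HTTP_REFERER' => 'http://www.mysite.com/gallery'),          array('id' => $id, 't' => $good_token), false),
    array('third party, plain link',      array('HTTP_REFERER' => 'http://other.example/page'),              array('id' => $id), false),
    array('no Referer, plain link',       array(),                                                            array('id' => $id), false),
    array('look-alike host, trusted',     array('HTTP_REFERER' => 'http://www.mysite.com.evil.example/'),    array('id' => $id), true),
    array('own page, no token, trusted',  array('HTTP_REFERER' => 'http://www.mysite.com/gallery'),          array('id' => $id), true),
    array('tampered token',               array(),                                                            array('id' => $id, 't' => 'not-a-valid-token'), false),
);

foreach ($cases as $c) {
    list($label, $server, $query, $trust) = $c;
    $skip = may_skip_db_check($id, $server, $query, $secret, $own_hosts, $trust);
    echo str_pad($label, 32), $skip ? 'skip DB check' : 'do DB check', PHP_EOL;
}
```

Inside getimg.php the decision reduces to: if may_skip_db_check((int) $_GET['id'], $_SERVER, $_GET, $secret, $own_hosts) is false, run the existing query (the hypothetical image_is_public_in_db()) and refuse the request when it fails; third-party embeds never carry the token, so they keep getting the full check, while your own pages embed image_token($id, $secret) and bypass it. For the token to reach the script, the mod_rewrite rule has to forward the query string, which the [QSA] flag does for a rule of the form RewriteRule ^images/(\d+)/image\.jpg$ /scripts/getimg.php?id=$1 [QSA,L] (the asker's actual rule is not shown in the thread).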
 
LVL 27

Expert Comment

by:yodercm
ID: 36488697
$_SERVER['HTTP_REFERER'] will work, but like anything else, can be faked.

How secure does this need to be?  It takes some knowledge and effort to fake these things, so are these images anything that someone knowledgeable enough would be willing to put in the effort to see?
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 36490034
Unless you are charging large amounts of money for each image, I would just 'do it' and not worry about it.
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 36490103
The referrer is one good check.  What I might do in addition is put a value into the $_SESSION array and set a corresponding cookie whenever any script in your site is accessed.  You can then test the cookie against the session and have some confidence that they match.  You can reduce the risk of cookie tampering with something like the design shown in this code snippet.  HTH, ~Ray
<?php // RAY_cookie_safety.php
error_reporting(E_ALL);

// DEMONSTRATE HOW TO ENCODE INFORMATION IN A COOKIE
// TO REDUCE THE RISK OF COOKIE TAMPERING

// A DATA DELIMITER
$dlm = '|';

// YOUR OWN SECRET CODE
$secret_code = 'MY SECRET';

// A DATA STRING THAT WE WANT TO STORE (MIGHT BE A DB KEY)
$cookie_value = 'MARY HAD A LITTLE LAMB';

// ENCODE THE DATA STRING TOGETHER WITH OUR SECRET
$cookie_code = md5($cookie_value . $secret_code);

// CONSTRUCT THE COOKIE STRING WITH THE CLEAR TEXT AND THE CODED STRING
$safe_cookie_value = $cookie_value . $dlm . $cookie_code;

// SET THE COOKIE LIKE "MARY HAD A LITTLE LAMB|cf783c37f18d007d23483b11759ec181"
setcookie('safe_cookie', $safe_cookie_value);

// WHEN STORED, THE COOKIE WILL BE URL-ENCODED SO IT WILL LOOK SOMETHING LIKE THIS ON THE BROWSER
// MARY+HAD+A+LITTLE+LAMB%7Ccf783c37f18d007d23483b11759ec181
// IT WILL BE URL-DECODED BEFORE IT IS PRESENTED TO PHP

// HOW TO TEST THE COOKIE
if (isset($_COOKIE["safe_cookie"]))
{
    // BREAK THE COOKIE VALUE APART AT THE DELIMITER
    $array = explode($dlm, $_COOKIE["safe_cookie"]);

    // ENCODE THE DATA STRING TOGETHER WITH OUR SECRET
    $cookie_test = md5($array[0] . $secret_code);

    // IF THE MD5 CODES DO NOT MATCH (OR THE CODE IS MISSING), THE COOKIE IS NO LONGER INTACT
    // STRICT (===) COMPARISON AVOIDS PHP'S LOOSE NUMERIC COMPARISON OF HEX STRINGS
    if (isset($array[1]) && $cookie_test === $array[1])
    {
        echo "<br/>THE COOKIE {$_COOKIE["safe_cookie"]} IS INTACT";
    }
    else
    {
        echo "<br/>THE COOKIE {$_COOKIE["safe_cookie"]} IS CORRUPT";
    }
}
else
{
    die('COOKIE IS SET - REFRESH THE BROWSER WINDOW NOW');
}

// MUNG THE COOKIE TO DEMONSTRATE WHAT HAPPENS WITH A CORRUPT COOKIE
$_COOKIE["safe_cookie"] = str_replace('MARY', 'FRED', $_COOKIE["safe_cookie"]);

// HOW TO TEST THE COOKIE
if (isset($_COOKIE["safe_cookie"]))
{
    // BREAK THE COOKIE VALUE APART AT THE DELIMITER
    $array = explode($dlm, $_COOKIE["safe_cookie"]);

    // ENCODE THE DATA STRING TOGETHER WITH OUR SECRET
    $cookie_test = md5($array[0] . $secret_code);

    // IF THE MD5 CODES DO NOT MATCH (OR THE CODE IS MISSING), THE COOKIE IS NO LONGER INTACT
    if (isset($array[1]) && $cookie_test === $array[1])
    {
        echo "<br/>THE COOKIE {$_COOKIE["safe_cookie"]} IS INTACT";
    }
    else
    {
        echo "<br/>THE COOKIE {$_COOKIE["safe_cookie"]} IS CORRUPT";
    }
}


 
LVL 108

Expert Comment

by:Ray Paseur
ID: 36525803
Let me know when you put that script online.  If all you're doing is checking the HTTP_REFERER I would love to come by and see what that graphic looks like.

The point here is that you will only impede or frustrate people who do not know how to use CURL.  The ones who know how to use CURL may be the ones who will steal your graphics.  If you want to post a new question here at EE about how to attack a script that checks HTTP_REFERER I will be glad to show you how ridiculously easy it is to initiate the attack.
