POST from another server
#1

[eluser]hendrik[/eluser]
I was under the impression that CI didn't allow the posting of data from forms that are located on other servers. But I just did it.

I use CI 1.7.2 and the Form Validation class. I use xss_clean on all POST variables, looking like this:

Code:
$this->form_validation->set_rules('email','Email','trim|valid_email|required|xss_clean');

Anybody got some ideas as how to stop people from creating forms and posting to a CI server?
#2

[eluser]rogierb[/eluser]
Take a look at the CSRF plugin @ http://ellislab.com/forums/viewthread/92399/
#3

[eluser]hendrik[/eluser]
Thanks for the link. Checked it out. Maybe I don't understand it correctly but I don't think it's applicable in our situation. Let me explain: we post all our data from a Flash app. So, we don't use any forms in html. We don't need a Flash crossdomain policy.

Does the CSRF plugin prevent users from creating a html form, sticking it on another server (or localhost) and posting data to our server? If it does, then how?

We don't use sessions or cookies in our app. Do we need to?
#4

[eluser]imaffett[/eluser]
You are going to have to write something yourself emulating an authenticated session. An easy way is to create a token that gets passed back and forth per request, but it might be easier to do per visit. Below is an example.

1) The server and flash app have a key that will be used by both for validating a hash (a random string that is the same one used all the time)

2) Users log in or authenticate against the server (or the flash app makes an initial request to the server). The server generates a random string and sends the string, along with a hash (like sha1($key.$string)), back to the flash app. The flash app will then submit those two with every request. The server will then verify that each request is valid by recreating the hash with the string passed back and the key stored on the server. If that equals the hash the flash app submitted, then it's valid.

3) Additionally, the flash app can verify the request is coming from the server by re-creating the hash and validating like the server does.

Ideally, you would regenerate this on every request. You can also look into some encrypt/decrypt libraries to take it one step further. Users can set up a proxy and capture all the data the flash app is sending, so just trying to minimize it is essential.
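The exchange described in this post, written out as an added example (not code from the thread or from CodeIgniter): the server mints a random string plus a keyed hash over it, the client echoes both with every request, the server recomputes and compares, and a fresh token comes back with each reply. Two substitutions from the post's sha1($key.$string): hash_hmac() is used for the keyed hash (a plain sha1 of key||string is open to length-extension forgery) and hash_equals() for the comparison (constant time). The "client" functions stand in for what the Flash app would do. The key value, the TOKEN_TTL, and the function names are all assumptions made for the example.

```php
<?php
// Added example (not from the thread): the keyed-hash token exchange from post #4,
// server side and client side. Assumptions: PHP 7.2+ CLI, a shared secret $KEY
// that both the server and the Flash client hold, a 10-minute token lifetime.
// hash_hmac()/hash_equals() replace the post's sha1($key.$string) comparison.

declare(strict_types=1);

const TOKEN_TTL = 600; // seconds a token stays valid before the client must refresh it

// --- server side -----------------------------------------------------------

/** Issue a fresh token: random nonce plus an HMAC over the nonce and issue time. */
function server_issue_token(string $key): array
{
    $nonce  = bin2hex(random_bytes(16));           // 128 bits from the CSPRNG
    $issued = time();
    $mac    = hash_hmac('sha256', $nonce . '|' . $issued, $key);
    return ['nonce' => $nonce, 'issued' => $issued, 'mac' => $mac];
}

/** True only if the token was minted with $key, is intact, and has not expired. */
function server_verify_token(string $key, array $token, ?int $now = null): bool
{
    $now = $now ?? time();
    foreach (['nonce', 'issued', 'mac'] as $field) {
        if (!isset($token[$field])) {
            return false;
        }
    }
    $issued = (int) $token['issued'];
    if ($now - $issued > TOKEN_TTL || $issued > $now) {
        return false; // expired, or a timestamp from the future
    }
    $expected = hash_hmac('sha256', $token['nonce'] . '|' . $issued, $key);
    // hash_equals() compares in constant time so the MAC cannot be learned byte by byte
    return hash_equals($expected, (string) $token['mac']);
}

/** Handle one POST: reject without a valid token, otherwise reply with a fresh one. */
function server_handle_post(string $key, array $post): array
{
    if (!server_verify_token($key, $post['token'] ?? [])) {
        return ['status' => 403, 'body' => 'invalid or expired token'];
    }
    return ['status' => 200, 'body' => 'ok', 'token' => server_issue_token($key)];
}

// --- client side (what the Flash app would do; step 3 of the post) ----------

/** The client checks the reply's token with the same key before trusting it. */
function client_check_server_token(string $key, array $token): bool
{
    return server_verify_token($key, $token);
}

// --- demo -------------------------------------------------------------------

function expect(bool $cond, string $what): void
{
    echo ($cond ? 'ok   ' : 'FAIL ') . $what, "\n";
    if (!$cond) { exit(1); }
}

$KEY = 'shared-secret-embedded-in-flash-and-server'; // assumed; use a long random value

// 1. initial request: the server issues a token and the client checks it came from the server
$token = server_issue_token($KEY);
expect(client_check_server_token($KEY, $token), 'client accepts server-issued token');

// 2. a POST carrying that token is accepted and receives a fresh token with the reply
$response = server_handle_post($KEY, ['email' => 'a@example.com', 'token' => $token]);
expect($response['status'] === 200, 'valid token accepted');
expect(isset($response['token']) && $response['token']['nonce'] !== $token['nonce'], 'fresh token issued');

// 3. a form on another server does not know the key, so it cannot mint a valid MAC
$forged = ['nonce' => bin2hex(random_bytes(16)), 'issued' => time(), 'mac' => str_repeat('0', 64)];
expect(server_handle_post($KEY, ['token' => $forged])['status'] === 403, 'forged token rejected');

// 4. altering any covered field invalidates the MAC
$tampered = $token;
$tampered['nonce'][0] = ($tampered['nonce'][0] === 'a') ? 'b' : 'a';
expect(server_handle_post($KEY, ['token' => $tampered])['status'] === 403, 'tampered token rejected');

// 5. tokens expire, which bounds how long a captured one can be replayed
expect(!server_verify_token($KEY, $token, time() + TOKEN_TTL + 1), 'stale token rejected');
```

Run with `php example.php`. Two limits worth keeping in mind: the key lives inside the Flash binary, so anyone who extracts it can mint tokens (the post's proxy remark applies), and because nothing is stored server-side a captured token can be replayed freely until it expires; binding the token to a session or making it single-use closes that second gap.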
#5

[eluser]BrianDHall[/eluser]
I get the feeling we may be misunderstanding what you are after, I'm not sure.

Why exactly is this a concern? Do you want to prevent people from sticking your app on their site? Do you want to ensure that your flash app, and only your flash app, is posting to your server? Are you hoping to patch some security hole doing this, or is there something of a leaching issue?

If I am getting the right idea of what you are after, you are likely best served by tokens. With tokens you generate a one-use token on the server which is handed to your flash app, and your flash app includes it with its POST request. If the POST does not include the token, or if it has already been used, then the request is denied.

People can beat this so don't assume anything is bulletproof (flash is a client, and the client cannot be trusted, ever - putting it inside flash is just really a layer of obfuscation), but it becomes increasingly hard to do so. You can make it harder by using a simple form of two-way encryption or SSL so that the token sent back and forth is coded - so they can't just forge a request to your server for a token and have it be usable. All they will have is a useless string of text, because the token will be invalid until decoded.

A person can always hack your flash app to expose its decoding method, but this is orders of difficulty harder than generating an off-site POST.
#6

[eluser]Colin Williams[/eluser]
You just need to store a hash on every form, then validate that hash when the form is submitted. That's the basic idea of CSRF. Don't know where Flash came into the discussion.
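The one-use token that posts #5 and #6 describe, as an added example (not from the thread, and not CodeIgniter's own library): the server mints a random token, remembers it, embeds it in the form (or hands it to the Flash app), and accepts a POST only if it carries a token that is known, unexpired and not yet used. The in-memory array standing in for the server-side store, the 30-minute lifetime, the field name csrf_token and the function names are assumptions made for the example; in a real app the store would be the session library, a database table or a cache.

```php
<?php
// Added example (not from the thread): one-use CSRF token from posts #5 and #6.
// Assumptions: PHP 7.4+ CLI; the array in OneTimeTokenStore stands in for the
// server's real store (session, database, cache); tokens live 30 minutes.

declare(strict_types=1);

final class OneTimeTokenStore
{
    private array $issued = [];   // token => issue timestamp
    private int $ttl;

    public function __construct(int $ttl = 1800) { $this->ttl = $ttl; }

    /** Mint a fresh unguessable token and remember it. */
    public function issue(?int $now = null): string
    {
        $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
        $this->issued[$token] = $now ?? time();
        return $token;
    }

    /** Accept a token exactly once: unknown, replayed or expired tokens are refused. */
    public function consume(?string $token, ?int $now = null): bool
    {
        if ($token === null || !isset($this->issued[$token])) {
            return false;
        }
        $fresh = (($now ?? time()) - $this->issued[$token]) <= $this->ttl;
        unset($this->issued[$token]); // burn it whether or not it was still fresh
        return $fresh;
    }
}

/** What the server puts in the form: a hidden field carrying the token (post #6's "hash on every form"). */
function render_form(string $token): string
{
    $escaped = htmlspecialchars($token, ENT_QUOTES, 'UTF-8');
    return "<form method=\"post\" action=\"/signup\">\n"
         . "  <input type=\"hidden\" name=\"csrf_token\" value=\"{$escaped}\">\n"
         . "  <input type=\"email\" name=\"email\">\n"
         . "</form>";
}

/** What the server does with a POST: check the token before touching any other field. */
function handle_post(OneTimeTokenStore $store, array $post): int
{
    if (!$store->consume($post['csrf_token'] ?? null)) {
        return 403; // missing, forged, replayed or stale token
    }
    // ... run the Form Validation rules and process $post['email'] here ...
    return 200;
}

function expect(bool $cond, string $what): void
{
    echo ($cond ? 'ok   ' : 'FAIL ') . $what, "\n";
    if (!$cond) { exit(1); }
}

$store = new OneTimeTokenStore();

// The real form: token minted on GET, embedded in the page, returned with the POST.
$token = $store->issue();
echo render_form($token), "\n";
expect(handle_post($store, ['csrf_token' => $token, 'email' => 'a@example.com']) === 200, 'first use accepted');

// A replay of the same token (or a double submit) is refused.
expect(handle_post($store, ['csrf_token' => $token, 'email' => 'a@example.com']) === 403, 'second use refused');

// A form hosted on another server has no token and can only guess one.
expect(handle_post($store, ['email' => 'x@example.com']) === 403, 'POST without token refused');
expect(handle_post($store, ['csrf_token' => bin2hex(random_bytes(32))]) === 403, 'guessed token refused');

// A token that sat unused past its lifetime is refused and discarded.
$old = $store->issue(time() - 3600);
expect($store->consume($old) === false, 'stale token refused');
```

Run with `php example.php`. As written the store is keyed only by the token, so whoever holds a valid token can spend it once; tying each token to the session or user that requested it (the usual CSRF design, and the reason post #3's "do we need sessions?" matters) stops a token issued to one visitor from being used by another.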
#7

[eluser]hendrik[/eluser]
Thanks @BrianDHall, I think I understand it now and will use a hash.

@Colin, Flash is the original app posting to the server. That's where it came into discussion.
