views:

186

answers:

6

I have a site that is using frames. Is it still possible from the browser for someone to craft post data for one of the frames using the address bar? 2 of the frames are static and the other frame has php pages that communicate using post. And it doesn't appear to be possible but I wanted to be sure.

A: 

Maybe not from the browser, but they can still catch the request (tinker with it) and forward it to the provided destination, with a tool like burp proxy.

Mr-sk
+1  A: 

POST data can not be added in the address bar.

You should always check & sanitize all data you get in your PHP code, because anyone could post data to all of your pages.

Don't trust data from outside of your page. Clean it & check it.

Jimmy Shelter
A: 

To answer your question: No, it is not possible to send post data using the address bar.

BUT it is possible to send post data to any url in a snap. For example using cURL, or a Firefox extension. So be sure to verify and sanitize all the data you receive no matter if POST or GET or UPDATE or whatever.

This is not iFrame or php specific, so it should be considered in every web application. Never ever rely on data sent by anyone being correct, valid or secure - especially when sent by users.

Nils Riedemann
+3  A: 

Any data in the $_REQUEST array should be considered equally armed and dangerous regardless of the source and/or environment. This includes $_GET, $_POST, and $_COOKIE.

Mike B
+3  A: 

No, it is not possible to POST data from the address bar. You can only initiate GET requests from there by adding params to the URL. The POST Body cannot be attached this way.

Regardless of this, it is very much possible to send POST requests to your webserver for the pages in a frame. HTTP is just the protocol with which your browser and webserver talk to each other. HTTP knows nothing about frames or HTML. The page in the frame has a URI, just like any other page. When you click a link, your browser asks the server if it has something for that URI. The server will check if it has something for that URI and respond accordingly. It does not know what it will return though.

With tools like TamperData for Firefox or Fiddler for IE anyone can tinker with HTTP requests sent to your server easily.

Gordon
I like your answer best but it doesn't quite answer it completely. The pages are for an intranet so I'm not so much worried about users having tools beyond the address bar. What I wanted to avoid was a situation where they could do something in the address bar like view_form?id=5 and bring up that page without going through the form that gets to the view_form.php page
controlfreak123
It sounds like you are unconvinced that you need to validate your inputs. Just realize that at some point, someone is going to get an idea to mess around with your form, and you are going to look very bad.
notJim
No, the inputs are validated in the php application. What I don't want is joe blow user to type get data into the address bar of the url and try to sneak at something they shouldn't. With frames you can't see what page the frame has in it from the address bar
controlfreak123
@controlfreak123: right click a frame and pick "Show Page Information" or whatever that is called in an English browser and it will tell you the URL. There is absolutely no way to prevent users from finding out your URLs. If they can display the page in their browser, they can find the page's URL. And if they can find the URL, they can tinker with the request.
Gordon
@controlfreak123: if you are concerned about users looking at pages they should not have access to, implement an Access Control List (ACL) into your application or protect those pages with BasicAccess authentication.
Gordon
The problem is not that they shouldn't have access to them. But I want the access to be only from the main page of the site using the frames so that they cannot manually type get data into the address bar and snoop around. I asked another question http://stackoverflow.com/questions/2016173/restrict-access-to-page-to-only-be-allowed-from-a-certain-page that addresses it a little better I think
controlfreak123
I think most of the people addressing this issue are missing the point of my question. The users are going to already be authenticated and it's on a non-internet accessible network so I'm not worried about outsiders tampering. I just want to make it so that users can't snoop using what they have. Which is just the address bar
controlfreak123
A: 

Yes, they absolutely can, with tools like Firebug, and apparently more specialized tools like the ones listed by Gordon. Additionally, even if they couldn't do it in the browser from your site, they could always create their own form, or submit the post data through scripting or commandline tools.

You absolutely cannot rely on the client for security.

notJim
As I commented on the answer below, the users are on an intranet using IE without any of the tools you guys are referring to. Hence limiting the question to THE ADDRESS BAR ONLY
controlfreak123
It is entirely trivial to build a simple html form that submits to your site whatever the user wants. All they need is a text editor.
notJim
How would they get apache to serve their form if they can't upload it to the server?
controlfreak123
Apache doesn't need to serve the form, it only responds to it. They can just do `<form action="http://controlfreak123.bla/response.php"><input type="hidden" value="malice" name="controlfreaks_element_name" /></form>`, and then submit the form. They can just save it on their desktop and open it using their web browser. You're probably using sessions, but that's easy to get around too with scripting tools. (E.g., by sending a cookie header with their session ID in it after getting a valid session id)
notJim
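What the answers from Mike B, Gordon and notJim all come down to is that the page behind `view_form?id=5` has to protect itself, since any caller can reach its URL directly. The following is an added example (not code from any poster here) of how such a PHP page can do that: it assumes a session-based login has already stored `user_id` and `role` in `$_SESSION`, and the ACL helper `user_may_view()` with its constructed owner table is hypothetical.

```php
<?php
// Added example, not from the original thread. Assumes a session-based login has
// already put user_id and role into $_SESSION; user_may_view() is a hypothetical
// stand-in for the application's own ACL lookup.
declare(strict_types=1);

session_start();

// 1. Authentication: the page is reachable by URL whether or not it is shown in a
//    frame, so the script itself must refuse anonymous callers.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Not logged in');
}

// 2. Input validation: treat $_GET, $_POST and $_COOKIE alike. Accept only a
//    positive integer for id and reject anything else rather than "cleaning" it.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid id');
}

// 3. Authorization (the ACL Gordon suggests): decide on the server whether this
//    user may see record $id. $_SERVER['HTTP_REFERER'] is not a substitute: it is
//    supplied by the client and a form saved on a desktop will not carry it.
function user_may_view(int $userId, string $role, int $recordId): bool
{
    // Hypothetical rule: admins see every record, other users only their own.
    // Constructed sample data: record id => owner's user id. A real application
    // would look the owner up in its database instead.
    $ownerOf = [5 => 42, 6 => 99];
    if ($role === 'admin') {
        return true;
    }
    return isset($ownerOf[$recordId]) && $ownerOf[$recordId] === $userId;
}

$userId = (int) $_SESSION['user_id'];
$role   = (string) ($_SESSION['role'] ?? 'user');
if (!user_may_view($userId, $role, $id)) {
    http_response_code(403);
    exit('Not allowed');
}

// 4. Only now render the record, escaping on output as well.
echo 'Viewing record ' . htmlspecialchars((string) $id, ENT_QUOTES, 'UTF-8');
```

With this in place it no longer matters whether the request came from the frame's form, the address bar, or a hand-written form: a user who is not allowed to see record 5 gets a 403 either way.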