Spoofed Form Submissions

表单提交欺骗

In order to appreciate the necessity of data filtering, consider the following form located (hypothetically speaking) at http://example.org/form.html:

为了说明数据过滤得必要性,请看下面的这个位于(假设)http://example.org/form.html 的表单:

1
2
3
4
5
6
7
<form action="/process.php" method="post">
<select name="color">
  <option value="red">red</option>
  <option value="green">green</option>
  <option value="blue">blue</option>
</select>
<input type="submit" />

Imagine a potential attacker who saves this HTML and modifies it as follows:

设想有一个潜在的黑客,他保存了这段 HTML 代码并且修改成这个样子:

1
2
3
4
<form action="http://example.org/process.php" method="post">
<input type="text" name="color" />
<input type="submit" />
</form>

This new form can now be located anywhere (a Web server is not even necessary, since it only needs to be readable by a Web browser), and the form can be manipulated as desired. The absolute URL used in the action attribute causes the POST request to be sent to the same place.

你可以把这个全新的表单放到任何地方(甚至都不需要 Web 服务器,只需要能够能够让浏览器读取到就行了),现在这个表单可以随意伪造了。在 action 属性里使用绝对 URL 可以让 POST 请求发送到相同的地方去。

This makes it very easy to eliminate any client-side restrictions, whether HTML form restrictions or client-side scripts intended to perform some rudimentary data filtering. In this particular example, $_POST['color'] is not necessarily red, green, or blue. With a very simple procedure, any user can create a convenient form that can be used to submit any data to the URL that processes the form.

我们原本预期不管是 HTML 表格本身限制还是客户端脚本能够做一些起码的数据过滤,但是这样做可以非常容易的躲避客户端的限制。在这个特定的例子里,
$_POST['color'] 就不限制于 redgreenblue 这三个取值了。通过这样一个小手段,任何人都能创建一个简单的表单,而这个表单可以向处理原来的表单的 URL 提交任何数据。