One of the most common attacks on web applications is form spoofing. It happens when a malicious user submits a form repeatedly from an unmapped site, that is, from somewhere other than the page that actually serves the form. This makes it possible to bring down a server, since a high number of simultaneous requests can, at any given moment, prevent it from operating.

The word "spoof" originated with a British comedian named Arthur Roberts (1852-1933), who invented a game called Spoof involving "artifice" and "absurdity". The word spoof was first recorded in 1889, also with the meaning of "deceive". Those senses are now less widely used than "parody" or "satirical imitation", first recorded in 1958, and "to satirize gently", first recorded in 1927.

Spoofing attacks can happen in any type of web application or site. Therefore, forms should apply a number of practices that protect against this kind of attack.

The first preventive measure against spoofing attacks is the use of session validators. The so-called captchas protect the posting form by forcing the user to solve a challenge before the information is actually persisted in the database.

Simpler robots, those responsible for automatic postings, cannot solve complex logical problems. Thus, implementing a simple captcha would already solve the problem if there were no more intelligent robots. Some robots are capable of more than solving such challenges, but their acquisition and production cost does not pay off for users who have no clear goal.

In PHP, you can also implement a per-session control in which a token validates that the post comes from the same user session logged into the system, as shown in the example below:

    session_start();

    if (isset($_POST['token'])) {
        // Compare the submitted token with the session copy in constant time
        if (isset($_SESSION['token']) && hash_equals($_SESSION['token'], $_POST['token'])) {
            // valid post
        }
    } else {
        // Generate an unpredictable token (md5(time()) can be guessed) and keep it in the session
        $_SESSION['token'] = bin2hex(random_bytes(32));
        // add the token in a hidden input
    }

With a single block validating each step of the session, you can ensure that the spoofing attack is not completed.
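The same token check carried through a complete form, as an added example written for this edit rather than code from the original post. It assumes a single script named form.php that both renders the form and handles the POST, and a field called comment; both names are placeholders.

```php
<?php
// Added example: token-protected form handling in one script (assumed name: form.php).
declare(strict_types=1);
session_start();

// Issue a fresh, unpredictable token for this session if none exists yet.
function csrf_token(): string
{
    if (empty($_SESSION['token'])) {
        // 64 hex characters from a CSPRNG; unlike md5(time()) it cannot be guessed
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

// Validate a submitted token: must be a string and equal to the session copy in constant time.
function csrf_valid(mixed $submitted): bool
{
    if (!is_string($submitted) || empty($_SESSION['token'])) {
        return false; // missing, non-string (e.g. token[]=x) or no token issued yet
    }
    return hash_equals($_SESSION['token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['token'] ?? null)) {
        http_response_code(403); // the post did not originate from a form we served to this session
        error_log('spoofed form post rejected from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        exit('Invalid form submission.');
    }
    unset($_SESSION['token']); // one-time use: replaying the same token is rejected next time
    // ... persist $_POST['comment'] to the database here ...
    exit('Saved.');
}

$token = csrf_token();
?>
<form method="post" action="form.php">
  <input type="hidden" name="token" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <textarea name="comment"></textarea>
  <button type="submit">Post</button>
</form>
```

Each rejected post is also written to the error log, so repeated 403s from one address are visible to whoever monitors the server.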

In conclusion, good security practices applied to the code make for a much safer application, and thus more quality and a longer useful life for the system.


October 7, 2015
