douxun3496 2014-08-05 03:05
Views: 51
Accepted

An attacker can bypass an Ajax form with JavaScript turned off

I have a form on my website with all the validation done in jQuery and PHP, and sanitizing of the user's information done by PHP. A quick question came to my mind.

Can an attacker (hacker) bypass an Ajax form with JavaScript switched off?

Here is the HTML:

<form action="" method="post" id="form-contact-us" enctype="multipart/form-data">
<input type="hidden" id="action" name="action" value="contact">
<input type="text" class="hide" value="" name="challenge" id="challenge">
<div class="col-md-6 mt-10">
    <label>Your Full Name&nbsp;<span class="required">*</span></label>
    <input type="text" class="form-control" id="name" name="name" placeholder="Your Full Name">
</div>
<div class="col-md-6 mt-10">
    <label>Your Email Address&nbsp;<span class="required">*</span></label>
    <input type="text" class="form-control" id="email" name="email" placeholder="Your Email Address">
</div>
<div class="col-md-6 mt-10">
    <label>Phone Contact</label>
    <input type="text" class="form-control" id="phone" name="phone" placeholder="Phone Contact">
</div>
<div class="col-md-6 mt-10">&nbsp;</div>
<div class="col-md-6 band mt-10">
    <label for="firstname">Your Message&nbsp;<span class="required">*</span></label>
    <textarea class="form-control" rows="3" id="message" name="message"></textarea>
</div>
<div class="btn-group band">
    <span id="loader"></span>
  <button type="submit" class="btn btn-primary pull-right" style="margin-right: 14px; border-radius: 0px;">SEND <span class="glyphicon glyphicon-chevron-right"></span></button>
</div>
</form>

JavaScript

// mask2, mask4 and mask5 are regular expressions (name, phone and e-mail patterns)
// defined elsewhere in the page script; div#msg is the message box, also not shown above.
$("form#form-contact-us").on("submit", function (){
    var form, challenge, name, email, phone, message;
    form = $("form#form-contact-us").serialize();
    challenge = $("#challenge").val();
    name = $("form#form-contact-us #name").val();
    email = $("form#form-contact-us #email").val();
    phone = $("form#form-contact-us #phone").val();
    message = $("form#form-contact-us #message").val();

    challenge = $.trim(challenge);
    name = $.trim(name);
    email = $.trim(email);
    phone = $.trim(phone);
    message = $.trim(message);

    $("div#msg").removeClass("alert alert-danger alert-success").html("");

    if( challenge.length > 0 ){
        // Hidden honeypot field was filled in: silently drop the submission.
        return false;
    } else if( !name || !email || !message ){
        $("div#msg").fadeIn("fast").addClass("alert alert-danger").html("All the fields marked with * are required.");
    } else if( !mask2.test(name) ){
        $("div#msg").fadeIn("fast").addClass("alert alert-danger").html("Your full name format is invalid.");
    } else if( !mask5.test(email) ){
        $("div#msg").fadeIn("fast").addClass("alert alert-danger").html("Your email address format is invalid.");
    } else if( name.length < 3 ){
        $("div#msg").fadeIn("fast").addClass("alert alert-danger").html("Your full name cannot be less than 3 letters.");
    } else if( email.length < 5 ){
        $("div#msg").fadeIn("fast").addClass("alert alert-danger").html("Your email address cannot be less than 5 letters.");
    } else if( phone != "" && (!mask4.test(phone) || phone.length < 7 || phone.length > 11) ){
        // Phone is optional: only validate it when something was entered.
        $("div#msg").fadeIn("fast").addClass("alert alert-danger").html("Please enter your phone number.");
    } else if( message.length < 5 ){
        $("div#msg").fadeIn("fast").addClass("alert alert-danger").html("Your message cannot be less than 5 letters.");
    } else {
        $("#form-contact-us .btn-primary").text("Please Wait...").prop('disabled', true);
        $("#form-contact-us .btn-primary").addClass("disabled");
        jQuery.ajax({
            type:"POST",
            url: "/wp-admin/admin-ajax.php",
            data: form,
            success:function(data){
                // The server replies with "code | message".
                var parts = data.split("|");
                var code = $.trim(parts[0]);
                var msg = $.trim(parts[1]);
                if( code == 1 ){
                    $("div#msg").fadeIn("fast").addClass("alert alert-success").html(msg);
                    $("#form-contact-us").fadeOut("fast");
                } else {
                    $("div#msg").fadeIn("fast").addClass("alert alert-danger").html(msg);
                    // Restore the button label (it contains markup, so use .html) and re-enable it for another try.
                    $("#form-contact-us .btn-primary").html("SEND <span class=\"glyphicon glyphicon-chevron-right\"></span>").prop('disabled', false);
                }
                $("#form-contact-us #loader").html("");
                $("#form-contact-us .btn-primary").removeClass("disabled");
            }
        });
    }
    return false;
});

PHP

// is_email(), sanitize_text_field() and esc_html() are WordPress functions;
// check_for_spam() and remove_html() are this site's own helpers, not shown here.
function contact(){
    if($_SERVER["REQUEST_METHOD"] == "POST"){
        // The hidden honeypot field must be present and empty.
        if(isset($_POST["challenge"]) && trim($_POST["challenge"]) == ""){
            $name = $_POST["name"];
            $email = $_POST["email"];
            $phone = $_POST["phone"];
            $message = $_POST["message"];

            $name = trim($name);
            $email = trim($email);
            $phone = trim($phone);
            $message = trim($message);

            // Phone is optional (no * in the form), so it is not part of the required check.
            if( empty($name) or empty($email) or empty($message)){
                die("0 | All the fields marked with * are required.");
            } else if ( !preg_match('/^[a-zA-Z ]+$/', $name)){
                die("0 | Your full name format is invalid.");
            } else if ( strlen($name) < 3 ){
                die("0 | Your full name cannot be less than 3 letters.");
            } else if ( !is_email($email) ){
                die("0 | Your email address format is invalid.");
            } else if ( strlen($email) < 5 ){
                die("0 | Your email address cannot be less than 5 letters.");
            } else if ( !empty($phone) && (strlen($phone) < 7 || strlen($phone) > 11) ){
                die("0 | Please enter your phone number.");
            } else if ( strlen($message) < 5 ){
                die("0 | Your message cannot be less than 5 letters.");
            } else if ( check_for_spam($name) > 0 ){
                die("0 | Please remove any links from your full name.");
            } else if ( check_for_spam($phone) > 0 ){
                die("0 | Please remove any links from your phone number.");
            } else if ( check_for_spam($message) > 0 ){
                die("0 | Please remove any links from your message.");
            } else {
                $name = sanitize_text_field($name);
                $email = sanitize_text_field($email);
                $phone = sanitize_text_field($phone);
                $message = sanitize_text_field($message);

                $name = remove_html($name);
                $email = remove_html($email);
                $phone = remove_html($phone);
                $message = remove_html($message);

                $name = esc_html($name);
                $email = esc_html($email);
                $phone = esc_html($phone);
                $message = esc_html($message);

                /* All Good: send the message here (not shown in the question),
                   then reply with code 1, which the jQuery success handler expects. */
                die("1 | Thank you, your message has been sent.");
            }
        }
    }
}

// Register the handler for action=contact on admin-ajax.php, for logged-out and logged-in visitors.
add_action('wp_ajax_nopriv_contact', 'contact');
add_action('wp_ajax_contact', 'contact');

1 answer

  • dongxie3352 2014-08-05 03:15

    An attacker can send a form without using the HTML you provide him. In your case, your form is using the POST method.

    POST /code.php
    
    action    => contact
    challenge => 
    name      => a_name
    email     => an_email
    phone     => a_phone
    message   => a_message
    

    If challenge is a security token or something generated by a JavaScript function, the attacker can of course emulate this function, get this challenge and submit the form.

    This answer was chosen by the asker as the best answer.
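The answer's point is that the request, not the form, is what reaches the server, so every check has to run there regardless of what the jQuery branch did. As an added example (not code from the question or the answer), here is a small Node.js re-implementation of the server-side rules in the asker's PHP, fed with constructed raw application/x-www-form-urlencoded bodies: one that the real form would send, one typed by hand in the shape the answer shows, and two honeypot variants. The regular expressions standing in for is_email(), mask4 and check_for_spam(), and the reply strings, are assumptions.

```javascript
// Added example: server-side re-validation of a contact form POST in Node.js.
// Not the question's PHP; it mirrors those rules so the bodies below can be run offline.
const NAME_RE = /^[a-zA-Z ]+$/;               // same pattern as the page's PHP
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/; // assumed stand-in for WordPress is_email()
const PHONE_RE = /^\+?[0-9]{7,11}$/;          // assumed stand-in for mask4 plus the 7..11 length rule
const LINK_RE = /https?:\/\/|www\./i;         // assumed stand-in for check_for_spam()

// Parse a raw application/x-www-form-urlencoded body, the format a browser form
// POST or a hand-written HTTP request uses; '+' and %XX sequences are decoded.
function parseFormBody(rawBody) {
  const fields = {};
  for (const [key, value] of new URLSearchParams(rawBody)) {
    fields[key] = value.trim();
  }
  return fields;
}

function reject(error) {
  return { ok: false, error: error };
}

// Validate a parsed submission. Returns {ok: true} or {ok: false, error}.
// Nothing here assumes the browser-side jQuery checks ever ran.
function validateContact(fields) {
  if (!("challenge" in fields)) {
    return reject("Honeypot field is missing.");
  }
  const name = fields.name || "";
  const email = fields.email || "";
  const phone = fields.phone || "";
  const message = fields.message || "";

  if (fields.challenge !== "") return reject("Honeypot field was filled in.");
  if (!name || !email || !message) return reject("All the fields marked with * are required.");
  if (!NAME_RE.test(name)) return reject("Your full name format is invalid.");
  if (name.length < 3) return reject("Your full name cannot be less than 3 letters.");
  if (!EMAIL_RE.test(email)) return reject("Your email address format is invalid.");
  // Phone is optional: validate it only when something was entered.
  if (phone !== "" && !PHONE_RE.test(phone)) return reject("Please enter a valid phone number.");
  if (message.length < 5) return reject("Your message cannot be less than 5 letters.");
  if (LINK_RE.test(name) || LINK_RE.test(phone) || LINK_RE.test(message)) {
    return reject("Links are not allowed.");
  }
  return { ok: true };
}

// Handle a raw request body end to end and return the "code | message" string
// that the page's jQuery success handler splits on.
function handleContactPost(rawBody) {
  const result = validateContact(parseFormBody(rawBody));
  return result.ok ? "1 | Thank you, your message has been sent." : "0 | " + result.error;
}

// Constructed sample bodies (not captured traffic).
const SAMPLES = {
  fromBrowser: "action=contact&challenge=&name=Jane+Doe&email=jane%40example.com&phone=&message=Hello+there",
  handCrafted: "action=contact&challenge=&name=a_name&email=an_email&phone=a_phone&message=a_message",
  botFilledHoneypot: "action=contact&challenge=xyz&name=Jane+Doe&email=jane%40example.com&message=Hello+there",
  noChallengeField: "action=contact&name=Jane+Doe&email=jane%40example.com&message=Hello+there",
  linkInMessage: "action=contact&challenge=&name=Jane+Doe&email=jane%40example.com&message=See+http%3A%2F%2Fexample.com",
};

if (typeof require !== "undefined" && require.main === module) {
  for (const [label, body] of Object.entries(SAMPLES)) {
    console.log(label.padEnd(18), "->", handleContactPost(body));
  }
}
```

The honeypot check stays in, but as the answer notes it is only a speed bump: any client that has read the form can send the empty field, so it filters careless bots, not a deliberate sender. The defence that matters is that the server applies every rule itself and never treats a request as pre-validated because it looks like it came from the form.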
