Question

I tried to look through SO for a similar question but I couldn't find one; I also searched the web with my best effort. Sorry if it's a silly/duplicate question.

The focus of my question is:

If I have a form with an unencoded password in it, is it "safe" to pass the form back to [self], i.e. <form action="">?

EDIT: I would like to focus on security regarding third parties, assuming the user himself is NOT the hacker.

This is a broad question, so I would like to narrow it down to:

  1. Does the server handle a form submitted to self as an internal-forward thing, or does it actually treat it as a normal server-to-server HTTP call?

  2. Is it possible to somehow intercept the form submit and extract the password from this action (including things like tapping the connection between server and client)?

If anyone knows any potential security problem in general for [submit to self], feel free to leave it as an answer so that future SO users might benefit from it. Thanks.

Solution

The only thing safe regarding submitting data to a web page is to never trust the user's input.

Now regarding your 2 questions:

  1. Submitting the form will be handled as a regular request, albeit probably a POST request.
  2. Internet traffic can be captured, so if you're sending password data over the internet you'd better make sure it's over HTTPS.

Using a developer tool like Mozilla's Firebug it's pretty easy to change all the data that is submitted through the form. You don't even have to use your web page; one can easily spoof a POST request to your page by using a tool like Telnet.

So I'd say it doesn't really matter what the action of the form is; use HTTPS if possible and always validate the input...

OTHER TIPS

Whether you submit your form to the same page or not has no security implications. There are many other things you can/should do to secure your forms. Submitting-to-self is irrelevant. It could however pose a UX annoyance. Have you ever tried refreshing a page only to have the browser try to resubmit the form?

  1. Not a redirect. Normal POST. However, to mitigate this UX annoyance I mentioned, you would redirect to the same page after doing whatever you need to do with the data.

  2. It depends on many things other than whether the form submits to itself or not, starting with whether your form is on a secure (HTTPS) server.

I was just searching for these types of posts. Yeah..

As far as I know, this is not a valid approach; an attacker can change the methods to download the content, like he can use the parameters from POST to GET. We actually have tools like Tamper Data, which is an add-on to the Firefox browser. We can post the data or tamper with the data in the form submit. You can add this add-on to your browser and check that the data can be modified by clicking Tamper before submitting the form. You can also check out the online HTTP tampers, Tamper Data, and modifying live headers to change your data. This may also result in SQL injection. Correct me if I'm wrong. :) Cheers.

After many updates:

The action="" is the same as action="somefile" in the sense of security. So there is nothing wrong with action="", and as far as I know most websites treat forms like that. The most popular solution is to:

  • First check with PHP if there is any POST data
  • Check if this data is OK (safety, server-side verification)
  • Do something with the data (save to database, mail to someone)
  • Render the form with action="".

A quick example:

<?php
   $name = '';
   if (isset($_POST['name'])) {
      $name = $_POST['name'];
      if (ctype_alpha(str_replace(' ', '', $name)) !== false) { // verify data
          // in that case the name consists only of letters and spaces, it is ok.
          // do something with data here, for example save to database
          header('Location: successfile'); // Remove post data after all
          exit; // stop here so the form below is not rendered after the redirect
      }
   }

   // render form
   $name = htmlspecialchars($name); // if name was in POST, here it is!
   echo '<form action="" method="post">';
       echo '<label for="name">Name</label>';
       echo '<input id="name" name="name" type="text" value="'.$name.'" />';
   echo '</form>';
?>

In that case one file is doing two jobs: it checks for data and does something with it, and it renders the form.

Please remember that the form can be rendered using the "partial" data from the submit (POST). So for example if someone enters his name with special characters, while you need a name with only letters and spaces, the data is not lost. You can render the form, and in the name input's value you can put the wrongly posted data. So the form "remembers" what was filled in and what was not.

Hope it helps.
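The following is an added example that is not part of any answer above; it puts together the points the accepted answer and the last answer make: a form with action="" is just an ordinary POST request, so the server must validate everything itself, a password should only be accepted over HTTPS, the form is re-rendered with escaped "sticky" values when validation fails, and a successful POST ends in a redirect (Post/Redirect/Get) so a browser refresh does not resubmit. It assumes PHP 7.4+; the field names, the 12-character password rule and the flash message are made up for the example.

```php
<?php
// Added example (not code from the answers above): a self-submitting form
// that validates server side, only accepts a password over HTTPS, re-renders
// with escaped sticky values on error, and redirects (PRG) on success.
// Assumes PHP 7.4+; field names and rules are made up for the example.
declare(strict_types=1);

session_start();

/** True when the request arrived over TLS directly at this server. */
function isHttps(array $server): bool
{
    // Behind a TLS-terminating reverse proxy $_SERVER['HTTPS'] may be unset;
    // in that setup the proxy's forwarded header must be checked instead.
    return !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
}

/** Returns error messages keyed by field name; empty array means valid. */
function validateForm(array $post): array
{
    $errors = [];

    $name = (string)($post['name'] ?? '');
    // Letters and spaces only (the rule from the last answer), 1 to 80 chars.
    if (!preg_match('/^[A-Za-z][A-Za-z ]{0,79}\z/', $name)) {
        $errors['name'] = 'Name must be 1 to 80 letters and spaces.';
    }

    $password = (string)($post['password'] ?? '');
    if (strlen($password) < 12) { // made-up minimum length for the example
        $errors['password'] = 'Password must be at least 12 characters.';
    }

    return $errors;
}

/** HTML-escape a value for use in an attribute or element body. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$errors = [];
$values = ['name' => '']; // the password is deliberately never echoed back

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $values['name'] = (string)($_POST['name'] ?? '');

    if (!isHttps($_SERVER)) {
        $errors['form'] = 'Passwords are only accepted over HTTPS.';
    } else {
        $errors = validateForm($_POST);
    }

    if ($errors === []) {
        // Process the data here: store only a hash, never the password itself.
        $hash = password_hash((string)$_POST['password'], PASSWORD_DEFAULT);
        // e.g. $db->insert(['name' => $values['name'], 'hash' => $hash]);

        // Redirect (303) to the same URL so a browser refresh issues a GET.
        $_SESSION['flash'] = 'Thanks, ' . $values['name'] . '!';
        header('Location: ' . $_SERVER['REQUEST_URI'], true, 303);
        exit; // nothing after the redirect header should run
    }
}

$flash = $_SESSION['flash'] ?? null; // message left by a successful POST
unset($_SESSION['flash']);
?>
<!DOCTYPE html>
<html lang="en">
<head><meta charset="utf-8"><title>Self-submitting form</title></head>
<body>
<?php if ($flash !== null): ?>
  <p><?= e($flash) ?></p>
<?php endif; ?>
<?php if (isset($errors['form'])): ?>
  <p><?= e($errors['form']) ?></p>
<?php endif; ?>

<!-- action="" posts to this same URL; it is an ordinary HTTP request, not an internal forward. -->
<form action="" method="post">
  <label for="name">Name</label>
  <input id="name" name="name" type="text" value="<?= e($values['name']) ?>">
  <?php if (isset($errors['name'])): ?><span><?= e($errors['name']) ?></span><?php endif; ?>

  <label for="password">Password</label>
  <input id="password" name="password" type="password" value="">
  <?php if (isset($errors['password'])): ?><span><?= e($errors['password']) ?></span><?php endif; ?>

  <button type="submit">Send</button>
</form>
</body>
</html>
```

Save it as a single file and serve it over HTTPS; a submit with a short password or a name containing digits comes back to the same page with the name still filled in and the error shown, while a valid submit is answered with a 303 to the same URL, after which refreshing the page only repeats the GET. The `exit` after `header()` matters: without it PHP would keep running and render the form into the redirect response.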

Licensed under: CC-BY-SA with attribution