Reputation: 3920
I'm using multiple services to accept mobile payments for stuff like virtual currency.
Many companies will include an MD5 signature in the POST or GET callback which I can calculate to verify that the request is authentic and then reward the user with the purchased credits.
This method is very secure as it's nearly impossible to guess the signature.
Other companies will not provide a signature and just tell me to check if the call is from their server IP like the following code:
    <?php
    if(!in_array($_SERVER['REMOTE_ADDR'],array('xxx.xx.x.xx'))) {
        header('HTTP/1.0 403 Forbidden');
        die('Error: Unknown IP');
    }
    ?>
Is this IP check secure enough? Isn't it now very easy to spoof an IP address and make a GET or a POST request using that IP?
Upvotes: 2
Views: 94
Reputation: 165201
The other answers are incorrect. So I'll write my own.
With the exception of exceedingly rare situations, REMOTE_ADDR is 100% trustworthy. It comes from the TCP connection to the server, so it's practically impossible to forge without actually compromising something on the network (like the router the IP belongs to) or without having your server misconfigured (severely, Apache doesn't even let you misconfigure it like that).
So, there are two questions that I can see:
Yes.
If the REMOTE_ADDR variable in PHP indicates the request came from their server, then it came from their server.
If you're using a remote proxy, then X-HTTP-FORWARDED-FOR is not to be trusted. That's where you can get into problems if you're not careful.
NO!!!
It's a lot easier to forge an MD5 signature than it is to forge an IP address (which requires you to breach specific network hardware). And if the attacker breaches the network hardware, the game is over anyway.
The best solution is threefold:
1. Use HTTPS with Certificate Pinning
   On your app, store the public key of their server. Then force the peer verification to use that certificate. That means that an attacker would need to steal the certificate of the remote server to be able to connect.
2. Verify IP Addresses
   Using REMOTE_ADDR
3. Sign requests using HMAC+SHA2
   Use HMAC with SHA-256 or SHA-512.
But yes, the IP check alone is quite secure.
To go deeper, we'd need to go into what types of attacks you're defending from.
Upvotes: 4
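An added example, not part of the answer above or of any provider's code: a callback check that combines the REMOTE_ADDR allowlist with an HMAC-SHA256 signature, as the answer recommends. The IP address, secret, the `sig` field name and the canonicalization (parameters sorted by key, then URL-encoded) are assumptions made for illustration; a real provider defines its own signing scheme.

```php
<?php
// Added example: all values below are constructed placeholders.
const ALLOWED_IPS   = ['203.0.113.10'];            // provider callback IPs (documentation range)
const SHARED_SECRET = 'replace-with-provider-secret';
const SIG_PARAM     = 'sig';                       // hypothetical name of the signature field

/** Canonical string: every parameter except the signature, sorted by key. */
function canonicalize(array $params): string
{
    unset($params[SIG_PARAM]);
    ksort($params, SORT_STRING);
    return http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

/** Hex HMAC-SHA256 over the canonical string. */
function sign(array $params, string $secret): string
{
    return hash_hmac('sha256', canonicalize($params), $secret);
}

/** Returns true only if both the source IP check and the HMAC check pass. */
function verify_callback(string $remoteAddr, array $params, string $secret): bool
{
    // Compare the TCP peer address only; never a client-supplied forwarding header.
    if (!in_array($remoteAddr, ALLOWED_IPS, true)) {
        return false;
    }
    $given = $params[SIG_PARAM] ?? '';
    if (!is_string($given) || $given === '') {
        return false;                              // missing or array-valued signature
    }
    // hash_equals compares in constant time, avoiding a timing side channel.
    return hash_equals(sign($params, $secret), strtolower($given));
}

// Self-check with constructed input when run from the command line.
if (PHP_SAPI === 'cli') {
    $p = ['user' => '42', 'credits' => '100', 'txn' => 'abc123'];
    $p[SIG_PARAM] = sign($p, SHARED_SECRET);
    var_dump(verify_callback('203.0.113.10', $p, SHARED_SECRET)); // untampered request
    $p['credits'] = '9999';                                        // amount changed after signing
    var_dump(verify_callback('203.0.113.10', $p, SHARED_SECRET));
    var_dump(verify_callback('198.51.100.7', $p, SHARED_SECRET)); // source IP not on the allowlist
}
```

In a web handler the call would be `verify_callback($_SERVER['REMOTE_ADDR'], $_POST, SHARED_SECRET)`, returning a 403 when it is false.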
Reputation: 2512
Relying on the server remote address is not a secure way, since IP spoofing can breach the security.
But yes, there are some ways by which you can prevent it, like key exchange between the machines, but still there is no assurance.
It is better not to rely on IP-based security.
Upvotes: 1