Re: IP Spoofing

SanfordWhiteman
Level 10 - Community Moderator

Re: IP Spoofing

What you're describing isn't secure at all. The referrer can be trivially forged by an absolute newbie.

So I hope that isn't what Alex means...

Rajesh_Talele3
Level 1

Re: IP Spoofing

I agree. I was asking if that was what the service provider meant instead of IP address.

Do you think there is a way to use a CSRF token mechanism, if the service provides one, along with custom JavaScript on the Marketo landing page in such an instance?

SanfordWhiteman
Level 10 - Community Moderator

Re: IP Spoofing

Nope, because CSRF only applies to hijacking an authenticated session from an unauthenticated page. For example, without knowing a Marketo user's username and password, being able to trigger Marketo campaigns because you got them to go to your malicious site. (Note to any worried lurkers: this is not possible! I'm describing the potential case that CSRF tokens are there to block.)

In this case Alex is talking about a Marketo LP (thus unauthenticated) posting data to an external service (perhaps expecting an API key, but if the end user is not to be prompted to enter the key, it must be embedded in the page where anyone can copy it). If it were possible to require a popup w/interactive authentication to the external service (not publishing the credentials to the world) that would be a different story.

You can cobble together pseudo-authentication for a Marketo form post using the Marketo Unique Code (blog post on that in the future). However, it doesn't happen interactively; it's something for the back end and could potentially take minutes to process under load. Similarly, you could use any custom field as a password-like (or password-lite!) field, so only if a certain field supplied by the end user matched this other (non-updateable) field would you continue processing. But that processing is still server-side, like via a webhook. And in both cases, the person has to enter something they know in advance; it's not a regular lead gen form post.
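The server-side "password-lite" check Sanford describes, as an added illustration that is not part of the thread or of Marketo's own code: a webhook receiver continues processing only when the field the end user typed matches a non-updateable field issued to the lead beforehand. The field names, the JSON payload shape and the sample body are assumptions constructed for this example.

```python
import hmac
import json

# Hypothetical field names (assumed, not from Marketo's documentation).
SUPPLIED_FIELD = "accessCode"          # value the end user typed into the form
STORED_FIELD = "expectedAccessCode"    # non-updateable value issued to the lead in advance


def webhook_authorizes(payload: dict) -> bool:
    """Return True only if the user-supplied field matches the stored one.

    The comparison runs on the back end, so the expected value is never
    published in the landing page. compare_digest avoids leaking how many
    leading characters matched through response timing.
    """
    supplied = payload.get(SUPPLIED_FIELD) or ""
    expected = payload.get(STORED_FIELD) or ""
    if not expected:
        # Lead was never issued a code: nothing to match against, so refuse.
        return False
    return hmac.compare_digest(supplied.encode(), expected.encode())


def handle_webhook(raw_body: bytes) -> dict:
    """Parse the webhook body and decide whether downstream processing may continue."""
    payload = json.loads(raw_body)
    if not webhook_authorizes(payload):
        return {"status": "rejected", "reason": "access code mismatch"}
    return {"status": "accepted", "email": payload.get("email")}


# Constructed sample webhook body for a lead that was issued the code K7Q-2291.
SAMPLE_WEBHOOK_BODY = json.dumps({
    "email": "lead@example.com",
    "accessCode": "K7Q-2291",
    "expectedAccessCode": "K7Q-2291",
}).encode()

if __name__ == "__main__":
    print(handle_webhook(SAMPLE_WEBHOOK_BODY))
```

Because the check lives in the webhook rather than in the page's JavaScript, a visitor who inspects the landing page learns nothing that lets them pass it.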

Tony_Mayse
Level 3

Re: IP Spoofing

If Sanford Whiteman hasn't made it clear, this is a bad idea entirely.

The discussion has been very abstract. Right now you're getting very specific answers to your questions, but are left with many choices to make. To get more useful ideas, it might be helpful to explain your overall goal in simple terms so that we can help propose a workable solution.

Alex_Langridge
Level 2

Re: IP Spoofing

Thanks Tony.

I'll start a new question with a better question and clear suggestions.