Yes, actually it's really easy to trick this mechanism. You just have to set up a webserver to catch all requests (e.g. via Apache's mod_rewrite configuration) and answer every single one of them with a valid response including HTTP status code 200. Pretty easy to set up.
If the User-Agent and/or IP of your webserver is known, it would even be possible to lie specifically to your server while keeping up correct responses to all other visitors.
To be sure that this doesn't happen, you should give the user a randomly generated key that is then required as the content of the named file. You should then save the filename and the key in a DB and check both for compliance (analogous to how you would handle a combination of username and password).
This method is similar to e.g. how you authenticate as the owner of a domain at Google Webmaster Tools. You can be pretty sure that only someone with access to the server can deposit this code at the specified address.
Keep in mind that "someone with access to the server" might still be someone without legitimate access. Also, an attacker executing a MITM attack between your own server and the server you are checking could send back whatever is needed to fool your server. Well, but then everything is lost either way.
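The filename-plus-key check described in the answer above, as an added example that is not part of the original answer: it shows a catch-all server that returns 200 for every path failing verification, while a file holding the issued key passes. The class and function names, the in-memory dict standing in for the DB, the `https://` URL scheme and the injected `fetch` callable are assumptions made so the example runs offline.

```python
import hmac
import secrets


class OwnershipVerifier:
    """Issues a random (filename, key) pair per site and later checks both."""

    def __init__(self, fetch):
        # fetch(url) -> (status_code, body_text); injected so this runs offline.
        self._fetch = fetch
        self._pending = {}  # stands in for the DB table: site -> (filename, key)

    def issue_challenge(self, site):
        filename = "verify-" + secrets.token_hex(8) + ".txt"
        key = secrets.token_urlsafe(32)
        self._pending[site] = (filename, key)
        return filename, key

    def verify(self, site):
        if site not in self._pending:
            return False
        filename, key = self._pending[site]
        status, body = self._fetch("https://%s/%s" % (site, filename))
        if status != 200:
            return False
        # A 200 alone proves nothing: the body must be exactly the issued key.
        return hmac.compare_digest(body.strip().encode(), key.encode())


def catch_all_server(url):
    # Constructed stand-in for a server that answers every path with 200.
    return 200, "<html>OK</html>"


def demo():
    results = {}
    tricked = OwnershipVerifier(catch_all_server)
    tricked.issue_challenge("example.test")
    results["catch_all"] = tricked.verify("example.test")

    files = {}  # constructed document root of a site whose owner placed the file
    honest = OwnershipVerifier(lambda u: (200, files[u]) if u in files else (404, ""))
    name, key = honest.issue_challenge("example.test")
    files["https://example.test/" + name] = key + "\n"
    results["owner"] = honest.verify("example.test")
    return results


if __name__ == "__main__":
    print(demo())
```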