|
PHP - Csrf Prevention
I have a question about Cross-Site Request Forgeries (CSRF).
Somewhere in the processing of my form, I check: if (isset($_SESSION['token']) && $_POST['token'] == $_SESSION['token']) { // all other code omitted } else { // no place for bad guys here } So basically, if the token is good then the form continues to check for errors, valid data, etc... I was wondering; is there a point in checking the token again each time I check something else? For example: // above code omitted if (isset($_SESSION['token']) && $_POST['token'] == $_SESSION['token']) { // all other code omitted // check to see if there were any errors if (count($errors) >= 1) { $valid = false; } else { // all other code omitted if ($sent == $allowed) { if ($addNew == true) {// Should I be checking the token each time, or am I being redundant?? // all other code omitted } } } } else { // no place for bad guys here } Similar TutorialsHi, I'm trying to understand any how I can block all users trying to view my website through proxies. With the following code, what I have done is a quick version through php (with headers and ports) and not the firewall which isn't exactly the best way but still stops a lot of them.
<?php
$user_ip = $_SERVER['REMOTE_ADDR'];
$headers = array('CLIENT_IP','FORWARDED','FORWARDED_FOR','FORWARDED_FOR_IP','VIA','X_FORWARDED','X_FORWARDED_FOR','HTTP_CLIENT_IP','HTTP_FORWARDED','HTTP_FORWARDED_FOR','HTTP_FORWARDED_FOR_IP','HTTP_PROXY_CONNECTION','HTTP_VIA','HTTP_X_FORWARDED','HTTP_X_FORWARDED_FOR');
foreach ($headers as $header) {
if (isset($_SERVER[$header])) {
header("Location: /proxy-not-allowed/");
die;
}
}
$queryIP = "SELECT `user_ip_address` FROM `my_table` WHERE `user_ip_address` = :user_ip_address AND `user_blocked` = :user_blocked LIMIT 1";
$queryIP1 = $pdo->prepare($queryIP);
$queryIP1->execute(array(':user_ip_address' => $user_ip, ':user_blocked' => 'No'));
$queryIP2 = $queryIP1->rowCount();
if ($queryIP2 === 0) {
$ports = array(80, 81, 553, 554, 1080, 3128, 4480, 6588, 8000, 8080);
foreach ($ports as $port) {
$connection = @fsockopen($user_ip, $port, $errno, $errstr, 0.1);
if (is_resource($connection)) {
header("Location: /proxy-not-allowed/");
die;
}
}
}
?>
The headers script blocks any proxy sending those headers while the ports script blocks those using any assigned ports I add. I have tested this which seems to be good, though it won't block all proxies due to the assigned one I have. Is this the best way to go about blocking scripts if I don't have access to the firewall? What I am trying to do is allow users to view my HTTPS website normally and block all proxies. Even if I have some users blocked, I do not want them to be cheeky and use a proxy or even register on my website through a proxy. I was thinking of just using the 443 port as my website is https (is that wise?). Any advice would be great. Edited January 4, 2019 by Cobra23
$sql="SELECT COUNT(*) as conflicts
how do I get the value of the conflicts im now very clueless Hi all, last few days i searched my butt of on articles about this topic but most don't seem to provide a solution, more a general idea of what it is. So i thought i mix up some functions and asks you guys to see if this could be a working example to prevent directory traversal and the prevention of including remote files. So the files should be on my server. What i try to do is to retrieve a $_GET['variable'] which stands for a filename and afterwards include this file name if the file exists. Any tips and tricks are welcome. if (file_exists(basename(realpath($_GET['filenamehere'])))){ echo 'file exists'; }else{ echo 'file doesn\'t exist'; } thanks in advance! Hey Guys! I have the following Working php script (receives the variables from Flash) //LOGIN! if ($action == "login") { //retreive data from flash $username=mysql_real_escape_string($_POST['Username']); $password=mysql_real_escape_string($_POST['txtPassword']); $result = mysql_query("SELECT name, activated from buyers WHERE email = '$username' AND password = md5('$password')"); $cant = 0; while($row=mysql_fetch_array($result)) { echo "name$cant=$row[name]&activated$cant=$row[activated]&"; $cant++; } echo "cant=$cant&"; if (mysql_num_rows($result) > 0) { echo "status1=exists"; } else { echo "status1=Incorrect Login"; } } As you can see I have used mysql_real_escape_string for the variables $username and $password that are coming from Flash. I would really appreciate some guidence if this is the only safe code I need in this script? For example: Does $action == "login" need also mysql_real_escape_string ?? That variable $action is also coming from flash (but is not inputted by a user) Any ideas? Thanks in advance, Cheers! How much work do you to stop CSRF? Like, I've made sure when changing passwords/e-mails (or anything related to account security) they have to confirm their own password so CSRF can't really do much. I've got a header referral check on everything but this is really easy to spoof so without putting hidden tokens in each form is there any easier way? I can't really be bothered and the worst thing they can do is get a user to post a spam post on my forum or something trivial. How far do you take it? hey guys,
i was introuduced the the world of csrf a little while ago by a member of PHP Freaks, beofore hand i had'nt a clue...so i decided to read a little more into and created a class to deal with generating tokens and ensuring the site is free from CSRF.
now my understanding is that a CSRF can be made from clicking on sponsers, images and basically anything that can cause a request to another site/domain.
now with the script allows the user to have multipule tokens and a new token is generated everytime when filling a form or whatever, allowing user to have more than one tab open. I'm just a little concerned that a CSRF attack can still be made this way as a new token is made on each form page.
when creating a form i do this:
<input name="csrf_token" type="hidden" value="12345" />then on post im able to do something like this:
$token = $csrf->get_token(); // token for input
if ($csrf->is_safe($post->csrf_token) && form->is_valid())
{
echo "safe"
}
else
{
echo "unsafe";
}
here is my class
<?php
namespace Security;
use Session\Session as Session;
use Security\SSL;
class CSRF
{
protected $_expiration = "3600";
public function get_token($expiration = null)
{
$ssl = new SSL;
$token = $ssl->random_string(20);
$session = new Session;
$session->start();
if ($expiration === null)
{
$expiration = $this->_expiration;
}
else if (!is_numeric($expiration))
{
// error
}
if (!$session->offset_exists('csrf_token'))
{
$session->csrf_token = array();
}
$expiration = time() + $expiration;
$session->append('csrf_token', array('token' => $token,
'expiration' => $expiration
));
return $csrf_token;
}
protected function token_exists($token)
{
$session = new Session;
$session->start();
$csrf_token = $session->csrf_token;
$result = false;
foreach ($csrf_token as $key => $array)
{
if (time() > $array['expiration'])
{
$session->offset_unset('csrf_token', $key);
}
else if ($array['expiration'] > time()&&
$array['token'] === $token)
{
$session->offset_unset('csrf_token', $key);
$result = true;
}
}
return $result;
}
public function is_safe($token)
{
if ($this->token_exists($token))
{
return true;
}
return false;
}
}
any advise would be greatful, thank you
Edited by Destramic, 11 January 2015 - 04:27 PM. As the title says, I would like to know how exactly CSRF can be 100% (or close to it) prevented.
One of the most recommended solutions is to create a token and insert it into a hidden field, but I've tested it on another domain and you can just do a cURL request and retrieve the token then make another request with it included. Proof:
<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "URL");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
$response = curl_exec($ch);
curl_close($ch);
$exploded = explode('type="hidden" name="token" value="', $response);
$token = substr($exploded[1], 0, 64);
echo $token; // ebd9ab96d40bdb21bbaa2e1a18d657be2e413105ae86ecc14def6137f38a1571
?>
I would hate to include captcha on all my forms, so how exactly does one prevent CSRF?
Hi - My app is built with Codeigniter and so if I turn on CSRF on CI inside the config I get the token being created on my page - good.
But I have 1 page ( "shopping cart") which uses Scriptaculous Ajax.Updater function : http://api.prototype...x/Ajax/Updater/
When I turn on CSRF my shopping cart page refuses to function in terms of updating the cart or deleting any items from the cart. These are both js functions.
I am really stuck - any help would be a God send. Thank You !!
Here is the code:
UpDate JS Function:
function jsUpdateCart(){
var parameter_string = '';
allNodes = document.getElementsByClassName("process");
for(i = 0; i < allNodes.length; i++) {
var tempid = allNodes[i].id;
var temp = new Array;
temp = tempid.split("_");
var real_id = temp[2];
var real_value = allNodes[i].value;
parameter_string += real_id +':'+real_value+',';
}
var params = 'ids='+parameter_string;
var ajax = new Ajax.Updater(
'ajax_msg','http://localhost/mysite/index.php/welcome/ajax_cart', {method:'post',parameters:params,onComplete:showMessage}
);
}
This topic has been moved to Ajax Help. http://www.phpfreaks.com/forums/index.php?topic=323434.0 Hi all, I'm writing my own MVC framework purely to improve my oo php skills and I've created a CSRF token validation class to help prevent CSRF attacks. I just need some feedback on it really, is it insecure, is there a better way to validate tokens, etc. Code: [Select] <?php // Security measure. if (!defined('BASE_PATH')) { exit(); } class CSRF { private static $tokens = array(); private static $session_name = 'csrf_data'; /** * Loads CSRF token data from session into $tokens array. * * This is called before the controller is loaded. * * @return void */ public static function init() { $session_name = self::$session_name; // Move CSRF token data from session to class field. if (isset($_SESSION[$session_name])) { self::$tokens = unserialize($_SESSION[$session_name]); unset($_SESSION[$session_name]); } } /** * Saves the CSRF data to a session. * * @static * @return void */ private static function save() { $session_name = self::$session_name; unset($_SESSION[$session_name]); $_SESSION[$session_name] = serialize(self::$tokens); } /** * Creates a new token. * * @static * @param string $name * @return string */ private static function generateToken($name) { $token = md5(uniqid(rand(), true)); self::$tokens[$name] = $token; self::save(); return $token; } /** * Validate a token by its name. * * @static * @param string $name * @param string $token The CSRF token included with the form data. * @return bool */ public static function validateToken($name, $token) { if (!isset(self::$tokens[$name])) { return false; } return ($token == self::$tokens[$name]); } } // End of CSRF class. I know, csrf token is like a random string. Does every form need a csrf token? Does every form need to have a different csrf token or all forms have a same csrf token for one logged in user? When an user logged in, I set $_SESSION['key']=$useremail; is it ok to set email for a logged in session? Do I have to set or add another $_SESSION with csrf token? How does csrf token add security for form submission? After form submission, what would PHP do with the hidden input field or with the csrf token? Someone parses the html login form and gets the csrf token from hidden field. Now can he request with that csrf token to login through jquery ajax? |
|||||||