Tuesday, March 18, 2014

Cross site request forgery (CSRF) Protection in PHP

Nowadays almost every website applies CSRF protection to its forms to make them more secure. In this post I'll first create a class called Security and then add the methods needed to make a form resistant to Cross Site Request Forgery. A CSRF vulnerability lets an attacker submit or process a form on behalf of a logged-in user without the user's knowledge. Such attacks are commonly aimed at e-commerce websites to place bogus orders.

Creating the Class:
class Security
{
    // Generate a fresh token and remember it in the session.
    public static function getToken()
    {
        // random_bytes() is a CSPRNG (PHP 7+); uniqid() is clock-based and guessable.
        $token = bin2hex(random_bytes(32));
        $_SESSION['token'] = $token;
        return $_SESSION['token'];
    }

    // Return true only if the submitted token matches the stored one; the token is single use.
    public static function checkToken($token)
    {
        if (isset($_SESSION['token'])) {
            // hash_equals() avoids loose == type juggling and compares in constant time.
            if (is_string($token) && hash_equals($_SESSION['token'], $token)) {
                unset($_SESSION['token']);
                return true;
            }
        }

        return false;
    }
}

Using the Class:
<?php
  session_start();
  require_once 'Security.php'; // the class above; file name assumed

  if (isset($_POST['uname'], $_POST['token'])) {
    if (!empty($_POST['uname']) && !empty($_POST['token'])) {
      // Verify the hidden token field, not the username.
      if (!Security::checkToken($_POST['token'])) {
        // Show the error or redirect on home page!
        header('Location: index.php');
        die();
      }

      // Succeed!
      print_r($_POST);
    }
  }
?>
<html>
  <head>
    <title>CSRF - TheCodePress</title>
  </head>
  <body>
    <form action="index.php" method="POST">
      <label>Username:</label><br />
      <input type="text" name="uname" placeholder="Username" />
      <input type="hidden" name="token" value="<?php echo Security::getToken(); ?>" />
      <input type="submit" value="Submit" />
    </form>
  </body>
</html>
What we are doing here is first creating the class and then its static methods. The first step is to obtain a token and inject it into our HTML through a hidden input field; we use a hidden input because we don't want the token to be displayed on the page.
We also save the token in the session so that we can verify it when the user submits the form.

To verify the token we have built a method called checkToken(), which first checks whether a token is set in the session and then checks whether the token submitted by the user matches the one saved in the session. If it does, it unsets the session token and returns TRUE; otherwise it returns FALSE.

Note:
Make sure you call session_start() before using the class, so that the session is available.
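As an added example that is not part of the original post, here is a hardened variant of the Security class: a CSPRNG token, one token per form name, an expiry and a constant-time comparison, followed by a CLI self-check against a constructed in-memory session. The class name CsrfGuard, the 900-second lifetime and the form names are assumptions.

```php
<?php
// Added example, not the post's code: a hardened variant of the Security class above.
// Assumes PHP 7.1+ (random_bytes, hash_equals, nullable types) and an active session.
final class CsrfGuard
{
    private const TTL = 900; // seconds a token stays valid (constructed value)

    // Issue a token bound to one form name, so several forms can coexist in a session.
    public static function issue(string $form): string
    {
        $token = bin2hex(random_bytes(32));           // CSPRNG instead of uniqid()
        $_SESSION['csrf'][$form] = ['t' => $token, 'exp' => time() + self::TTL];
        return $token;
    }

    // Verify and consume: right form, not expired, constant-time comparison.
    public static function verify(string $form, ?string $submitted): bool
    {
        $rec = $_SESSION['csrf'][$form] ?? null;
        unset($_SESSION['csrf'][$form]);               // single use, even when it fails
        if ($rec === null || $submitted === null || time() > $rec['exp']) {
            return false;
        }
        return hash_equals($rec['t'], $submitted);     // no loose == comparison
    }
}

// Self-check with a constructed in-memory session; runs from the CLI, no web server.
function expect(bool $cond, string $case): void
{
    if (!$cond) {
        throw new RuntimeException("CSRF check failed: $case");
    }
}

$_SESSION = [];
$order = CsrfGuard::issue('order');
$login = CsrfGuard::issue('login');
expect(CsrfGuard::verify('order', $login) === false, 'token from another form');
expect(CsrfGuard::verify('order', null) === false, 'token consumed by failed attempt');
$order = CsrfGuard::issue('order');
expect(CsrfGuard::verify('order', 'deadbeef') === false, 'forged value');
$order = CsrfGuard::issue('order');
expect(CsrfGuard::verify('order', $order) === true, 'genuine submit');
expect(CsrfGuard::verify('order', $order) === false, 'replay of a used token');
expect(CsrfGuard::verify('login', $login) === true, 'other form unaffected');
echo "all CSRF checks passed\n";
```

In a real page the hidden field would carry CsrfGuard::issue('order') and the handler would call CsrfGuard::verify('order', $_POST['token'] ?? null) before doing any work.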
