PHP-Nuke Titanium HQ
     
PHP-Nuke Titanium v4.0.4 / PHP v8.2.17
PHP CSRF Protection via Anti-CSRF Token
HereDoc (Developer, Portal Member, joined Feb 07, 2023, reputation 1.3)
PHP CSRF Protection via Anti-CSRF Token
by HereDoc Wed Feb 15, 2023 3:43 am

Start by downloading the files needed from the GitHub Repo
https://github.com/steveclifton/phpcsrftokens

PHP is widely used in almost all popular CMSs on the internet today. PHP has a role to play even in this blog that you are reading. However, at times people using PHP to build their sites skip the security practices. This leaves the PHP site vulnerable and makes it susceptible to malware attacks. As a result, the internet is full of questions asked by users regarding how to secure a PHP site. What is more alarming is that in the case of a CMS, multiple modules share the same part of a PHP code. If the code is vulnerable, it can make all the modules vulnerable as well.

What is Cross-Site Request Forgery in PHP?

OWASP defines Cross-Site Request Forgery (CSRF) as a kind of attack that takes place when a malicious web resource (email, website, etc.) or program makes the user perform something unwanted on another website that the user is already authenticated to. Before explaining how to secure a PHP site against CSRF, let me explain it in simpler terms.

Suppose you have logged in to a bank website named www.example-bank.com. Now take a malicious site, say www.malicious-site.com. For the attack to happen, you must be logged in to your bank site and then visit the malicious site. The malicious site then makes you perform an unwanted action, such as clicking a button. As soon as that happens, the malicious site (www.malicious-site.com) sends a request to your bank site (www.example-bank.com). Since the bank has no CSRF mechanism, it executes the request, because your browser sent it along with your session cookies automatically. The bank is unable to determine whether the request was generated by you or by another, malicious site. Now that you have an idea of what a CSRF attack is, let us learn how to secure a PHP site against it.

How to Protect PHP Site Against CSRF

One of the most widely used methods to secure a PHP site against CSRF is using tokens. These are also known as Anti-CSRF tokens and contain secure, random values. So, even when the attacker makes you perform an unwanted action, the website won't execute it because the Anti-CSRF token value will be wrong. Most of the popular PHP frameworks provide an Anti-CSRF token to secure a PHP site. However, if you are building things from scratch or missed something, you can do it manually too. To do so, follow these steps:

Step 1: Creating a PHP file to manage anti-CSRF token operations

Firstly, we need to create a PHP file manually like this one which contains various functions to:

  • Get session tokens and cookies
  • Verify the CSRF token and cookies
  • Handle the timeout of a CSRF token
  • Generate secure random tokens

You can use the code of this author free of charge as it is MIT licensed. However, if you wish to make changes, beware of certain things. For instance, the PHP function rand() is predictable and the function md5() doesn’t add entropy. Also, to compare the Anti-CSRF token hashes, do not use == or even === if you wish to secure a PHP site against CSRF attacks.

Step 2: Importing functions

Once the PHP file is created to handle the Anti-CSRF token operations, the next thing to do is to ensure that it is loaded on each page. This can be done with the require_once statement, which checks whether the file has already been included and includes it only if it has not. So, for instance, if it is in /home/www/site/, adjust the path accordingly. Thereafter, import our functions to manage Anti-CSRF tokens with PHP's use statement. Combined, it looks like this:

PHP:

require_once __DIR__ . '/Csrf.php'; // path to the downloaded Csrf class file; adjust it to where you placed it, e.g. under /home/www/site/

use steveclifton\phpcsrftokens\Csrf;

Step 3: Creating session and verifying anti-CSRF token

Now start a session using PHP's session_start() function. Thereafter, within the same block, we will call another function named verifyToken('home'), which is already present in the Csrf class of our imported file. This function determines whether the token and cookie match or mismatch, which is what secures a PHP site against CSRF attacks. All of it combined looks like this:

PHP:

require_once __DIR__ . '/Csrf.php'; // path to the downloaded Csrf class file; adjust it to your install

use steveclifton\phpcsrftokens\Csrf;

session_start(); // must run before any token function, since the tokens live in $_SESSION

if (!empty($_GET['a'])) {
    // On submit, check the posted token against the stored one
    echo (Csrf::verifyToken('home') ? 'success' : 'unsuccessful');
}


Note: As of PHP 7.1.0, session_start() returns FALSE when it fails to start the session, instead of initializing $_SESSION.

Step 4: Embedding anti-CSRF token generating function in HTML

Finally, let us add our imported function which generates Anti-CSRF tokens into our HTML forms. This is done by calling getInputToken('home') of the Csrf class in our imported file. See the code snippet below, added to an HTML form:

Code:

<!DOCTYPE html>
<html>
<head><title>Test Script</title></head>
<body>
  <form action="?a=submit" method="POST">
    <?php echo Csrf::getInputToken('home'); ?>
    <input type="text" name="name">
    <button>Submit!</button>
  </form>
</body>
</html>


Now your Anti-CSRF token mechanism is ready to go. This is the final code that answers your question of, “How to secure a PHP site against CSRF attacks?”.

PHP:

require_once __DIR__ . '/Csrf.php'; // path to the downloaded Csrf class file; adjust it to your install

use steveclifton\phpcsrftokens\Csrf;

session_start(); // must run before any token function, since the tokens live in $_SESSION

if (!empty($_GET['a'])) {
    // On submit, check the posted token against the stored one
    echo (Csrf::verifyToken('home') ? 'success' : 'unsuccessful');
}


PHP:

// Render the form; getInputToken() emits the hidden field carrying a fresh token
echo '<!DOCTYPE html>
<html>
<head><title>Test Script</title></head>
<body>
  <form action="?a=submit" method="POST">
    ' . Csrf::getInputToken('home') . '
    <input type="text" name="name">
    <button>Submit!</button>
  </form>
</body>
</html>';


PHP CSRF Protection – Conclusion

This is just one mechanism to secure a PHP site against CSRF attacks. There are a variety of other security mechanisms that can be used.


