CakePHP: Cross-Site Request Forgery (CSRF) Test

CSRF

Cross-site request forgery (CSRF), also known as a one-click attack or session riding, is a type of malicious exploit of a website in which unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has in a particular site, CSRF exploits the trust that a site has in a user's browser.

How Does It Work?

There are various techniques used for CSRF attacks. Let's take the example of changing the email address of a logged-in user, using a form that carries the fields to be changed.

Ex:

[code language="html"]
<form name="myform" action="http://myweb.com/profile" method="POST">
<input name="email" type="text" value="xyz@gmail.com" />
<input name="name" type="text" value="john" />
<input type="submit" value="Save"/>
</form>
[/code]

Here the victim has to submit the form.

Alternately:

[code language="html"]
<body onload="document.forms[0].submit()">
<form name="myform" action="http://myweb.com/profile" method="POST">
<input name="email" type="hidden" value="xyz@gmail.com"/>
<input type="hidden" name="name" value="john"/>
<input type="submit" value="Save"/>
</form>
</body>
[/code]

Here, the form is submitted automatically as soon as the page loads in the browser. If the victim is logged in to myweb.com, the browser attaches the session cookie, and the attacker has changed the authenticated user's email address without any click at all.

Note: it is not easy for attackers to use an AJAX call to perform the above operation, since most modern browsers enforce the same-origin policy, which restricts cross-origin AJAX requests. A plain HTML form, as above, is not subject to that restriction.

How to Prevent Such Attacks:

Let's take the same example as above and prevent the CSRF attack.

Here are the steps to be followed:

Step#1: Generate a unique token (256 char string) for each session, i.e. every user login to the system gets its own token. Store the token in the session.

[code language="php"]
// Create the per-session token once; it is reused until the session ends.
if (!isset($_SESSION['CSRFTOKEN'])) {
    // genRandomStringCustom() is the author's own helper in a Format component;
    // whatever generates the token must use a cryptographically secure random source.
    $tokn = $this->Format->genRandomStringCustom(25);
    $_SESSION['CSRFTOKEN'] = $tokn;
}
[/code]

For CakePHP, do this in AppController so that it runs for every request.

Step#2: Add this token to every form that performs a state-changing operation, such as saving profile information like email, password, first name or last name. Follow the guidelines below:

Take profile.ctp for our example and add a hidden field to its form:

[code language="html"]
<form id="formId" method="POST" action="http://myweb.com/profile">
<input id="csrftoken" type="hidden" value="" name="csrftoken" />
…..

<input value="Save" type="button" onclick="addCsrfToken('formId')"/>
</form>
[/code]

Set the "csrftoken" value at runtime when the form is submitted:

[code language="html"]
<script>
// Fill the hidden field with the session token, then submit the form.
// h() is CakePHP's HTML-escaping helper, so the token cannot break out of the string literal.
function addCsrfToken(formid){
    $('#csrftoken').val('<?php echo h($_SESSION['CSRFTOKEN']); ?>');
    $('#'+formid).submit();
}
</script>
[/code]

Step#3: Check the CSRF token in the respective controller and action before performing any state-changing operation.

Let's take the UsersController and its profile action:

[code language="php"]
// UsersController.php
function profile(){
    // Token sent back by the form. $this->data holds the POSTed form data in
    // CakePHP 1.x ($this->request->data in 2.x); a missing field must fail the check.
    $sent = isset($this->data['csrftoken']) ? $this->data['csrftoken'] : '';
    if(isset($_SESSION['CSRFTOKEN']) && $_SESSION['CSRFTOKEN'] === $sent){
        //perform the rest of the operation here
    }else{
        //unauthorized access, do not save anything
    }
}
[/code]
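The three steps above carried through in plain PHP, as an added example that is not the post's own code: it replaces the author's genRandomStringCustom() helper with random_bytes(), emits the hidden field server-side instead of filling it with JavaScript, and compares with hash_equals() rather than ===. The session is simulated with an ordinary array so the script runs from the command line.

```php
<?php
// Added example, not from the original post. $session stands in for $_SESSION;
// in CakePHP, csrfToken() belongs in AppController and csrfIsValid() in the
// controller action that saves the form.
declare(strict_types=1);

// Step 1: one token per session, created once and reused until logout.
function csrfToken(array &$session): string
{
    if (!isset($session['CSRFTOKEN'])) {
        // random_bytes() is a CSPRNG; 32 bytes -> 64 hex characters.
        $session['CSRFTOKEN'] = bin2hex(random_bytes(32));
    }
    return $session['CSRFTOKEN'];
}

// Step 2: render the hidden field for profile.ctp. htmlspecialchars() keeps the
// value from breaking out of the attribute even if the token format changes.
function csrfHiddenField(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrftoken" value="' . $token . '" />';
}

// Step 3: verify before touching any POSTed data. hash_equals() is a
// constant-time comparison; a missing or non-string token always fails.
function csrfIsValid(array $session, array $post): bool
{
    if (!isset($session['CSRFTOKEN'], $post['csrftoken'])) {
        return false;
    }
    if (!is_string($post['csrftoken'])) {
        return false;
    }
    return hash_equals($session['CSRFTOKEN'], $post['csrftoken']);
}

// Constructed demo data: a legitimate submit from our own form, and a forged
// submit from another site, which carries the session cookie but cannot
// read the token stored server-side and therefore omits it.
$session = [];
echo csrfHiddenField($session), "\n";
$legit  = ['email' => 'user@example.com', 'csrftoken' => $session['CSRFTOKEN']];
$forged = ['email' => 'xyz@gmail.com', 'name' => 'john'];
var_dump(csrfIsValid($session, $legit));
var_dump(csrfIsValid($session, $forged));
```

CakePHP's own SecurityComponent implements this kind of token check and is preferable to hand-rolled code in a production application.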

Over to you, now!

These kinds of one-click attacks are quickly becoming a common mode of cyber attack. It would be nice if you could share your experiences related to the same at info@andolasoft.com.

Let's make the web a safer place for everyone!

Author: admin (amarajyoti.garanayak@andolasoft.co.in)