CakePHP: Cross-Site Request Forgery (CSRF) Test

Cross-site request forgery (CSRF), also known as a one-click attack or session riding, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has in a particular site, CSRF exploits the trust that a site has in a user's browser.

How It Works

There are various techniques used for CSRF attacks. Let's take the example of changing the email address of a logged-in user through a form that contains the fields to be changed.

Ex:

<form name="myform" action="http://myweb.com/profile" method="POST">
<input name="email" type="text" value="[email protected]" />
<input name="name" type="text" value="john" />
<input type="submit" value="Save"/>
</form>

Here the victim has to submit the form.

Alternately:

<body onload="document.forms[0].submit()">
<form name="myform" action="http://myweb.com/profile" method="POST">
<input  name="email"  type="hidden" value="[email protected]"/>
<input  type="hidden" name="name"  value="john"/>
<input type="submit" value="Save"/>
</form>
</body>

Here, the form is submitted automatically as soon as the page loads in the browser. The attacker can now easily change the email address of any user who is authenticated to "myweb.com".

Note: it is not easy for attackers to use an AJAX call to perform the above operation, since most modern browsers enforce same-origin policy restrictions.

How To Prevent Such Attacks:

Let's take the same example as above and prevent the CSRF attack.

Here are the steps to be followed:

Step#1:

Generate a unique token (a 256 char string) for each session, i.e. every user login to the system should have its own token associated with it. Store the token in the session.

if (!isset($_SESSION['CSRFTOKEN'])) {
    // genRandomStringCustom() is a custom helper of this application;
    // the token is generated once and then reused for the whole session
    $tokn = $this->Format->genRandomStringCustom(25);
    $_SESSION['CSRFTOKEN'] = $tokn;
}

For CakePHP, do this in App Controller.

Step#2:

Add this token to every form that performs an operation such as saving profile information (email, password, first name or last name). Follow the guidelines below:

Taking profile.ctp as our example, add the code below to it:

Add a hidden field to the form.

Example:

<form id="formId" method="POST" action="http://myweb.com/profile">
<input id="csrftoken" type="hidden" value="" name="csrftoken" />
...

<input value="Save" type="button" onclick="addCsrfToken('formId')"/>
</form>

Set the "csrftoken" value at runtime, when the form is submitted:

<script>
function addCsrfToken(formid){
    // the hidden field above has id="csrftoken", so select it by id
    $('#csrftoken').val('<?php echo $_SESSION['CSRFTOKEN']; ?>');
    $('#'+formid).submit();
}
</script>

Step#3:

Check the CSRF token in the respective controller and action before carrying out any operation.

Let’s take the user’s controller and profile action:

UsersController.php

function profile(){
    // the token submitted from the form; null when the form sent none
    $submitted = isset($this->data['csrftoken']) ? $this->data['csrftoken'] : null;

    if ($submitted !== null && $_SESSION['CSRFTOKEN'] === $submitted) {
        // perform the rest of the operation here
    } else {
        // unauthorized access, do not save anything
    }
}
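To tie the three steps together, here is an added example in plain PHP; it is not the article's code. It assumes a `$session` array standing in for `$_SESSION` and a `$post` array standing in for the submitted form data (`$this->data['csrftoken']` in the article), so it runs from the command line without a web server or a CakePHP install. Two techniques are swapped in: `random_bytes()` replaces the article's custom `genRandomStringCustom()` helper, and `hash_equals()` replaces the `===` comparison, so that a wrong token takes the same time to reject as a right one. The constructed scenario at the bottom replays both the legitimate submission from profile.ctp and the auto-submitted form from the "How It Works" section.

```php
<?php
// Added example, not the article's code: the three steps as plain PHP functions.
// Assumptions: $session stands in for $_SESSION and $post for the submitted
// form data ($this->data in CakePHP), so the file runs from the CLI.
// Swapped-in techniques: random_bytes() instead of the article's custom
// genRandomStringCustom() helper, and hash_equals() instead of ===.
declare(strict_types=1);

const CSRF_SESSION_KEY = 'CSRFTOKEN';   // same session key as the article
const CSRF_FIELD       = 'csrftoken';   // same form field name as the article

/** Step 1: create the token once per session (App Controller in CakePHP). */
function csrfToken(array &$session): string
{
    if (!isset($session[CSRF_SESSION_KEY]) || $session[CSRF_SESSION_KEY] === '') {
        // 32 bytes from the CSPRNG, hex-encoded to a 64-character string
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

/** Step 2: the hidden field for profile.ctp, rendered server-side. */
function csrfHiddenField(array &$session): string
{
    // Escaping keeps the value inside the attribute even if the token format changes.
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return sprintf('<input type="hidden" name="%s" value="%s" />', CSRF_FIELD, $token);
}

/** Step 3: the controller-side check; every failure mode returns false. */
function csrfIsValid(array $session, array $post): bool
{
    if (!isset($session[CSRF_SESSION_KEY]) || !isset($post[CSRF_FIELD])) {
        return false;               // no session token, or the form sent none
    }
    if (!is_string($post[CSRF_FIELD])) {
        return false;               // e.g. csrftoken[]=... submitted as an array
    }
    // Constant-time comparison: a wrong token costs the same time as a right one.
    return hash_equals($session[CSRF_SESSION_KEY], $post[CSRF_FIELD]);
}

// ---- Constructed scenario (sample data, not captured traffic) ----------------
$session = [];                      // the victim's session, fresh after login
$token   = csrfToken($session);     // Step 1 runs in the App Controller

// Submission from the real profile.ctp: carries the hidden field.
$ownRequest = ['email' => 'john@example.com', 'name' => 'john', CSRF_FIELD => $token];

// Submission from the attacker's auto-submitting form: the attacker's page
// cannot read the victim's session, so the request carries no token at all.
$forgedRequest = ['email' => 'attacker@example.com', 'name' => 'john'];

// A token of the right length but wrong content is rejected as well.
$guessedRequest = $ownRequest;
$guessedRequest[CSRF_FIELD] = str_repeat('0', strlen($token));

$requests = ['own' => $ownRequest, 'forged' => $forgedRequest, 'guessed' => $guessedRequest];
foreach ($requests as $label => $post) {
    printf("%-8s %s\n", $label,
        csrfIsValid($session, $post) ? 'accepted: save profile' : 'rejected: save nothing');
}
echo csrfHiddenField($session), PHP_EOL;
```

Rendering the hidden field with the token already filled in, as `csrfHiddenField()` does, removes the need for the `addCsrfToken()` JavaScript and works with scripting disabled; the check in `csrfIsValid()` fails closed, so a missing session token, a missing field, a field submitted as an array or a mismatch all lead to the "do not save anything" branch.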

Over To You, Now!

These kinds of one-click attacks are quickly becoming a common mode of cyber attack. It would be nice if you could share your experiences related to them at [email protected].

Let’s make the web a safer place for everyone!

Published by Andolasoft
