How To Prevent Cross Site Request Forgery – PHP

Posted On June 19th, 2014 by Sri vathsan. Posted Under PHP, Security

CSRF stands third in the top 5 most important PHP security issues, and most of the sites out there are vulnerable to it. The attack is possible whenever your site accepts form submissions. So in the first part of this post we will see what a CSRF attack is and how it is carried out, and in the second part we will deal with the steps you can take to prevent it.

How CSRF is carried out:

The first step in preventing any kind of hack is to learn how that hack works and how a hacker carries it out. So let's see how a CSRF attack is carried out.
Consider that you have a site that lets your users enter a list of movies they have seen, using a simple form with the name of the movie and their rating of it. Let the form code look something like the following:

<form method="post" action="submit.php">
    <input type="text" name="movie">
    <input type="text" name="rating">
    <input type="submit">
</form>

Let's say that your site's address is yoursite.com. Below is how the attack could be carried out against this kind of form.
1. The hacker creates a simple page containing the exact same form, but changes its action to "yoursite.com/submit.php". The form is now redirected to the submit.php file on your host.

2. The hacker fills in the details of the form himself, so the form looks something like this.

<form method="post" action="http://yoursite.com/submit.php">
    <input type="text" name="movie" value="Inception">
    <input type="text" name="rating" value="5">
    <input type="submit">
</form>

3. The hacker hides the form and triggers the submit button with JavaScript when someone visits the page.

4. So when a user who is logged in to your site visits this page, the movie Inception is added to your database with a rating of 5, without the user being aware of it. The hacker has successfully completed his attack.

This is not the most basic example. The most basic form of this attack is possible when the developer uses a GET request: the hacker simply sets the GET parameters, builds a URL, and then gets the user to open the link by some means.

This is just an example; in the same way the hacker could do anything the logged-in user is allowed to do. Even bank transactions! Frightening, right? Well, no worries. There are solutions for you, the developer, to overcome this issue.

How To Prevent CSRF:

1. Captcha Verification:

Using captchas is one of the best ways to prevent a CSRF attack, and this is the reason why most sites have a captcha verification when the user wants to make some sensitive change to his/her account. But captchas are not user friendly: a normal user does not understand the significance of a captcha code and just gets frustrated by entering it again and again. So there is another alternative which proves to be much more efficient and user friendly.
2. Using a Secret Token:

This is considered by most developers to be the best way to prevent CSRF attacks. The basic concept is that you include a hidden field in your form with a secret token as its value, and save the same token value in a session variable. In the form submission page all you need to do is check whether the value of the hidden field matches the value in your session variable. If it doesn't match, then it is most probably a CSRF attack. You can do it as follows.

<?php
// form.php file
session_start();
// Generate a fresh, unguessable token on every visit and remember it in the session
$_SESSION['secret'] = bin2hex(random_bytes(32));
?>
<form method="post" action="submit.php">
    <input type="hidden" name="postsecret" value="<?php echo htmlspecialchars($_SESSION['secret'], ENT_QUOTES, 'UTF-8'); ?>">
    .... <!-- Rest of your form goes here -->
</form>

<?php
// submit.php file
session_start();
// hash_equals compares the two strings in constant time
if (!isset($_SESSION['secret'], $_POST['postsecret'])
    || !hash_equals($_SESSION['secret'], (string) $_POST['postsecret'])) {
    // It's a CSRF attack
    http_response_code(403);
    exit('Invalid request');
} else {
    // Rest of your code here
}
?>

The only things you need to make sure of are that the secret token is sufficiently hard to guess and that it is regenerated every time the user visits the form.php file.
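The following is an added example, not code from the original post: a small reusable helper for the secret-token approach described above. It also covers the GET case from the attack section by refusing anything that is not a POST, and it consumes each token on first use so a replayed submission fails. It assumes PHP 7 or later (for random_bytes() and hash_equals()); the function names, the one-hour token lifetime and the per-form keying are choices made for this example, and the 'postsecret' field name is kept from the post.

```php
<?php
// Added example, not code from the original post: a small reusable helper
// for the secret-token approach. Assumes PHP 7+ for random_bytes() and
// hash_equals(); function names, the 'movie' form name and the one-hour
// lifetime are choices made for this example.
declare(strict_types=1);

const CSRF_TOKEN_BYTES = 32;    // 256 bits of randomness per token
const CSRF_TOKEN_TTL   = 3600;  // seconds a token stays valid (assumed policy)

// Start the session when running under a web server; in a CLI self-check the
// $_SESSION superglobal is simply used as a plain array.
function csrf_session(): void
{
    if (PHP_SAPI !== 'cli' && session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    if (!isset($_SESSION) || !is_array($_SESSION)) {
        $_SESSION = [];
    }
}

// Create a fresh token for a named form and remember it in the session.
// A new token is issued on every call, which is what the post asks for.
function csrf_token(string $form): string
{
    csrf_session();
    $token = bin2hex(random_bytes(CSRF_TOKEN_BYTES));  // 64 hex characters
    $_SESSION['csrf'][$form] = ['value' => $token, 'expires' => time() + CSRF_TOKEN_TTL];
    return $token;
}

// Render the hidden field; the value is escaped so it can never break out of
// the attribute, even though a hex string is harmless on its own.
function csrf_field(string $form): string
{
    $token = csrf_token($form);
    return '<input type="hidden" name="postsecret" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Verify a submission. Returns true only for a POST that carries the
// unexpired token stored for this form. The stored token is consumed either
// way, so a second submission with the same token (a replay) fails.
function csrf_verify(string $form, array $post, string $method): bool
{
    csrf_session();
    $stored = $_SESSION['csrf'][$form] ?? null;
    unset($_SESSION['csrf'][$form]);               // one-time use
    if ($method !== 'POST') {
        return false;  // state changes over GET are the "basic example" above
    }
    $given = $post['postsecret'] ?? null;
    if ($stored === null || !is_string($given) || $stored['expires'] < time()) {
        return false;
    }
    // Constant-time comparison: a plain != would leak, via timing, how many
    // leading characters of a guess were right.
    return hash_equals($stored['value'], $given);
}

// Usage in form.php:
//   echo '<form method="post" action="submit.php">' . csrf_field('movie') . '...</form>';
// Usage in submit.php:
//   if (!csrf_verify('movie', $_POST, $_SERVER['REQUEST_METHOD'])) {
//       http_response_code(403);
//       exit('Invalid request');
//   }

// Self-check that runs offline with `php csrf.php`; the submissions below are
// constructed for the example, not captured traffic.
if (PHP_SAPI === 'cli') {
    $issued  = csrf_token('movie');
    $good    = csrf_verify('movie', ['movie' => 'Inception', 'rating' => '5', 'postsecret' => $issued], 'POST');
    $replay  = csrf_verify('movie', ['postsecret' => $issued], 'POST');  // already consumed
    csrf_token('movie');
    $forged  = csrf_verify('movie', ['postsecret' => str_repeat('0', 64)], 'POST');
    csrf_token('movie');
    $viaGet  = csrf_verify('movie', ['postsecret' => $_SESSION['csrf']['movie']['value']], 'GET');
    $missing = csrf_verify('movie', [], 'POST');
    var_dump($good, $replay, $forged, $viaGet, $missing);
}
```

Keying the stored token by form name lets a user have several forms open in different tabs without one page load invalidating another's token, while still regenerating the token on every render of a given form as the post requires.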

And so this would be the end of the post and hope this helped you. Safe coding :)

Sri vathsan


A High School graduate. Addicted to Music, Web Design, Blogging, Web Development and Photoshop. Loves CSS a lot. Has 3 years of experience with blogging and 2 years with Web Design and Development.
