CODEWITHSUNDEEP
phpformssecuritycsrf
Sandman112
Sandman112

Reputation: 65

csrf ... php form security

I'm creating a site with a number of different access levels, from basic user thru to admin level (5 in total)

manager and admin levels will have the option to add new users at a level equal to or lower than they are, this is done via a drop down box on the createNewUser page, I've already restricted that to only show less than or equal to their own access level ... however ... what I'm trying to stop is this ...

user loads up the site, gets a copy of the form form the source (including the CSRF token) creates a simple HTML form on there desktop modifies the access level settings and they could in effect very easily create an admin level account ...

is there a way to stop this using CSRF ... or should I just rely on the origin to stop it from coming from an 'off server' source

I would also appreciate some tips on best practice when setting up the CSRF for this ...

there are also other forms on the site that have similar functions so I think this needs to be a per form solution

cheers ... ohh and keep it simple if possible :)

Upvotes: 2

Views: 658

Answers (2)

user149341
user149341

Reputation:

is there a way to stop this using CSRF ... or should I just rely on the origin to stop it from coming from an 'off server' source

No, neither approach would work. A user could just as easily inject new values using the web inspector, or by copying a CSRF token from the real page.

CHECK YOUR INPUTS!! If a user tries to add a new user, look at their permissions before letting them proceed. Don't depend on the input form to apply those restrictions.

Applying CSRF checks is still a good idea for other reasons (e.g, to prevent a malicious web site from hijacking an admin's session), but it cannot protect you from an authorized user.

Upvotes: 2

Adnan
Adnan

Reputation: 111

this is what I'm using, i hope it's good solution

on main page i start session and generate session token

session_start();

    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }

I'm using bin2hex but you can try other hash methods too.

on login php page add this

if (isset($_POST['Login']) && !empty($_POST['token'])) {
    if (hash_equals($_SESSION['token'], $_POST['token'])) {

    //execute script
    }
}

check if session token started and if matches the html input value.

add this hidden token input to your html form for $_POST['token'] 

<input type="hidden" name="token" value="<?php echo $_SESSION['token'];?>">

Upvotes: 0

Related Questions