
Try to test this on Codeigniter project

Open navotera opened this issue 6 years ago • 10 comments

I tried to implement this on my CI project but always get those 403 error codes.

Here's my setup:

  1. I already installed it in vendor
  2. Put the on the master view of my project /view/layout_master
  3. Set up the jsURL absolute path; the path is correct since I can open it in the browser

The problems I got are:

  1. I never find any additional tag in my view-source in the browser that was created by this library
  2. Yes, I found the new session cookie named csrfp_token in the cookies inspector

But still I got the 403 error... I tried to put csrfProtector::init() on the controller that receives the request, but still nothing worked out.

Here's my config:

*/
return [
    "CSRFP_TOKEN" => "",
    "logDirectory" => "../log",
    "failedAuthAction" => [
        "GET" => 0,
        "POST" => 0
    ],
    "errorRedirectionPage" => "",
    "customErrorMessage" => "",
    "jsUrl" => "http://localhost/perpustakaan/assets/js/csrfprotector.js",
    "tokenLength" => 10,
    "cookieConfig" => [
        "path" => '',
        "domain" => '',
        "secure" => false,
        "expire" => '',
    ],
    "disabledJavascriptMessage" => "This site attempts to protect users against <a href=\"https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29\"> Cross-Site Request Forgeries </a> attacks. In order to do so, you must have JavaScript enabled in your web browser otherwise this site will fail to work correctly for you. See details of your web browser for how to enable JavaScript.",
    "verifyGetFor" => [],
];

navotera avatar May 27 '18 02:05 navotera

@navotera Thanks for sharing ample detail around the issue.

> I never find any additional tag in my view-source in the browser that was created by this library

The work is done by JavaScript, which attaches the data as the request is sent.

Can you check the network tab in your developer tools to validate that the tokens are going with the request? Also, can you tell me more about the type of request that is failing: is it a normal form submission, an ajax call, a file upload, or something else?

mebjas avatar May 30 '18 21:05 mebjas

  1. This is a normal (non-ajax) form POST, not an upload form.
  2. Why can't I find any JavaScript embedded in my view? Seems like there isn't any.
  3. This is another question. I pentested my app with Netsparker; why does Netsparker say that session-based CSRF is not recommended for security? (Sorry, I cannot reproduce the recommendation screenshot.) I'm still learning pentesting, but can you comment on this?

> Can you check the network tab in your developer tools to validate that the tokens are going with the request? Also, can you tell me more about the type of request that is failing: is it a normal form submission, an ajax call, a file upload, or something else?

Please tell me how I can check the network tab in developer tools if it is not an ajax request? I think it would not be possible to check the network request in the browser if the form submit is not ajax, CMIIW.

navotera avatar May 30 '18 23:05 navotera

Can you test this with a very simple CI page and share the source generated with me?

mebjas avatar Jun 01 '18 15:06 mebjas

Here you are bro..... ci-csrf.zip

Hope it helps.

navotera avatar Jun 02 '18 01:06 navotera

I have tested the same in CodeIgniter. For ajax calls, the tokens are not going along with the request? I get a 403 Forbidden error as a response.

kanapuli avatar Jun 26 '18 10:06 kanapuli

Looking into it

mebjas avatar Jun 29 '18 09:06 mebjas

@mebjas I just tested in CodeIgniter again. I get a CSRF token in the initial GET request when the page loads for the first time. My doubt is whether this same initial token will be attached to all XHR and form requests originating from the same page. As far as I have observed, sometimes the same token is attached to the request and sometimes the CSRF token is randomized. How does this happen? But the ajax requests are validated and passing.

But the ajax request initiated like the following has failed:

var jQuery_1_10 = $.noConflict(true);
jQuery_1_10(document).ready(function() {
    jQuery_1_10('#audit').DataTable({
        "processing": true,
        "serverSide": true,
        "bFilter": false,
        "bSort": false,
        "bLengthChange": false,
        "iDisplayLength": 50,
        "ajax": {
            "url"  : site.baseUrl + "/audit_log/get_data",
            "type" : "POST"
        }
    });
});

Why so?

kanapuli avatar Jan 11 '19 06:01 kanapuli

@kanapuliAthavan this library works on a per-request token model. Hence, for each request that gets successfully consumed, the token is reset and sent back in the cookie header, which, with respect to the browser, is a global entity for a given host name.

mebjas avatar Jan 11 '19 17:01 mebjas

@mebjas Any idea why the above jQuery request fails?

kanapuli avatar Jan 13 '19 14:01 kanapuli

@kanapuliAthavan can you post here a screenshot of this request as sent, from the network debugger? I am interested in the headers and the params sent. Feel free to mask any confidential data.

mebjas avatar Jan 15 '19 10:01 mebjas