Secure your website using CSRF – PHP

Cross site request forgery (CSRF) is a form of attack where are person sends an unwanted action as if he is a logged in user.

A successful CSRF attack can result in access to unauthorized data, changing passwords of other users and stealing browser cookies or session data.

CSRF attacks are typically conducted by sending an email or message on social media. As the victim is authenticated at that time, the attacker can easily sends a request to get the information, and the server responds as it is being requested by real user.

We will be creating 3 files csrf.php which contains all the login for CSRF protected, form.php which will be using to submit form in a secure way and submit.php which will be receiving and validating the user input.

Start off by starting a session and creating a simple PHP class:

csrf.php

<?php
    session_start();
    class CSRF
    {
    	//
    }
?>

Then, create a method to generate a unique special token for authenticated user:

<?php
    session_start();
    class CSRF
    {
    	public static function create_token()
    	{
    	    // Generating a unique token
    	    $token = md5(time());

    	    // Saving the token in session
    	    $_SESSION["token"] = $token;

    	    // Creating a hidden input field with that unique input
    	    echo "<input type='hidden' name='csrf_token' value='" . $token . "' />";
    	}
    }
?>

Above function will be used to create a token, now create a function to validate the token:

public static function validate_token($token)
{
    //
}

First check if the token exists in session, if not then it is an attempt from attacker:

public static function validate_token($token)
{
    if (!isset($_SESSION["token"]))
    {
        return false;
    }
}

Second, you need to check if the $token matches with the one in the session, if not then it is an attempt from attacker:

if ($_SESSION["token"] != $token)
{
    return false;
}
return true;

At this point, your csrf.php file should be like this:

<?php
    session_start();
    class CSRF
    {
    	public static function create_token()
    	{
    	    // Generating a unique token
    	    $token = md5(time());

    	    // Saving the token in session
    	    $_SESSION["token"] = $token;

    	    // Creating a hidden input field with that unique input
    	    echo "<input type='hidden' name='csrf_token' value='" . $token . "' />";
    	}

    	public static function validate_token($token)
        {
            if (!isset($_SESSION["token"]))
            {
                return false;
            }

            if ($_SESSION["token"] != $token)
            {
                return false;
            }
            return true;
        }
    }
?>

Now in form.php, first you have to include the csrf.php file:

<?php
    require_once "csrf.php";
?>

Then create a simple form and add that csrf_token inside that form:

<form method='POST' action='submit.php'>
    <?php CSRF::create_token(); ?>
</form>

Below this CSRF token line inside the form, you can add all your form fields:

<form method='POST' action='submit.php'>
    <?php CSRF::create_token(); ?>
    <input type="text" name="first_name" placeholder="Enter first name" />
    <input type="submit">
    .......
</form>

When you submit the form, csrf_token field also being sent along with other data. We will be using that field to validate the request. Now, create a 3rd file named submit.php:

submit.php

<?php
    require_once "csrf.php";

    // Validating the request
    if (CSRF::validate_token($_POST["csrf_token"]))
    {
    	echo "Process";
    }
    else
    {
    	echo "Error";
    }
?>

Now, execute the form.php file and try to change the csrf_token field by inspect element, and you will see that it will disallow all unauthenticated requests from any other person.

Leave a Reply

Please disable your adblocker or whitelist this site!