TalkPHP
CSRF POST Token Protection
--=[ WHAT IT IS ]=--
Before I get into the details of how to prevent CSRF, let's explain what it actually is. Cross Site Request Forgery (also known as XSRF, CSRF, and Cross Site Reference Forgery) works by exploiting the trust that a site places in a logged-in user's browser. Site tasks are usually linked to specific URLs (example: http://site/stocks?buy=100&stock=ebay), so that a specific action is performed whenever that URL is requested. If a user is logged into the site and an attacker tricks their browser into requesting one of these task URLs, the task is performed and logged as the logged-in user. Typically an attacker embeds HTML or JavaScript into an email or a website that requests the 'task URL' without the user's knowledge, either directly or by using a cross-site scripting flaw; injection via light markup languages such as BBCode is also entirely possible. These attacks are fairly difficult to detect, potentially leaving a user arguing with the website/company over whether the stocks bought the day before were really ordered by the user after the price has plummeted.

Processing a form is of course also possible through CSRF: the attacker builds a form on his own page that contains the same input names as the form he is attacking (example: <input type="text" name="shout" />), and he may auto-submit it with JavaScript so that the user never notices a POST has taken place.



--=[ TOKENS ]=--
In this tutorial I'm going to explain how to create a token and how to check it before a form post is processed. This code uses my user system and is very easy to modify.

Step 1.
Insert this line after every <form method="POST"> that your echo() calls output, assuming the form matters (that is, it performs some action on behalf of the user). Code:
[code=php]echo '<input type="hidden" name="token" value="' . $_SESSION['token'] . '" />';[/code]

Step 2.
Add this code to your config file; comments are included.
Code:
[code=php]if (isset($_USER['id'])) { // your own check for whether a user is logged in
    if (empty($_SESSION['token'])) { // if there is no token set (empty() already covers the !isset case)
        $_SESSION['token'] = strrev(md5($_USER['password'])); // set a token: the reversed md5 hash of the user's password
    }
    // if the page did not define CSRF_PROTECTED as false (an undefined constant is an error in PHP 8, so check defined() first)
    if (!defined('CSRF_PROTECTED') || CSRF_PROTECTED !== false) {
        if ($_POST) { // if a form has been submitted
            // reject if the token field is missing or does not exactly equal the session token
            if (!isset($_POST['token']) || $_POST['token'] !== $_SESSION['token']) {
                header("Location: /index.php"); // redirect to index
                die(); // stops the $_POST data from being processed
            }
        }
    }
} [/code]

Step 3.
For every page that a logged-in user may access but that you do not want CSRF protection on, put this line before your includes of the main config files: [code=php]define("CSRF_PROTECTED", false);[/code]
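The three steps above combined into one self-contained script, as an added example (not the tutorial's own code). It assumes PHP 7 or later and, like the page, that your login code fills a $_USER array; the file name csrf_demo.php and the helper names csrf_enabled(), csrf_token(), csrf_field() and csrf_valid() are mine. It deliberately departs from the page in one respect: the token is random (bin2hex(random_bytes(32))) and issued once per session rather than derived from the user's password hash, so it cannot be predicted from any other stored value, and the comparison uses hash_equals() so that it does not leak timing information.

```php
<?php
// csrf_demo.php (hypothetical file name) - added example, not the page's code.
// Same three steps as the tutorial in one script:
//   1. a hidden token field in every POST form,
//   2. a config-level check that rejects POSTs whose token does not match the session,
//   3. a CSRF_PROTECTED constant a page can define as false to opt out.
// Differs from the page: the token is random instead of password-derived.

session_start();

// Assumption: $_USER is populated by your own login code, as on the page.
// Constructed sample value so the demo behaves as if a user is logged in.
$_USER = array('id' => 42);

// Step 3 equivalent: a page opts out with define("CSRF_PROTECTED", false)
// before this file is included. Undefined means protected.
function csrf_enabled()
{
    return !defined('CSRF_PROTECTED') || CSRF_PROTECTED !== false;
}

// Step 2 equivalent: issue one unpredictable token per session.
function csrf_token()
{
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32)); // 64 hex chars from the CSPRNG
    }
    return $_SESSION['token'];
}

// Step 1 equivalent: the hidden field to echo inside every <form method="POST">.
function csrf_field()
{
    return '<input type="hidden" name="token" value="'
         . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '" />';
}

// True only if a string token was submitted and it equals the session token.
// isset()/is_string() avoid notices or errors when the field is missing or
// was sent as an array; hash_equals() is a constant-time comparison.
function csrf_valid(array $post)
{
    return isset($post['token'])
        && is_string($post['token'])
        && isset($_SESSION['token'])
        && hash_equals($_SESSION['token'], $post['token']);
}

// The check that belongs in the shared config include.
if (isset($_USER['id']) && csrf_enabled() && $_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST)) {
        header('Location: /index.php');
        exit; // nothing below runs, so a forged POST is never processed
    }
}

// Page body: a protected form that carries the token field.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    echo 'Shout accepted: ' . htmlspecialchars($_POST['shout'] ?? '', ENT_QUOTES, 'UTF-8');
} else {
    echo '<form method="POST" action="">'
       . csrf_field()
       . '<input type="text" name="shout" />'
       . '<input type="submit" value="Shout" />'
       . '</form>';
}
```

Load csrf_demo.php in a browser and submit the form: the hidden token travels with the POST and the shout is accepted. To confirm the check fires, send a POST without the token field from a client that has no session cookie (for example `curl -i -d shout=hi http://localhost/csrf_demo.php`, a constructed local URL) and you get the redirect to /index.php instead of the accepted message.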



--=[ CONCLUSION ]=--
This wraps up the tutorial; I hope it has taught you something of moral value =].