Solved thread


checkToken() is not enough check value for CSRF Attack?


  • checkToken() is true when getToken() was not called on one session

It becomes a true comparison of NULL and NULL between the POST data and the session data. This could be a CSRF vulnerability when checkToken() alone is used for input validation.

So checkToken() should check whether those values are falsy, like false, '', or array(), I think.



edited May '14

Why is the form not accepted when I change the token in the browser, if the framework compares NULL and NULL as you say?

I think you have lost the thread :)

Try checking the data in the form and in the session during GET and POST requests.

P.S. Everything works right on the site, in usual forms and Ajax forms without obstacle.




It becomes true, as in the following code.

class AdminController extends ControllerBase
{
    public function loginAction()
    {
        if ($this->request->isPost()) {
            // getToken() has never been called in this session, so no token exists yet
            var_dump($this->security->checkToken());
            exit;
        }
    }
}

$ curl -X POST http://localhost/admin/login
bool(true)

To check after getToken() was called, write the following code.

class AdminController extends ControllerBase
{
    public function loginAction()
    {
        if ($this->request->isPost()) {
            // before a token is issued
            var_dump($this->security->checkToken());
            // issue a token into the session
            $this->security->getToken();
            // after a token exists in the session, but none was posted
            var_dump($this->security->checkToken());
            exit;
        }
    }
}

First, start a session. Second, reuse the session from the first request.

$ curl -X POST http://localhost/admin/login -c test.cookie
bool(true)
bool(false)
$ curl -X POST http://localhost/admin/login -b test.cookie
bool(false)
bool(false)


Accepted answer

Yes, you're right, but not completely. When you send form data, you send the token key with it. If you create a POST curl request with form data and without the token, checkToken works. In this example we expect the form data with email, password and the CSRF token:

    /**
     * @Post("/test")
     */
    public function testAction() {
        $this->view->disable();
        $this->session->set('auth', 'yes');
        if ($this->request->isPost()) {
            echo "Check CSRF :", PHP_EOL;
            var_dump($this->security->checkToken());
            echo "POST dump :", PHP_EOL;
            var_dump($this->request->getPost());
            echo "Session dump :", PHP_EOL;
            var_dump($_SESSION);
        }
    }

curl -d "[email protected]&password=12345678" http://localhost/admin/test
Check CSRF :
bool(false)
POST dump :
array(2) {
  ["email"]=>
  string(17) "[email protected]"
  ["password"]=>
  string(10) "12345678"
}
Session dump :
array(2) {
  ["privatRsc_started"]=>
  bool(true)
  ["privatRscauth"]=>
  string(3) "yes"
}

and without form data:

curl -d "" http://localhost/admin/test
Check CSRF :
bool(true)
POST dump :
array(0) {
}
Session dump :
array(2) {
  ["privatRsc_started"]=>
  bool(true)
  ["privatRscauth"]=>
  string(3) "yes"
}

How dangerous is the query without data?
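The loose comparison the thread describes (no token issued in the session, no token in the POST body) can be reproduced without the framework. The following is an added example, not code from the thread's posts or from the Phalcon project: it uses plain PHP with a constructed session array and POST array (the key name csrf_token is hypothetical) and puts a loose check beside a strict one that refuses empty or missing values and compares in constant time.

```php
<?php
// Added example, not from the Phalcon project or the thread's posts.
// Session and POST arrays are constructed inline; the key name
// 'csrf_token' is a hypothetical choice for this demonstration.

/**
 * Loose check: mirrors the behaviour the thread describes, where a
 * missing session token and a missing POST token compare equal
 * (in PHP, null == null and null == '' are both true).
 */
function looseCheckToken(array $session, array $post): bool
{
    $sessionToken = $session['csrf_token'] ?? null;
    $postToken    = $post['csrf_token'] ?? null;
    return $sessionToken == $postToken;
}

/**
 * Strict check: both values must be non-empty strings, and they are
 * compared with hash_equals() so a mismatch does not leak timing.
 * "No token issued" or "no token sent" is therefore a failure.
 */
function strictCheckToken(array $session, array $post): bool
{
    $sessionToken = $session['csrf_token'] ?? null;
    $postToken    = $post['csrf_token'] ?? null;
    if (!is_string($sessionToken) || $sessionToken === '' ||
        !is_string($postToken)    || $postToken === '') {
        return false;
    }
    return hash_equals($sessionToken, $postToken);
}

/** Issue a fresh token into the session, as rendering a form would. */
function issueToken(array &$session): string
{
    $token = bin2hex(random_bytes(16));
    $session['csrf_token'] = $token;
    return $token;
}

// Case 1: no form rendered yet (no token issued) and an empty POST body,
// like `curl -X POST` with no data in the thread.
$session = [];
$post    = [];
echo "empty session, empty POST:", PHP_EOL;
var_dump(looseCheckToken($session, $post));
var_dump(strictCheckToken($session, $post));

// Case 2: form rendered, and the token is submitted together with the form.
$token = issueToken($session);
$post  = ['email' => 'user@example.test', 'password' => '12345678', 'csrf_token' => $token];
echo "token issued and posted:", PHP_EOL;
var_dump(looseCheckToken($session, $post));
var_dump(strictCheckToken($session, $post));

// Case 3: form rendered, but the posted token was changed in the browser.
$post['csrf_token'] = 'changed';
echo "token issued, posted value altered:", PHP_EOL;
var_dump(looseCheckToken($session, $post));
var_dump(strictCheckToken($session, $post));
```

Run it with `php` from the command line. In the first case the loose check accepts the empty request while the strict check rejects it; in the second both accept the matching token; in the third both reject the altered value, which matches what the thread observes when a token is changed in the browser. The practical takeaway is the one the original poster suggested: treat a missing or empty token on either side as a failed check rather than relying on the comparison alone.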




I understand. It seems to work well when form data is sent.

No problem, thanks for the reply!




Perhaps a "Delete" button is that case?

This is a good thread with a good explanation - it could be useful for future people who run into the same problem.