
checkToken() is not enough check value for CSRF Attack?


  • checkToken() returns true when getToken() was not called in the session

It becomes a true comparison of NULL and NULL between the POST data and the session data. This could be a CSRF vulnerability when only checkToken() is used for input validation.

So checkToken() should check whether those values are falsy, like false, '', or array(), I think.



edited May '14

Why is the form not accepted when I change the token in the browser, if the framework compares NULL and NULL, as you say?

I think you have lost the thread :)

Try checking the data in the form and in the session during GET and POST requests.

P.S. Everything works correctly on the site, in a normal form and in an Ajax form, without obstacles.




It becomes true, as in the following code.

class AdminController extends ControllerBase
{
    public function loginAction()
    {
        if ($this->request->isPost()) {
            // Result of the CSRF check before any token was ever generated
            var_dump($this->security->checkToken());
            exit;
        }
    }
}

$ curl -X POST https://localhost/admin/login
bool(true)

To check after getToken() has been called, write the following code.

class AdminController extends ControllerBase
{
    public function loginAction()
    {
        if ($this->request->isPost()) {
            // Check before a token exists in the session
            var_dump($this->security->checkToken());
            // Generate a token, which stores it in the session
            $this->security->getToken();
            // Check again, now that the session holds a token
            var_dump($this->security->checkToken());
            exit;
        }
    }
}

First, start a session. Second, reuse the session from the first request.

$ curl -X POST https://localhost/admin/login -c test.cookie
bool(true)
bool(false)
$ curl -X POST https://localhost/admin/login -b test.cookie
bool(false)
bool(false)


Accepted answer

Yes, you're right, but not completely. When you send form data, you send the token key with it. If you create a POST curl request with form data and without the token, checkToken works. In this example we expect the form data with email, password and the CSRF token:


// Controller class name assumed from the /admin/test route used below
class AdminController extends ControllerBase
{
    /**
     * @Post("/test")
     */
    public function testAction()
    {
        $this->view->disable();
        $this->session->set('auth', 'yes');
        if ($this->request->isPost()) {
            echo "Check CSRF :", PHP_EOL;
            var_dump($this->security->checkToken());
            echo "POST dump :", PHP_EOL;
            var_dump($this->request->getPost());
            echo "Session dump :", PHP_EOL;
            var_dump($_SESSION);
        }
    }
}

curl -d "[email protected]&password=12345678" https://localhost/admin/test
Check CSRF :
bool(false)
POST dump :
array(2) {
  ["email"]=>
  string(17) "[email protected]"
  ["password"]=>
  string(10) "12345678"
}
Session dump :
array(2) {
  ["privatRsc_started"]=>
  bool(true)
  ["privatRscauth"]=>
  string(3) "yes"
}

and without form data

curl -d "" https://localhost/admin/test
Check CSRF :
bool(true)
POST dump :
array(0) {
}
Session dump :
array(2) {
  ["privatRsc_started"]=>
  bool(true)
  ["privatRscauth"]=>
  string(3) "yes"
}

How dangerous is the query without data?
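As an added example (not code from the Phalcon project or from anyone in this thread), the following standalone PHP script simulates the comparison discussed above: a loose check that accepts NULL == NULL when no token exists on either side, next to a strict check that treats a missing or empty token as a failure. The array-based request and session, the key name csrf_token and the sample cases are constructed for the demonstration.

```php
<?php
// Constructed simulation: $post stands in for the request POST data and
// $session for the session store. The key name is an assumption.
const TOKEN_KEY = 'csrf_token';

// Loose check: if neither side carries a token, both values are null and
// null == null is true, so the request passes without any token at all.
function looseCheckToken(array $post, array $session): bool
{
    $fromPost    = $post[TOKEN_KEY]    ?? null;
    $fromSession = $session[TOKEN_KEY] ?? null;
    return $fromPost == $fromSession;
}

// Strict check: a missing or empty token on either side fails, and the
// comparison is constant-time so the token cannot be probed byte by byte.
function strictCheckToken(array $post, array $session): bool
{
    $fromPost    = $post[TOKEN_KEY]    ?? null;
    $fromSession = $session[TOKEN_KEY] ?? null;
    if (!is_string($fromPost) || $fromPost === ''
        || !is_string($fromSession) || $fromSession === '') {
        return false;
    }
    return hash_equals($fromSession, $fromPost);
}

$token = bin2hex(random_bytes(16));

// Constructed cases: [POST data, session data]
$cases = [
    'no token anywhere (curl -d "")' => [[], []],
    'token only in session'          => [[], [TOKEN_KEY => $token]],
    'empty token in POST'            => [[TOKEN_KEY => ''], [TOKEN_KEY => $token]],
    'wrong token in POST'            => [[TOKEN_KEY => 'x'], [TOKEN_KEY => $token]],
    'matching token'                 => [[TOKEN_KEY => $token], [TOKEN_KEY => $token]],
];

foreach ($cases as $name => [$post, $session]) {
    printf("%-32s loose=%s strict=%s\n", $name,
        var_export(looseCheckToken($post, $session), true),
        var_export(strictCheckToken($post, $session), true));
}
```

Only the first case, the empty POST body from the accepted answer, separates the two checks: the loose check accepts it, the strict one rejects it.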




I understand. It seems to work well when form data is sent.

No Problem, Thanks for reply!




Perhaps a "Delete" button is that case?

This is a good thread with a good explanation - it could be useful for future people that run into the same problem.