From 61777116a9721be9076b7cf5eb118a4a22fcb119 Mon Sep 17 00:00:00 2001 From: Marcus Hill Date: Sun, 1 May 2022 18:43:53 +0100 Subject: [PATCH] CSRF Token Upon login, issue the user a CSRF token (in their session). This token should be provided when completing sensitive actions (e.g. deleting companies/clients, changing their password, etc.) Ref: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern --- client_delete_modal.php | 2 +- companies.php | 2 +- functions.php | 14 ++++++++++++++ login.php | 3 +++ post.php | 20 +++++++++++++++++++- settings-user.php | 1 + user_add_modal.php | 1 + user_archive_modal.php | 2 +- user_edit_modal.php | 1 + 9 files changed, 42 insertions(+), 4 deletions(-) diff --git a/client_delete_modal.php b/client_delete_modal.php index df047c83..c3edb244 100644 --- a/client_delete_modal.php +++ b/client_delete_modal.php @@ -22,7 +22,7 @@ - Yes, Delete! + Yes, Delete! diff --git a/companies.php b/companies.php index fb71a6b2..614b7c66 100644 --- a/companies.php +++ b/companies.php @@ -101,7 +101,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); Archive - Delete + Delete diff --git a/functions.php b/functions.php index 50f6bad0..7e4006f1 100644 --- a/functions.php +++ b/functions.php @@ -405,4 +405,18 @@ function getDomainExpirationDate($name){ return '0000-00-00'; } +// Cross-Site Request Forgery check for sensitive functions +// Validates the CSRF token provided matches the one in the users session +function validateCSRFToken($token){ + if(hash_equals($token, $_SESSION['csrf_token'])){ + return true; + } + else{ + $_SESSION['alert_type'] = "warning"; + $_SESSION['alert_message'] = "CSRF token verification failed. Try again, or log out to refresh your token."; + header("Location: index.php"); + exit(); + } +} + ?> diff --git a/login.php b/login.php index 1567ab4e..3f013a72 100644 --- a/login.php +++ b/login.php 
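Review bot: validateCSRFToken() in the functions.php hunk hands the caller-supplied value to hash_equals() unguarded, and the callers pass `$_POST['csrf_token']` / `$_GET['csrf_token']` straight through, so a missing or array-valued parameter reaches hash_equals() as null or an array and raises a TypeError on PHP 8 (a warning plus false on PHP 7) instead of taking the redirect branch; the same happens when `$_SESSION['csrf_token']` is absent for a session that predates this change. hash_equals() also expects the known string first and the user-supplied string second. Guarding both inputs keeps the check fail-closed on the existing else branch: `if(is_string($token) && isset($_SESSION['csrf_token']) && hash_equals($_SESSION['csrf_token'], $token)){`. A one-line docblock stating that the function never returns on failure (it redirects and exits) would help callers who might otherwise test its return value.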
@@ -63,6 +63,9 @@ if(isset($_POST['login'])){
 $user_name = $row['user_name'];
 $user_id = $row['user_id'];
 
+ // CSRF Token
+ $_SESSION['csrf_token'] = keygen();
+
 // Setup encryption session key
 if (isset($row['user_specific_encryption_ciphertext']) && $row['user_role'] > 1) {
 $user_encryption_ciphertext = $row['user_specific_encryption_ciphertext'];
diff --git a/post.php b/post.php
index 8e4c9ebc..d3263fbe 100644
--- a/post.php
+++ b/post.php
@@ -58,6 +58,9 @@ if(isset($_POST['add_user'])){
 exit();
 }
 
+ // CSRF Check
+ validateCSRFToken($_POST['csrf_token']);
+
 $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
 $email = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['email'])));
 $password = password_hash($_POST['password'], PASSWORD_DEFAULT);
@@ -140,6 +143,9 @@ if(isset($_POST['edit_user'])){
 exit();
 }
 
+ // CSRF Check
+ validateCSRFToken($_POST['csrf_token']);
+
 $user_id = intval($_POST['user_id']);
 $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
 $email = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['email'])));
@@ -238,6 +244,9 @@ if(isset($_POST['edit_profile'])){
 exit();
 }
 
+ // CSRF Check
+ validateCSRFToken($_POST['csrf_token']);
+
 $user_id = intval($_POST['user_id']);
 $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
 $email = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['email'])));
@@ -375,6 +384,9 @@ if(isset($_GET['archive_user'])){
 exit();
 }
 
+ // CSRF Check
+ validateCSRFToken($_GET['csrf_token']);
+
 // Variables from GET
 $user_id = intval($_GET['archive_user']);
 $password = password_hash(key32gen(), PASSWORD_DEFAULT);
@@ -695,6 +707,9 @@ if(isset($_GET['delete_company'])){
 exit();
 }
 
+ // CSRF Check
+ validateCSRFToken($_GET['csrf_token']);
+
 $company_id = intval($_GET['delete_company']);
 
 //Get Company Name
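Review bot: The token issued at `$_SESSION['csrf_token'] = keygen();` in the login.php hunk is only as unpredictable as keygen(), which is defined outside this hunk; if it does not draw from random_bytes() or another CSPRNG, the session token should come from `bin2hex(random_bytes(32))` directly. It is also worth confirming that this login path calls `session_regenerate_id(true)` before the token is stored, since the token is bound to the session and should not be carried over from a pre-login session. Nothing in the hunk shows either, so this is a point to verify rather than a confirmed defect; the enclosing login block starts before the hunk and continues after it.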
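Review bot: `validateCSRFToken($_POST['csrf_token']);` in the add_user hunk of post.php reads the key without a guard, so a request that omits it produces an undefined-index notice and passes null to the helper rather than a string; `validateCSRFToken($_POST['csrf_token'] ?? '');` gives the comparison a string and still fails closed. The same applies to the edit_user and edit_profile hunks and to the `$_GET['csrf_token']` reads in the archive_user, delete_company and delete_client hunks (the last of these is on the following physical line). For those GET-driven actions the token travels in the query string, which browser history, Referer headers and access logs retain; the cheat sheet cited in the commit message recommends carrying the token in the POST body, so moving these destructive links to small POST forms is a worthwhile follow-up. Each enclosing if-block starts before its hunk and continues after it.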
@@ -760,7 +775,7 @@ if(isset($_GET['delete_company'])){ $_SESSION['alert_type'] = "danger"; $_SESSION['alert_message'] = "Company $company_name deleted"; - header("Location: logout.php"); + header("Location: post.php?logout"); } @@ -1456,6 +1471,9 @@ if(isset($_GET['delete_client'])){ exit(); } + // CSRF Check + validateCSRFToken($_GET['csrf_token']); + $client_id = intval($_GET['delete_client']); //Get Client Name diff --git a/settings-user.php b/settings-user.php index 695dc40a..147ac6c4 100644 --- a/settings-user.php +++ b/settings-user.php @@ -21,6 +21,7 @@ $sql_recent_logs = mysqli_query($mysqli,"SELECT * FROM logs
+ diff --git a/user_add_modal.php b/user_add_modal.php index 8926cf7e..87ca612f 100644 --- a/user_add_modal.php +++ b/user_add_modal.php @@ -8,6 +8,7 @@
+ diff --git a/user_edit_modal.php b/user_edit_modal.php index c158b4fd..08f5a4a9 100644 --- a/user_edit_modal.php +++ b/user_edit_modal.php @@ -8,6 +8,7 @@ + ">