I have been questioned by my client's security team that our Laravel 5 application is susceptible to a CSRF vulnerability. We have followed all the standard practices described in the Laravel documentation https://laravel.com/docs/5.8/csrf, whereby we have attached the hidden field _token in our forms.
The security team claims that a CSRF attack can happen when the form HTML is copied and saved as name.html and this .html file is executed directly from the browser.
Here is the sample form HTML:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="ourapp.dev/profile/update" method="POST">
<input type="hidden" name="_token" value="1heEqemUlHX2vtj2YcgZfq4UGdY07H9rdeRdgtaweE" />
<input type="hidden" name="_method" value="PUT" />
<input type="hidden" name="first_name" value="John" />
<input type="hidden" name="last_name" value="Doe" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
I am not 100% sure if the claim is valid, as I don't think the attacker can get the CSRF token _token correctly, since the token is unique for each user's session.
Can anyone help to comment on this?
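The point at issue above is that the check is bound to the session, not to the form. The following is an added example, not code from the question or from Laravel itself; it models the comparison that Laravel's VerifyCsrfToken middleware performs (a hash_equals of the submitted _token against the token stored in the server-side session) with a plain array standing in for the session store, and the field names are the ones in the PoC form.

```php
<?php
// Added example: a minimal model of a session-bound CSRF token check.
// The session is a plain array here; in Laravel it lives server-side and is
// selected by the session cookie the browser sends with the request.

/** Create a server-side session with a fresh, random CSRF token. */
function startSession(): array
{
    return ['_token' => bin2hex(random_bytes(20))];
}

/**
 * The submitted _token must equal the token of the session that the request's
 * cookie resolves to. hash_equals is a constant-time comparison, so the check
 * does not leak how many leading characters of the token were right.
 */
function tokensMatch(array $session, array $post): bool
{
    $submitted = $post['_token'] ?? '';
    if (!is_string($submitted) || $submitted === '') {
        return false;
    }
    return hash_equals($session['_token'], $submitted);
}

// Genuine render: the token embedded in the page comes from the same session
// that will later receive the POST.
$victimSession = startSession();
$genuineForm   = ['_token' => $victimSession['_token'], 'first_name' => 'John', 'last_name' => 'Doe'];

// The "saved as name.html" scenario: the static file carries whatever token was
// in the page when it was saved, i.e. the token of the session in which the
// form was captured, which is not the session the victim's cookie selects.
$capturedSession = startSession();
$savedForm       = ['_token' => $capturedSession['_token'], 'first_name' => 'John', 'last_name' => 'Doe'];

// A request that carries no token at all.
$noTokenForm = ['first_name' => 'John', 'last_name' => 'Doe'];

foreach (['same session' => $genuineForm, 'saved form' => $savedForm, 'no token' => $noTokenForm] as $label => $post) {
    printf("%-13s %s\n", $label . ':', tokensMatch($victimSession, $post) ? 'accepted' : 'rejected (419)');
}
```

Run it with `php csrf_check.php` (file name is your choice). The saved form is rejected because its token belongs to the session it was captured in; it would only be accepted in a browser that still holds that same session cookie, which is the tester replaying their own request rather than a third party forging one. The protection therefore rests on the token staying private to the session: a PoC that embeds a token read out of the tester's own logged-in page does not show that an outside origin can obtain it.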
Related
I have someone connecting to my system. From one system, when the user submits the form, I have to get the value of username in my system.
<form action="user/update" method="POST">
<input type="hidden" name="Username" id="Username" value="fazeela.ma@rapidvaluesolutions.com" />
<input type="submit" value="Submit" />
</form>
Which uses a route in my Laravel system.
Route::post('user/update', 'Login\LoginController@test');
But this is giving me a token mismatch error.
How do I do that?
That is a CSRF issue and can be resolved by reading this: https://laravel.com/docs/5.4/csrf.
I work with Symfony 2.0 and I have a view (test.html.php) that contains a form:
<form action="" method="post" rel="">
<input type="hidden" name="action" value="test" />
<input name="myinput" type="text" value=""/>
<input type="submit" class="button" value="Go" />
</form>
This form sends the value of myinput to testAction in ActionController (and it works), but I want to add a validation function with jQuery and/or AJAX to validate the myinput value before sending it to the controller, and I don't know where exactly to integrate it.
Thank you in advance.
You can use HTML5 validation for client-side validation.
If there is a website and I want to write a form that logs me in, how can I do it?
This form logs me in to Stack Overflow:
<form method="post" action="https://stackoverflow.com/users/login">
<input type="hidden" name="email" value="myemail">
<input type="hidden" name="password" value="mypassword">
<input type="submit">
</form>
I want to do so on this website, but the script doesn't work for some reason.
<form method="post" action="http://forums.heroesofnewerth.com/login.php?do=login/">
<input type="hidden" name="vb_login_username" value="myusr">
<input type="hidden" name="vb_login_password" value="mypass">
<input type="submit">
</form>
Any idea why?
OK, it worked. I had to send more data.
<form method="post" action="http://forums.heroesofnewerth.com/login.php" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
<input type="hidden" name="vb_login_username" value="usr">
<input type="hidden" name="vb_login_password" value="pwd">
<input type="hidden" name="do" value="login">
<input type="hidden" name="vb_login_md5password" value="">
<input type="hidden" name="vb_login_md5password_utf" value="">
<input type="hidden" name="s" value="">
<input type="hidden" name="securitytoken" value="guest">
<input type="hidden" name="url" value="http://forums.heroesofnewerth.com/index.php">
<input type="submit">
</form>
A lot of websites on the internet (not nearly enough, though) have protection in place that prevents sites other than their own from posting forms (a log-in form, for example) to their site. A site that does not have this protection is vulnerable to:
Cross Site Request Forgery (CSRF): http://en.wikipedia.org/wiki/Cross-site_request_forgery
This is a major security risk that allows phishing sites to log you in to the actual website while catching your login details and a whole lot of other nasty stuff.
There could also be other protection in place to prevent you from sending a request.
Try to see if there are any APIs available instead for what you are trying to achieve.
I have created a page from where users can upload their files. This code snippet sends those files to my Amazon S3 bucket.
<form action="https://BUCKET.s3-eu-west-1.amazonaws.com/" method="post" enctype="multipart/form-data">
<input type="hidden" name="awsAccessKey" value="ACCESS_KEY">
<input type="hidden" name="awsSecretKey" value="SECRET_KEY">
<input type="hidden" name="acl" value="private">
<input type="hidden" name="policy" value="POLICY">
<input type="hidden" name="signature" value="SIGNATURE">
<input type="hidden" name="Content-Type" value="">
<!-- Include any additional input fields here -->
File to upload to S3:
<input name="file" type="file">
<br>
<input type="submit" value="Upload File to S3">
</form>
Everything works fine, but I am facing HTTPS problems. Major browsers don't trust s3-eu-west-1.amazonaws.com and show a security message about an untrusted connection.
I changed the HTTPS connection to HTTP so that my customers don't face any problem. Does someone have any ideas on how to resolve this issue?
Chances are your bucket name has a dot in it. Amazon's S3 wildcard certificates are good for only one level of subdomain, so bucket.s3-eu-west-1.amazonaws.com is fine but bucket.bucket.s3-eu-west-1.amazonaws.com is not. Use this instead:
https://s3-eu-west-1.amazonaws.com/BUCKET/
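To make the one-label rule concrete, here is an added example (not code from the answer, and not AWS code). It implements the single-label wildcard rule browsers apply to certificate names (a `*.` wildcard matches exactly one DNS label, per RFC 6125) and uses it to pick a form action URL for which the regional wildcard certificate is valid, falling back to the path-style URL from the answer for dotted bucket names. The endpoint format `s3-<region>.amazonaws.com` is taken from the page; the function names are my own.

```php
<?php
// Added example: why a dotted bucket name breaks the virtual-hosted-style
// HTTPS URL, and how to choose a URL the certificate actually covers.

/** Does $hostname match one certificate name, honouring a single-label "*." wildcard? */
function hostMatchesCertName(string $hostname, string $certName): bool
{
    $hostname = strtolower(rtrim($hostname, '.'));
    $certName = strtolower($certName);

    if (strpos($certName, '*') === false) {
        return $hostname === $certName;           // exact name, no wildcard
    }
    // Only a leading "*." is honoured, and only one of them.
    if (strpos($certName, '*.') !== 0 || substr_count($certName, '*') !== 1) {
        return false;
    }
    $suffix = substr($certName, 1);               // e.g. ".s3-eu-west-1.amazonaws.com"
    if (substr($hostname, -strlen($suffix)) !== $suffix) {
        return false;                              // different parent domain
    }
    // Whatever the wildcard stands for must be a single, non-empty label.
    $leftLabel = substr($hostname, 0, strlen($hostname) - strlen($suffix));
    return $leftLabel !== '' && strpos($leftLabel, '.') === false;
}

/** Build an upload URL that the regional wildcard certificate will validate for. */
function s3UploadUrl(string $bucket, string $region): string
{
    $endpoint    = "s3-{$region}.amazonaws.com";      // endpoint form used on the page
    $virtualHost = "{$bucket}.{$endpoint}";

    if (hostMatchesCertName($virtualHost, "*.{$endpoint}")) {
        return "https://{$virtualHost}/";             // virtual-hosted style is fine
    }
    // A dotted bucket name would add a second label under the wildcard, so use
    // path style: the host is then the bare endpoint, which the cert names directly.
    return "https://{$endpoint}/" . rawurlencode($bucket) . "/";
}

foreach (['bucket', 'my.bucket', 'my.other.bucket'] as $bucket) {
    printf("%-16s -> %s\n", $bucket, s3UploadUrl($bucket, 'eu-west-1'));
}
```

Running this prints the virtual-hosted URL for `bucket` and path-style URLs for the two dotted names. The same `hostMatchesCertName` check explains the browser warning the question describes: `bucket.bucket.s3-eu-west-1.amazonaws.com` leaves `bucket.bucket` in the wildcard position, which is two labels, so no name on the certificate matches and the connection is flagged as untrusted.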
I have a very simple form (the file is called message.php):
<?php
print_r($_POST);
?>
<form method="post" target="_top" action="<?php echo CANVAS_URL;?>message.php">
<input type="text" name="your_name" />
<input type="hidden" name="signed_request" value="<?php echo htmlspecialchars($_REQUEST['signed_request'] ?? '', ENT_QUOTES); ?>" />
<input type="submit" name="send" />
</form>
I found one solution to this issue - put a hidden input with the signed_request into the form - and I did it, but unfortunately I am still facing this problem: I cannot retrieve the sent POST data.
If I change the method to method="get", everything works well, but I would need the data from POST.
Could anyone help me, how to solve this problem? Thanks!
Try this. I don't believe you need to use target in FB canvas apps anymore. Also, a form ID would be good.
<form method="POST" id="my_form" action="message.php">
<input type="text" name="your_name" />
<input type="hidden" value="<?php print htmlspecialchars($_POST["signed_request"] ?? '', ENT_QUOTES); ?>" name="signed_request" />
<input type="submit" name="submit" />
</form>
POSTing to Canvas URLs (as in http://apps.facebook.com/namespace) is simply not supported.
But why post to the top window instead of simply staying within the iframe? It's much better, as it doesn't require the entire page to be reloaded, only the iframe.