I've someone connecting to my system. Form one system when user submits the form, I have to get the value of uesrname in my system.
<form action="user/update" method="POST">
<input type="hidden" name="Username" id="Username" value="fazeela.ma#rapidvaluesolutions.com" />
<input type="submit" value="Submit" />
</form>
Which is using a route in may laravel system.
Route::post('user/update', 'Login\LoginController#test');
But this giving me a token mismatch error.
How do I do that?
That is a CSRF issure and can be resolved by reading this: https://laravel.com/docs/5.4/csrf.
Related
I have been questioned by my client's security team that our Laravel 5 application is susceptible CSRF vulnerability. We have followed all the standard practice described in Laravel documentation https://laravel.com/docs/5.8/csrf where by we have attached the hidden field _token in our forms.
The security team claims that CSRF attack can happen when the form html is copy and saved as name.html and execute this .html file directly from browser.
Here is the sample form HTML
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="ourapp.dev/profile/update" method="POST">
<input type="hidden" name="_token" value="1heEqemUlHX2vtj2YcgZfq4UGdY07H9rdeRdgtaweE" />
<input type="hidden" name="_method" value="PUT" />
<input type="hidden" name="first_name" value="John" />
<input type="hidden" name="last_name" value="Doe" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
I am not 100% sure if the claim is valid as I don't think the attacker can get the csrf token _token correctly as the token is unique for each user's session.
Can anyone help to comment on this?
I'm learning Laravel 5.3 and I have made a simple login form which goes like this and is saved in the file login.blade.php under the auth directory in resources/views:
<html>
<body>
<form method="post" action="login">
<input type="text" name="email" placeholder="email" size="40"><br>
<input type="password" name="password" placeholder="password" size="40"><br>
<input hidden name="_token" value="{{csrf_token()}}">
<input type="submit" value="Send">
</form>
</body>
</html>
And in web.php I have added this:
Route::post('/login','Auth\LoginController#login');
Route::post('logout','Auth\LoginController#logout');
So it is very simple and clear ,however whenever I try to login with my correct credentials it won't work and stays in the login page.
Here is the print screen of my users table:
enter image description here
Note that db is already connected and there's no need to mention that..
did you hashed the password with bcrypt command?
Indeed, you need to hash your password by using bcrypt() function when using laravel out of the box Authentication and when using Auth: Auth::attempt().
I'm trying to login to a site and from there i want to send a message with the form available there. It looks like
<form method="POST" action="pm.php">
To: <input type="text" name="user" />
<input type="hidden" name="pm_tid" value="ef0gjpmgwag5g21agjg" />
<input type="hidden" name="box" value="new" />
Subject: <input type="text" name="subject" />
message: <textarea name="text"></textarea>
<input type="submit" value="Send" />
</form>
I managed to enter the login and to the page where is the message send form but in that html code you can see that there is a hidden random hash value which changes after every reload. I want to get that correctly and post in the form. Only then my message will be sent. Please don't say that it's IMPOSSIBLE. It is possible. One of my classmate succeeded in it but he is not helping me.
Please try to help me.
This looks like CSRF protection. The usual implementation for this is to store the token in a cookie (or server session if a session token cookie is used) and then compare it to the token in the form.
You need to:
request the HTML document containing the form
store the cookies you get at the same time (assuming that they come with the form)
parse the html to get the token from the input
make the request to pm.php including the token and the cookie
Let's say I have a form that looks like this:
<form action="/script.php" method="post">
<input name="my_input" length="80" />
<input type="submit" value="submit" />
</form>
Now I also want to include a numeric identifier - call it a ticket id. "Here's the ticket history, do you want to add something?" The user can't modify that.
My question is...what is the safest way to get that ticket id in the form submission?
No problem accomplishing it, but my question is around security. So here are the ways to get a variable back that I can think of:
<form action="/script.php" method="post">
<input name="my_input" length="80" />
<input type="hidden" name="ticket_id" value="12345" />
<input type="submit" value="submit" />
</form>
or
<form action="/script.php?ticket_id=12345" method="post">
<input name="my_input" length="80" />
<input type="submit" value="submit" />
</form>
I'm concerned that someone could craft a malicious POST and submit it and append their comments to a different ticket. i.e., compose a POST from their own server/browser/tool. If I was doing this with GET then they certainly could do that just by changing the url vars - it's possible to do that also with POST too, right?
I can check that the user owns that ticket of course and do some other validation, but fundamentally, how do you present data to a user and safely get it back again in an HTML form?
Is there something other than creating a unique serial number ("FORM 12345 should present ticket id 6789") record on the server side and then checking it back?
I'm using PHP & MySQL on the backend though I'm not sure my question is specific to those technologies.
use session
form.php
<?
session_start();
$_SESSION['ticket_id'] = '1234';
?>
script.php
<?
session_start();
$ticket_id = $_SESSION['ticket_id'];
?>
I have very simple form (the file is called message.php):
<?php
print_r($_POST);
?>
<form method="post" target="_top" action="<?php echo CANVAS_URL;?>message.php">
<input type="text" name="your_name" />
<input type="hidden" name="signed_request" value="<?php echo $_REQUEST['signed_request'];?>" />
<input type="submit" name="send" />
</form>
I found one solution of this issue - put into the form hidden input with the signed_request - I did it but unfortunately I am still facing with this problem -- I cannot retrieve sent POST data.
If I change the method to method="get", everything is working well, but I would need to data from POST.
Could anyone help me, how to solve this problem? Thanks!
Try this. I don't believe you need to use target in FB canvas aps anymore. Also a form ID would be good.
<form method="POST" id="my_form" action="message.php">
<input type="text" name="your_name" />
<input type="hidden" value="<?php print $_POST["signed_request"] ?>" name="signed_request" />
<input type="submit" name="submit" />
</form>
POSTing to Canvas URLs (as in http://apps.facebook.com/namespace) is simply not supported.
But why post to the top window instead of simply staying within the iframe? It's way better as it doesn't require the entire page to be reloaded, only the iframe.