I'm developing a website by Zend.
Some people create a html file imitate my login view. Action in form point to my controller to submit.
I don't other login outsite from my websites. So how can I prevent other domains submit form to my controller?
I tried to get request host name of "requester pages" to compare theirs domain with mine, then return error if user login from other sites.
Check the ZF manual for CSRF protection, which is the standard, built-in way to solve this problem.
you could check the refferer if it is in your domain (or empty)
add a hidden input field an generate a token on every display. if the token is wrong, don't continue and redirect them to your login page.
Be sure that every token can only used once, by one user (same session/ip) and only for e.g. 1 hour
EDIT: see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
there would be easiest way to prevent out side users to login into your site
user zend captcha to generate every time new code to login session
you can use below link as reference to use in login page
http://mnshankar.wordpress.com/2010/06/01/zend-form-element-captcha/
Related
I am learning Laravel using "Laravel Code Bright". In the "Form Security" section of this book, it talks about how Laravel generates secret hidden code to prevent "CSRF - Cross Site Request Forgery" when using the Form::Open() method to generate form inputs.
I tried an example to access the route that will process the form using an external form. First I did it without the "before"=>"csrf" filter attached to the route and i got the answer I was expecting, that is the external form was able to access the route.
For the second test, I added the "before"=>"csrf" filter to the route. When i clicked the submit button of the external form, the page kept on loading for a long time and it gave up without showing any results, the page was blank. It means that the "before"=>"csrf" filter prevented this external form from accessing the route.
For my third test, I copied the hidden-token of the original form (by viewing the browser's source code page) and added it to the external form and tried it again and by clicking the submit button this external form gave me the same results as the first test, that is it showed the results meaning that it was able to access the route through the hidden token I added from the original form.
My understanding is that if you add a hidden-token to your forms to prevent "CSRF" and the attacker views the browser's source page and copied the hidden-token and adds it to his form, he can still target your routes, since the hidden-token will always be visible in the browser's view source page.
My question is, is there a better way of preventing "CSRF" even if the attacker copies the hidden-token and adds to his forms?
The external form am using is outside the root folder of Laravel. I also copy the value of the "action" attribute of the original form in order to target the route of the original form. I copy it from the browser's view source page.
Your tests are correct - but your understanding is wrong.
The whole point of CSRF is to prevent a hacker from creating a form on their page that works on your page for another user. They can always copy a form that works for themselves - because they know their own CSRF code - but they can never know another users CSRF code.
Without CSRF:
The way CSRF attacks work is your website has a form to "transfer money". The attacker puts a fake copy of your "transfer money" form on his page.
If User A is logged into your website, and goes to the attackers page, the attacker can trick the user into submitting the "transfer money" form and transfer himself lots of money.
Because User A is logged into your website, the transfer form will work, since they have a valid session. But there is no CSRF check - so the hackers 'copied' form will work for User A.
But with CSRF:
The attacker copies the form from your website - but they dont know the CSRF code for User A. They only know the code for themself. They can basically* never get that code. So when User A submits the 'fake' "transfer money" form on the hacker page - it will fail - since the hacker cannot include the CSRF token since they dont know it.
This is how you protect against CSRF attacks.
I am working with a partner site to embed a form onto my site where users can login to a portal. The portal developer has granted me access to a web-login service in order for me to pass variables from my site to his.
This is the information given How can I make this work in PHP, I have a form with a checkbox, and username and password but don't quite know how to make it pass variables I am not seeing any connection on my end. And I don't know how to set it up where they are redirected to a page on my site when the reset their password any ideas?
I have done this before using a WordPress login and adding it to my main site so I know most of the basics to make it work but what I have applied so far has not worked for me. I guess I need a little nudge in the right direction to get the brain working again.
Thanks in advance.
From the Developer
I am working on a web login service that you could use and have enough done that I can
send you the requirements.
Form Post URL: http://portal.blank.com/services/formlogin.cfm
Form variables:
portallogin - can be any value if present the following form variables are required:
errorurl - URL to be redirected to if an error occured. There will be an "error" url variable present with a human readable error string.
portalurl - (optional) URL to be redirected to if successfully logged in. if not present will be redirected to http://portal.blank.com
username - username of user
password - password of user
agreeterms - can be any value just needs to be present to authenticate
fogotpassword - can be any value if present will lookup password based on email address and password will be emailed
email - email address associated with user
returnurl - URL to be redirected to after running password lookup
An easy method would be to use Snoopy, a PHP class. A harder method (but no less effective) would be to use PHP's cURL functions to post your data to the form. This is assuming you're trying to keep your link to your partner's site hidden from your users.
Alternatively, you could just make a simple HTML form and set the form action to "http://portal.blank.com/services/formlogin.cfm" if you don't care that your users know you're authenticating them against some other site. I'd use https if available.
I need to load the login page of another website (different domain), wait for the user to fill it in and submit it, then read the URL/Location/Querystring for a token parameter to my site and close the login page.
Don't want the username or password, only interested in the returned token (http://www.othersite.com/?token=blahblahblah), which will then be passed as a querystring to a page on my domain (http://www.mydomani.com/loadtoken.php?token=blahblahblah).
Currently, a user has to do this in a separate page, copy and paste the token into my page, since these tokens only have a short life, it's somewhat irritating practice, and if it can be done behind the scenes by the site instead it would make it simpler for everyone.
Reading around on iframes, divs and ajax suggest this is not possible due to security policies, cross site scripting, etc.
Is it possible? What should I be looking for or concentrating on, or can you give some examples.
Thanks for your help.
Edit: Should have said, I understand that it's possible to take the username and password and do a POST behind the scenes, but I really want to avoid making the users give my site their login details to another site, for obvious reasons.
The simplest method is to present the login form on your own site. The form posts to your server, and the handling script then does a CURL request to do its own request to the other server. This sends the login response (which presumably contains that token) to your server.
However, if this token takes the form of a cookie, and the cookie's required for the user to do further operations on their own on this other site, then this won't work. There is absolutely no way for your server to accept the cookie on the user's behalf, then send the cookie to the user in such a way that it appears to have been set by the other server.
The easiest way would be for you to post that form's information to the remote host and have that site send the token to a callback script on your own host.
I need to load the login page of another website (different domain), wait for the user to fill it in and submit it, then read the URL/Location/Querystring for a token parameter to my site and close the login page.
You can't do that
What should I be looking for
OAuth / XAuth (which will require the co-operation of the site you are trying to log in to)
I would like to enable an "auto login" button for my users. By pressing the button the users will be logged in to a different site with the username and password that I have added inside the code.
My site uses php and this site is written on asp.
Is this possible?
Thanks in advance
You'd have to use CURL in PHP in order to send the POST data to your ASP script in the remote site.
Nevertheless, the ASP site might have some inner-validations which can lead to refuse your request, it's worth a try, though!
To set CURL to user POST, check out the setopt CURL function options, you have to set the CURLOPT_POST option to TRUE, but you might find that (depending on the ASP site), you need to activate/deactivate other options.
Cheers!
This depends on the website you're trying to login to.
In a website not using a key-based system for each visitor this can be achieved pretty easily.
First navigate to the page yourself that contains the login form and show it's page source.
Jot down every <input>-tag's name and value and determine which one is the username & password. Also note the form's action to see where the data is going towards.
Now you can use curl to send a user to the website, just inject the post data and apply your own username & password to it.
A. If you don't own the remote site:
Have you tried to post your authentication parameters directly to the ASP.net page? Then you could also try using CURL but either way, be rest assured that the site owner might lock you out anytime by implementing simple CSRF protection.
B. If you own the remote site:
You can share sessions with a unique key using a common database.
I have a login form set up on my domain (eg: www.example.com/login).
When the user enters their login information, I need those details to be passed through a login form on an external website and the user directed to the application that they are logging into.
So to add the user steps to this:
1. User enters login information on www.example.com/login
2. User is directed to and has access to application on www.external.com/application without having to re-enter login details at www.external.com/login
The problem is, I'm not sure how to go about doing this. I found some references to cURL which from what I could gather is the best approach to take.
Any help with this would be appreciated .. I'm a PHP novice! Also ... the application on the external website is ASP.NET (I'm not sure if this has any factor on getting this to work).
Thanks for your help, Mark.
Depending on how your application works, what could work is have your login form on example.com/login point to external.com/application
so your form tag would look like this:
<form action="external.com/application" method="post">
Now your external.com/application will have to be setup to accept the data from the login form. When the form is submitted the browser should direct itself to external.com/application.
This is a possible approach :
On www.example.com/login, do a classic login form which is submitted on itself
On www.example.com/login, when a $_POST is detected :
check that the credentials are good
if yes, store within a table in you db server an hash dedicated to this user (by hashing his id/user/etc... whatever you wish)
redirect to www.external.com/login?hash=the_generated_hash
On www.example.com/verifyHash.php:
create a simple php file that take a hash in $_GET and echo "true" if this hash exists in your db
on www.external.com/login
check that a hash is passed in $_GET
if yes, do a simple $result = file_get_contents("www.example.com/verifyHash.php?hash=$_GET["hash"]");
if the result is true then you can assume that the user has valid credentials.
Of course, you can optimize this whole thing by passing a user id along your hash, by implementing some security when your asking remotly verifyHash, etc...