Cross-site request forgeries

A cross-site request forgery (CSRF) is an attack in which unauthorized commands are performed on behalf of an authenticated user, without that user's intent.

Let's test it.

We have a form where we accept an email address from an authenticated user.

Url: https://localhost/csrf_form

<!DOCTYPE HTML>
<html>
<body>
<?php
// Handles the posted email with no check on where the request came from.
$email = $_POST['email'] ?? '';
echo htmlspecialchars($email, ENT_QUOTES, 'UTF-8');
?>
</body>
</html>

 

But what if someone else, who is not authenticated, submits that form from a page of their own?

Url:https://localhost/csrf_attack

<form action="https://localhost/csrf_form/index.php" method="POST">
    <input type="email" name="email" value="navid@gmail.com">
</form>
<script>
    // Submits the form as soon as the page loads, with no click from the user.
    document.forms[0].submit();
</script>

 

The browser is sent to

https://localhost/csrf_form/index.php

and the response shows "navid@gmail.com".

 

This is a very simple CSRF attack.
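The usual fix for the plain-PHP handler above is a per-session random token that the attacker's page cannot read. The following is an added example, not code from the original post: the same email form, with the token stored in the PHP session, echoed into a hidden field, and compared in constant time on every POST. The field name `_token` and the 419 status follow Laravel's convention but nothing here depends on the framework.

```php
<?php
// Added example: the email form hardened against CSRF with a per-session token.
// Plain PHP, no framework assumed.
session_start();

// Issue a random token once per session; a third-party page cannot read it.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// Compare the submitted token with the session copy in constant time.
function csrfTokenIsValid(?string $submitted, string $expected): bool
{
    return is_string($submitted) && hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfTokenIsValid($_POST['_token'] ?? null, $_SESSION['csrf_token'])) {
        http_response_code(419); // the status Laravel uses for a token mismatch
        exit('CSRF token mismatch');
    }
    $email = $_POST['email'] ?? '';
    // Escape on output so a crafted value cannot inject HTML.
    echo htmlspecialchars($email, ENT_QUOTES, 'UTF-8');
    exit;
}
?>
<!DOCTYPE html>
<html>
<body>
<form action="" method="POST">
    <input type="hidden" name="_token"
           value="<?= htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8') ?>">
    <input type="email" name="email">
    <button type="submit">Send</button>
</form>
</body>
</html>
```

With this in place the auto-submitting page from the previous section still reaches the handler, but its POST carries no `_token` (or a guessed one), so the handler stops before echoing anything. A `SameSite=Lax` session cookie (`session_set_cookie_params(['samesite' => 'Lax'])` on PHP 7.3 and later) is a useful second layer, since it keeps the browser from attaching the session cookie to a cross-site POST in the first place.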

 

Does Laravel generate a CSRF token?

Yes. Laravel automatically generates a CSRF token for each active user session.

This token is regenerated each time a new session starts.

How can we get this token from Laravel?

There are two ways to get this token:

1. From the request's session

$token = $request->session()->token();

2. From the csrf_token() helper

csrf_token()

 

How do you include the CSRF token in a form in Blade?

  1. @csrf
  2. <input type="hidden" name="_token" value="{{ csrf_token() }}" />

 

So how does Laravel actually verify the CSRF token?

The App\Http\Middleware\VerifyCsrfToken middleware automatically checks whether the token sent with the request and the token stored in the session are the same.

Excluding URIs from CSRF protection:

Using the protected $except property of App\Http\Middleware\VerifyCsrfToken we can exclude URIs from the check.

protected $except = [
    'http://localhost/admin',
];
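To make the middleware's decision readable in one place, here is an added example that is not Laravel's own code: a standalone model of what VerifyCsrfToken does, with the request reduced to a plain array. It covers the read-only methods that are never checked, the $except patterns, the three places the token may arrive from (the `_token` field, the `X-CSRF-TOKEN` header, and the encrypted `X-XSRF-TOKEN` header), and the constant-time comparison. The `$decrypt` callable is a stand-in for Laravel's Encrypter and only strips a marker; the session token and requests are constructed.

```php
<?php
// Added example (not Laravel's code): a standalone model of the checks made by
// App\Http\Middleware\VerifyCsrfToken. Requests are plain arrays here.

// Does the request path match an entry in $except? '*' is a wildcard. Laravel
// additionally compares each pattern against the full URL, which is why the
// $except snippet above can hold 'http://localhost/admin'.
function inExceptArray(string $path, array $except): bool
{
    foreach ($except as $pattern) {
        $pattern = $pattern === '/' ? $pattern : trim($pattern, '/');
        $regex = '#^' . str_replace('\*', '.*', preg_quote($pattern, '#')) . '\z#u';
        if ($pattern === $path || preg_match($regex, $path)) {
            return true;
        }
    }
    return false;
}

// Where the token may come from, in the order Laravel checks: the _token form
// field, then the X-CSRF-TOKEN header, then the X-XSRF-TOKEN header, which
// carries the encrypted cookie value and must be decrypted first.
// $decrypt stands in for Laravel's Encrypter (hypothetical callable).
function tokenFromRequest(array $request, callable $decrypt): ?string
{
    $token = ($request['input']['_token'] ?? null) ?: ($request['headers']['X-CSRF-TOKEN'] ?? null);
    if (!$token && isset($request['headers']['X-XSRF-TOKEN'])) {
        $token = $decrypt($request['headers']['X-XSRF-TOKEN']);
    }
    return is_string($token) ? $token : null;
}

// The decision: read-only methods and excluded URIs pass; everything else needs
// a token equal to the session token, compared in constant time.
function requestIsAllowed(array $request, string $sessionToken, array $except, callable $decrypt): bool
{
    if (in_array($request['method'], ['HEAD', 'GET', 'OPTIONS'], true)) {
        return true;
    }
    if (inExceptArray($request['path'], $except)) {
        return true;
    }
    $token = tokenFromRequest($request, $decrypt);
    return $token !== null && hash_equals($sessionToken, $token);
}

// Constructed session token and a stand-in "decrypt" that only strips a marker.
$sessionToken = 'constructed-session-token';
$decrypt = fn(string $v): string => substr($v, strlen('enc:'));

$except = ['admin/*'];
$cases = [
    'form field'     => ['method' => 'POST', 'path' => 'profile',     'input' => ['_token' => $sessionToken], 'headers' => []],
    'csrf header'    => ['method' => 'POST', 'path' => 'profile',     'input' => [], 'headers' => ['X-CSRF-TOKEN' => $sessionToken]],
    'xsrf header'    => ['method' => 'POST', 'path' => 'profile',     'input' => [], 'headers' => ['X-XSRF-TOKEN' => 'enc:' . $sessionToken]],
    'forged token'   => ['method' => 'POST', 'path' => 'profile',     'input' => ['_token' => 'forged'], 'headers' => []],
    'excluded uri'   => ['method' => 'POST', 'path' => 'admin/users', 'input' => [], 'headers' => []],
];
foreach ($cases as $name => $c) {
    echo str_pad($name, 14), ': ', requestIsAllowed($c, $sessionToken, $except, $decrypt) ? 'allowed' : 'rejected', PHP_EOL;
}
```

The last case is the one to keep in mind when editing $except: a POST to an excluded URI is allowed with no token at all, so every entry there is a route that has given up CSRF protection and needs some other safeguard (a signed webhook, an API token) in its place.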

 

X-CSRF-TOKEN:

The VerifyCsrfToken middleware also checks for the token in the X-CSRF-TOKEN request header. We can store the token in a meta tag in the page head:

<meta name="csrf_token" content="{{ csrf_token() }}">

Then, using the jQuery library, we can add this token to the headers of every AJAX request:

$.ajaxSetup({
    headers: {
        'X-CSRF-TOKEN': $('meta[name="csrf_token"]').attr('content')
    }
});

 

Note: VerifyCsrfToken is enabled only for the web application's routes. When Laravel is used as an API (REST API), it does not run this middleware on the API routes, as can be seen in the App\Http\Kernel class.

X-XSRF-TOKEN:

Laravel also sets an XSRF-TOKEN cookie. Angular and Axios automatically place this cookie's value in the X-XSRF-TOKEN header.

From the request's Cookie header we can read this cookie:

dd($request->header('cookie'));

Result:

XSRF-TOKEN=eyJpdiI6IjgxcjR2R1o1NlVzdVIva09tVUo5cHc9PSIsInZhbHVlIjoiRWpIOTE4SUN6ck03WFUrOE1va2JTWXgvd1pBNFdWcUplNG9kZ05CekVnMnVQZXdueHFxYld6bGZTb0RoVE1ZUW5qNkVtM2Q5SkxsaWczQTBlRnJvRjdqSkxBSUVuQTJtenBTbDVIT2kvdmJnNUFmcEZjbE5ndXovWndyL2o3NjEiLCJtYWMiOiIxOTJkMzViMTA0OTBhYjVmMzQ0MmRjNTgzZjgyMTcwNzJhNDlmOWU5MjlkMDBiM2UyNWNiNDU5Nzc3YzIwZTVmIiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6InZKV2c3NExMdEY0bVBPa29UbG9Rb1E9PSIsInZhbHVlIjoiM3p2STdUclV0c05SdDl1Y2dNcElCaDFrdzlmalJlOVAwUFB2TlloMmdBNGxkbVk3anNyUXlZbDRVcktTVGoxMHZKcmZ0Rk4zNjBKaW51d1YraXhXS0VGc2h5VGJ4ZVBYR2FjN0svR2tIOW41YVg3Qk93WDEzUGJBQ3VsaHlMdHQiLCJtYWMiOiJmMmJhYzY0ZDhmMzhjMmRmOWQyYmFiY2FlNmQ2ZTlmYjI2NDlkYjAxNTE3ZTQ4YzNhZTY0ZTRhYmY1MWUyNmFiIiwidGFnIjoiIn0%3D
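The XSRF-TOKEN value above is opaque because Laravel encrypts its cookies. The following is an added example, not Laravel's code: it builds and verifies a cookie payload in the same layout Laravel's Encrypter produces (base64 of JSON `{iv, value, mac, tag}`, AES-256-CBC, HMAC-SHA256 over the base64 IV and ciphertext), so the structure of the value above can be seen. The key and token are constructed; decoding the real cookie would need the application's APP_KEY, and recent Laravel versions also prefix the plaintext with a per-cookie HMAC before encrypting, which is left out here.

```php
<?php
// Added example (not Laravel's code): the payload layout Laravel's Encrypter uses
// for the XSRF-TOKEN cookie, built and then verified. Key and token are constructed.

const CIPHER = 'aes-256-cbc';

function encryptCookie(string $plain, string $key): string
{
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $value = openssl_encrypt($plain, CIPHER, $key, 0, $iv);   // base64 ciphertext
    $ivB64 = base64_encode($iv);
    // MAC over the base64 IV and ciphertext, keyed with the app key.
    $mac = hash_hmac('sha256', $ivB64 . $value, $key);
    $json = json_encode(['iv' => $ivB64, 'value' => $value, 'mac' => $mac, 'tag' => ''], JSON_UNESCAPED_SLASHES);
    return base64_encode($json);
}

// Returns the plaintext, or null if the payload is malformed or the MAC fails.
function decryptCookie(string $payload, string $key): ?string
{
    $data = json_decode(base64_decode($payload, true) ?: '', true);
    if (!is_array($data) || !isset($data['iv'], $data['value'], $data['mac'])) {
        return null;
    }
    // Verify the MAC in constant time before touching the ciphertext.
    $expected = hash_hmac('sha256', $data['iv'] . $data['value'], $key);
    if (!hash_equals($expected, $data['mac'])) {
        return null;
    }
    $iv = base64_decode($data['iv'], true);
    if ($iv === false || strlen($iv) !== openssl_cipher_iv_length(CIPHER)) {
        return null;
    }
    $plain = openssl_decrypt($data['value'], CIPHER, $key, 0, $iv);
    return $plain === false ? null : $plain;
}

$key = random_bytes(32);                 // constructed; stands in for APP_KEY
$token = bin2hex(random_bytes(20));      // constructed session token
$cookie = encryptCookie($token, $key);

// Same shape as the cookie value shown above (URL-encoded base64, ending in %3D).
echo 'XSRF-TOKEN=', rawurlencode($cookie), PHP_EOL;
echo 'round trip ok: ', var_export(decryptCookie($cookie, $key) === $token, true), PHP_EOL;

// Change one character of the MAC: the cookie is rejected before any decryption.
$tampered = json_decode(base64_decode($cookie), true);
$tampered['mac'][0] = $tampered['mac'][0] === '0' ? '1' : '0';
echo 'tampered accepted: ', var_export(decryptCookie(base64_encode(json_encode($tampered)), $key) !== null, true), PHP_EOL;
```

Two points follow from the layout. The token is not secret from the page's own JavaScript (Angular and Axios read the cookie precisely so they can send it back), so the protection rests on the attacker's origin being unable to read the cookie, not on the encryption. And because the MAC is checked first, a forged or edited X-XSRF-TOKEN header never reaches the decryption step, let alone the token comparison.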

 
