Preventing CSRF (Cross-Site Request Forgery) Attack in PHP Tutorial

Submitted by oretnom23 on Friday, March 31, 2023 - 13:31.

In this tutorial, you can learn to prevent your site from CSRF or Cross-site Request Forgery Attacks using PHP Language. The tutorial aims to provide students and beginners with a reference for learning to build a secure web application using PHP Language for the server-side script. Here, I will be providing a simple web page script that demonstrates the main Idea for preventing the site from CSRF Attacks.

What is CSRF Attack?

The CSRF or Cross-site Request Forgery is a type of attack that involves a hacker compelling you to take action against a website you are currently logged in to. Failure of protecting the site from CSRF attacks gives an attacker the ability to partially get around the same origin policy, which is meant to stop various websites from interfering with one another. An attacker can cause your client to carry out an unintentional action.

How to Prevent CSRF Attacks in PHP?

We can prevent the CSRF Attack by implementing a CSRF Token validation. The CSRF Token is a generated random token that will be used for validating the form data or the request was exactly submitted from the right form page of the client side. We can set up also the CSRF Token that regenerates every time the form page loads to make it more secure and we can also add an expiration so that the attackers will only have a limited and short time to bypass it. Check out the sample web page that I created and provided below to have a better idea of how you can prevent your site from CSRF Attach using PHP.

Sample Web Page

The scripts below result in a simple web application that contains a sample form that requires the user's basic information and contacts. The form data contains a generated CSRF Token to allow the server API to validate the request. The application also has a sample file script that simulates form requests without the CSRF Token.

Form Page Interface

Here is the PHP file script named index.php. It contains a combined PHP and HTML code which are the PHP Generated CSRF Token stored in SESSION Global Variable and the page/form layout elements.

  1. <?php 
  2. session_start();
  3. if(isset($_SESSION['csrf_token']['sample-form']))
  4. 	unset($_SESSION['csrf_token']['sample-form']);
  5. $_SESSION['csrf_token']['sample-form']['token'] = password_hash(uniqid(mt_rand(), true),PASSWORD_DEFAULT);
  6. $_SESSION['csrf_token']['sample-form']['expiry'] = time() + 3600 ;
  7. ?>
  8. <!DOCTYPE html>
  9. <html lang="en">
  10. <head>
  11. 	<meta charset="UTF-8">
  12. 	<meta http-equiv="X-UA-Compatible" content="IE=edge">
  13. 	<meta name="viewport" content="width=device-width, initial-scale=1.0">
  14. 	<title>CSRF Token Protection in PHP</title>
  15. 	<link rel="preconnect" href="https://fonts.googleapis.com">
  16. 	<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
  17. 	<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Material+Symbols+Outlined:opsz,wght,FILL,GRAD@48,400,0,0" />
  18. 	<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css">
  19. 	<link rel="stylesheet" href="style.css">
  20. 	<script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/js/bootstrap.bundle.min.js"></script>
  21. </head>
  22. <body>
  23. 	<div class="content-md-lg py-3">
  24. 		<div class="col-lg-8 col-md-10 col-sm-12 col-12 mx-auto">
  25. 			<div class="page-title">CSRF Token Protection in PHP</div>
  26. 			<hr style="margin:auto; width:25px" class="border-light opacity-100">
  27. 		</div>
  28. 		<div class="container-lg">
  29. 			<div class="row py-3 my-5">
  30. 				<div class="col-lg-5 col-md-5 col-sm-10 col-12 mx-auto">
  31. 					<!-- Sample Web Form -->
  32. 					<div class="card rounded-0">
  33. 						<div class="card-header rounded-0">
  34. 							<div class="card-title fw-bold">Sample Web Form</div>
  35. 						</div>
  36. 						<div class="card-body rounded-0 py-2">
  37. 							<div class="container-fluid">
  38. 								<form action="api.php" method="POST">
  39. 									<input type="hidden" name="token" value="<?= $_SESSION['csrf_token']['sample-form']['token'] ?>">
  40. 									<div class="mb-3">
  41. 										<label for="fullname" class="form-label">Fullname</label>
  42. 										<input type="text" id="fullname" name="fullname" class="form-control rounded-0" required="required">
  43. 									</div>
  44. 									<div class="mb-3">
  45. 										<label for="email" class="form-label">Email</label>
  46. 										<input type="email" id="email" name="email" class="form-control rounded-0" required="required">
  47. 									</div>
  48. 									<div class="mb-3">
  49. 										<label for="phone" class="form-label">Phone</label>
  50. 										<input type="text" id="phone" name="phone" class="form-control rounded-0" required="required">
  51. 									</div>
  52. 									<div class="mb-3">
  53. 										<div class="mx-auto col-lg-6 col-md-8 col-sm-12">
  54. 											<button class="btn btn-sm rounded-pill btn-primary w-100">Submit</button>
  55. 										</div>
  56. 										<div class="mx-auto col-lg-6 col-md-8 col-sm-12 text-center">
  57. 											<a href="./insecure-request.php" target="_blank">Simulate Attacker Request</a>
  58. 										</div>
  59. 									</div>
  60. 								</form>
  61. 							</div>
  62. 						</div>
  63. 					</div>
  64. 					<!-- Sample Web Form -->
  65. 				</div>
  66. 			</div>
  67. 		</div>
  68. 	</div>
  69. 	<footer class="footer py-2 position-fixed bg-black text-light bottom-0 w-100">
  70. 		<div class="text-center"><b>This tutorial program is developed by:</b></div>
  71. 		<div class="text-center"><a href="mailto:[email protected]"><b>[email protected]</b></a></div>
  72. 	</footer>
  73. </body>
  74. </html>

API

Here is the PHP file script known as api.php. It is the file script where the form data is being processed or action is being made. The script contains the security check validation with 3 levels. The first level is for checking if there's a valid CSRF token. The second level checks if the request token matches the valid token, and the last level check if the token is already expired.

  1. <?php 
  2. session_start();
  3. //First Level Security Check
  4. if(isset($_SESSION['csrf_token']['sample-form'])){
  5. 	//First Level Security Check is Validated
  6.  
  7. 	// Valid Token Data
  8. 	$valid_token = $_SESSION['csrf_token']['sample-form']['token'];
  9. 	$token_expiry = $_SESSION['csrf_token']['sample-form']['expiry'];
  10.  
  11. 	// POST Data
  12. 	$token = $_POST['token'];
  13.  
  14. 	// Escape Form Fields Value
  15. 	$fullname = htmlspecialchars($_POST['fullname']);
  16. 	$email = htmlspecialchars($_POST['email']);
  17. 	$phone = htmlspecialchars($_POST['phone']);
  18.  
  19. 	//Second Level Security Check
  20. 	if($token === $valid_token){
  21. 		// Second Level Security Check Validated
  22.  
  23. 		//Third Level Security Check
  24. 		if(time() < $token_expiry){
  25. 			// Third Level Security Check Validated
  26. 			print("<h1>Request has passed the validation.</h1>");
  27. 			print("<h3>Submitted Data</h2>");
  28. 			print("<div><b>Fullname</b>: ${fullname}<div>");
  29. 			print("<div><b>Email</b>: ${email}<div>");
  30. 			print("<div><b>Phone</b>: ${phone}<div>");
  31. 		}else{
  32. 			// Failed in Third Level Security
  33. 			print_r("Third Level Security Check Failed: Token has expired. Kindly refresh the form page and retry your submission.");
  34. 		}
  35. 	}else{
  36. 		// Failed in Second Level Security
  37. 		print_r("Second Level Security Check Failed: Server does not allow you to proceed to the process/action.");
  38. 	}
  39. }else{
  40. 	// Failed in First Level Security
  41. 	print_r("First Level Security Check Failed: Server does not allow you to proceed to the process/action.");
  42. }
  43.  
  44. print("<br/><a href='./'>Back to Form Page</a>");
  45. ?>

Sample Bypass Script

Here is an example PHP file script known as insecure-request.php. It contains the sample script that bypasses the form request without CSRF Token.

  1. <?php
  2. $ch = curl_init();
  3.  
  4. curl_setopt($ch, CURLOPT_URL,"http://localhost/php-csrf-protection/api.php");
  5. curl_setopt($ch, CURLOPT_POST, 1);
  6. curl_setopt($ch, CURLOPT_POSTFIELDS,
  7. 			"fullname=Malicious Value&email=Malicious Value&phone=Malicious Value");
  8. curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  9. $output = curl_exec($ch);
  10. curl_close($ch);
  11. echo($output);
  12. ?>

Snapshots

Here are some of the web page snapshots as the overall result of the scripts I provided above.

Form Page Interface

Preventing CSRF Attack in PHP

Secure Request-Response Message

Preventing CSRF Attack in PHP

Insecure Request-Response Message

Preventing CSRF Attack in PHP

Invalid CSRF Token

Preventing CSRF Attack in PHP

Expired CSRF Token

Preventing CSRF Attack in PHP

DEMO VIDEO

There you go! I have also provided the complete source code zip file of the scripts that I provided above on this site and it is free to download. You can download it by clicking the download button located below this tutorial's content. Feel free to download and modify it to do some experiments.

That's it! I hope Preventing CSRF (Cross-Site Request Forgery) Attack in PHP Tutorial will help you with what you are looking for and will be useful for your current and future PHP Projects.

Explore more on this website for more Tutorials and Free Source Codes.

Happy Coding =)

Tags

Comments

Submitted byoleteacheron Sat, 04/01/2023 - 03:19

Very good information. Thank you for sharing the examples, they make understanding process very simple.

Constructive criticism: the collapsed code areas (syntax highlighting) make page compact but very, very hard to use. Maybe you should try setting for full length?

Cheers and please keep the tutorials flowing:)

Add new comment

About text formats