
easycsrf's Issues

[CRITICAL] This library is absolutely insecure

It looks like this library was intentionally created to be insecure.

  1. Type juggling
<?php
// referralHash() and randomString() as the library builds them, with the
// remote address and user agent hard-coded for the demonstration
function referralHash()
{
    return sha1('192.168.0.1' . 'aMozilla Firefox');
}

function randomString()
{
    return sha1(random_bytes(32));
}

$time = time();
// the token starts with the integer timestamp, so a loose comparison
// against that integer succeeds on PHP < 8.0
$token = $time . referralHash() . randomString(32);
echo $time, PHP_EOL;
echo $token, PHP_EOL;
var_dump($time == $token); // bool(true) on PHP 7.x, bool(false) from PHP 8.0

Until PHP 8.0, 123 == '123abc' is true,
that's why it's critical to have === here:

if ($token != $sessionToken) {

  2. mt_rand does not generate cryptographically secure values. Given two mt_rand() output values separated by 226 others, it is possible to compute, without any brute force, the original seed, and therefore obtain any previous or subsequent mt_rand() output, effectively breaking the PRNG.
    Consider reworking randomString() to something like:
protected function randomString(): string
{
    return sha1(random_bytes(32));
}
  3. (Just a question) What is the purpose of referralHash()? In CSRF attacks all the requests come from the legitimate user, so randomString() + referralHash() is as secure as randomString() alone.
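As an added example (not code from EasyCSRF, and not from the author of this issue), here is a generate/check pair in PHP that addresses all three points at once: random_bytes() instead of mt_rand(), hash_equals() for a strict and constant-time comparison, and a token with no timestamp prefix and no IP/User-Agent component. The $session array standing in for $_SESSION, the function names and the exception messages are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not EasyCSRF's code. $session stands in for $_SESSION and the
// function names are assumptions chosen for this illustration.

function csrfGenerate(array &$session, string $key): string
{
    // 32 bytes from the OS CSPRNG via random_bytes(), never mt_rand(). The token
    // carries no timestamp and no IP/User-Agent hash: a forged CSRF request is
    // sent by the victim's own browser, so those values add nothing.
    $token = bin2hex(random_bytes(32));
    $session['csrf'][$key] = $token;
    return $token;
}

function csrfCheck(array &$session, string $key, $submitted): void
{
    $stored = $session['csrf'][$key] ?? null;
    if (!is_string($stored) || !is_string($submitted) || $submitted === '') {
        throw new RuntimeException('Missing CSRF token');
    }
    // hash_equals() compares byte for byte in constant time and never juggles
    // types, so a numeric-prefixed string cannot collide with an integer.
    if (!hash_equals($stored, $submitted)) {
        throw new RuntimeException('Invalid CSRF token');
    }
    // single use: a consumed token must not validate a second time
    unset($session['csrf'][$key]);
}

// Demonstration with a constructed session array (no session_start() needed).
$session = [];
$token = csrfGenerate($session, 'my_token');

csrfCheck($session, 'my_token', $token);          // passes
echo "valid token accepted", PHP_EOL;

try {
    csrfCheck($session, 'my_token', $token);      // replay of a consumed token
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}

try {
    csrfCheck($session, 'my_token', '');          // empty form field
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// The juggling problem from point 1, next to the strict comparison:
$now    = time();
$legacy = $now . sha1('whatever');                // library-style token, timestamp first
var_dump($now == $legacy);                        // true on PHP < 8.0
var_dump(hash_equals($legacy, (string) $now));    // false on every PHP version
```

Note that hash_equals() requires both arguments to be strings (PHP 8 throws a TypeError otherwise), which is why the is_string() guard runs first; an absent or non-string POST value is then reported as missing rather than silently compared.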

my_token

Can't I let the system generate the tokens randomly?
And what should my_token be?

Array and string offset access syntax with curly braces is deprecated

Deprecated: Array and string offset access syntax with curly braces is deprecated in vendor/gilbitron/easycsrf/src/EasyCSRF.php on line 84

This line uses curly braces to access the array:
$string .= $seed{intval(mt_rand(0.0, $max))};
It should be:
$string .= $seed[intval(mt_rand(0.0, $max))];

Edit: My bad, this is already fixed but not live yet. It is in this pull request: #4

Some organizations have user ip change while browsing

One issue I see from time to time with organization users (e.g. a university or hospital Wi-Fi) is a changing IP address for users as they browse and load pages. The whole IP doesn't change, just the last group of 3 digits as that's the IP range assigned to the organization. For example, as a user browses their IP changes from 111.222.333.444 to 111.222.333.555 to 111.222.333.666, etc. This behavior causes the CSRF validation to fail, since the codes are based on $_SERVER['REMOTE_ADDR'] (see EasyCSRF.php function referralHash).

It would be helpful to be able to use a partial user ip from $_SERVER['REMOTE_ADDR'], rather than the whole ip, for these use cases.

Missing CSRF session token.

easyCSRF is reporting 'missing CSRF session token'.

I've called $easyCSRF->generate( 'my_token' ) and the value has been output to my html:

<form method="post" action="/new"> <input type="hidden" name="nonce" value="MTU1MzIwMzkwODNmNzIwNTU1Mzg0Nzk2NjNkZDNkNTk4MjM3OGM0YjE4YzIxZWE5N2N6NDg5cWVyaGFUcVozY1B1TjJEdllLMncwYUdpTENudw==">

When the form is posted, echo'ing $_POST['nonce'] outputs:

MTU1MzIwMzkwODNmNzIwNTU1Mzg0Nzk2NjNkZDNkNTk4MjM3OGM0YjE4YzIxZWE5N2N6NDg5cWVyaGFUcVozY1B1TjJEdllLMncwYUdpTENudw==

Immediately after echoing, I call:

try {
    $this->easyCSRF->check('my_token', $_POST['nonce']);
} catch (Exception $e) {
    echo $e->getMessage();
}

and in the browser I get: Missing CSRF session token.

Any advice or suggestions? Thanks
