├── .coveralls.yml
├── .github
└── ISSUE_TEMPLATE
│ ├── bug_report.md
│ ├── custom.md
│ └── feature_request.md
├── .gitignore
├── .travis.yml
├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── composer.json
├── docs
├── files
│ └── libs
│ │ └── csrf
│ │ └── csrfprotector-php.html
├── index.html
├── index
│ ├── Files.html
│ ├── Functions.html
│ ├── General.html
│ └── Variables.html
├── javascript
│ ├── main.js
│ ├── prettify.js
│ └── searchdata.js
├── search
│ ├── FilesC.html
│ ├── FunctionsA.html
│ ├── FunctionsC.html
│ ├── FunctionsF.html
│ ├── FunctionsG.html
│ ├── FunctionsI.html
│ ├── FunctionsL.html
│ ├── FunctionsO.html
│ ├── FunctionsR.html
│ ├── FunctionsU.html
│ ├── GeneralA.html
│ ├── GeneralC.html
│ ├── GeneralF.html
│ ├── GeneralG.html
│ ├── GeneralI.html
│ ├── GeneralL.html
│ ├── GeneralO.html
│ ├── GeneralR.html
│ ├── GeneralU.html
│ ├── GeneralV.html
│ ├── NoResults.html
│ ├── VariablesC.html
│ ├── VariablesI.html
│ └── VariablesR.html
└── styles
│ └── main.css
├── js
├── README.md
├── csrfprotector.js
└── index.php
├── libs
├── README.md
├── config.sample.php
├── csrf
│ ├── LoggerInterface.php
│ ├── README.md
│ ├── csrfpAction.php
│ ├── csrfpCookieConfig.php
│ ├── csrfpDefaultLogger.php
│ ├── csrfprotector.php
│ └── index.php
└── index.php
├── licence.md
├── phpunit.xml.dist
├── readme.md
└── test
├── config.test.php
├── config.testInit_incompleteConfigurationException.php
├── config.testInit_withoutInjectedCSRFGuardScript.php
├── csrfprotector_test.php
├── csrfprotector_test_customlogger.php
├── fakeLogger.php
└── testHelpers.php
/.coveralls.yml:
--------------------------------------------------------------------------------
# php-coveralls configuration, read by the composer-installed
# `vendor/bin/coveralls` binary after the test run.
service_name: travis-ci

# Only the library sources under libs/ count toward coverage.
src_dir: ./libs/

# Clover report written by `phpunit --coverage-clover build/logs/clover.xml`.
coverage_clover: build/logs/clover.xml

# Intermediate upload payload built from the clover report.
json_path: build/logs/coveralls-upload.json
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/bug_report.md:
--------------------------------------------------------------------------------
1 | ---
2 | name: Bug report
3 | about: Create a report to help us improve
4 | title: ''
5 | labels: bug, repro needed
6 | assignees: ''
7 |
8 | ---
9 |
10 | **Describe the bug**
11 | A clear and concise description of what the bug is.
12 |
13 | **To Reproduce**
14 | Steps to reproduce the behavior
15 |
16 | **Expected behavior**
17 | A clear and concise description of what you expected to happen.
18 |
19 | **Screenshots (Optional)**
20 | If applicable, add screenshots to help explain your problem.
21 |
22 | **Error logs (Optional)**
23 | If applicable, share error logs. Please redact session identifiers, CSRF tokens, cookies and any other secrets before posting logs in a public issue.
24 |
25 | **Additional context**
26 | - PHP Version (example: php 5.6)
27 | - Framework, if applicable
28 | - Browser
29 |
30 | Add any other context about the problem here.
31 |
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/custom.md:
--------------------------------------------------------------------------------
1 | ---
2 | name: Custom issue template
3 | about: Describe this issue template's purpose here.
4 | title: ''
5 | labels: ''
6 | assignees: ''
7 |
8 | ---
9 |
10 |
11 |
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/feature_request.md:
--------------------------------------------------------------------------------
1 | ---
2 | name: Feature request
3 | about: Suggest an idea for this project
4 | title: ''
5 | labels: ''
6 | assignees: ''
7 |
8 | ---
9 |
10 | **Is your feature request related to a problem? Please describe.**
11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
12 |
13 | **Describe the solution you'd like**
14 | A clear and concise description of what you want to happen.
15 |
16 | **Describe alternatives you've considered**
17 | A clear and concise description of any alternative solutions or features you've considered.
18 |
19 | **Additional context**
20 | Add any other context or screenshots about the feature request here.
21 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | phpunit.phar
2 | coveralls.phar
3 |
4 | coverage/
5 | vendor/
6 | build/
7 | log/*.log
8 |
9 | .DS_Store
--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
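language: php

# Versions built; the ones listed under allow_failures below may break the
# build without failing it.
php:
  - "5.3"
  - "5.4"
  - "5.5"
  - "5.6"
  - "7.0"
  - "7.1"
  - hhvm
  - nightly

matrix:
  allow_failures:
    - php: nightly
    - php: hhvm
    - php: "5.3"

os:
  - linux

dist: trusty

install:
  # Install composer packages (this also triggers dump-autoload). The coverage
  # uploader is the require-dev dependency satooshi/php-coveralls, so no
  # separate phar download is needed.
  # NOTE(review): no composer.lock is committed alongside composer.json, so
  # dev dependencies are re-resolved on every run -- consider committing one
  # to pin them.
  - composer install --no-interaction --prefer-dist

before_script:
  - mkdir -p build/logs
  - ls -al

script:
  # HHVM needs xdebug enabled explicitly for coverage collection.
  - if [ $(phpenv version-name) = 'hhvm' ]; then echo 'xdebug.enable=1' >> /etc/hhvm/php.ini; fi
  - phpunit --stderr --coverage-clover build/logs/clover.xml

after_success:
  # Upload coverage once, only for a green build, using the composer-managed
  # binary. The previous config additionally fetched coveralls.phar over the
  # network with wget and executed it without any checksum or signature
  # verification (and with --tries=0, i.e. unbounded retries); running an
  # unverified downloaded executable in CI is a supply-chain risk, and the
  # upload was being performed twice (after_script and after_success).
  - travis_retry php vendor/bin/coveralls -v

cache:
  directories:
    - vendor
    - $HOME/.cache/composer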
--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
1 | # Contributor Covenant Code of Conduct
2 |
3 | ## Our Pledge
4 |
5 | In the interest of fostering an open and welcoming environment, we as
6 | contributors and maintainers pledge to making participation in our project and
7 | our community a harassment-free experience for everyone, regardless of age, body
8 | size, disability, ethnicity, sex characteristics, gender identity and expression,
9 | level of experience, education, socio-economic status, nationality, personal
10 | appearance, race, religion, or sexual identity and orientation.
11 |
12 | ## Our Standards
13 |
14 | Examples of behavior that contributes to creating a positive environment
15 | include:
16 |
17 | * Using welcoming and inclusive language
18 | * Being respectful of differing viewpoints and experiences
19 | * Gracefully accepting constructive criticism
20 | * Focusing on what is best for the community
21 | * Showing empathy towards other community members
22 |
23 | Examples of unacceptable behavior by participants include:
24 |
25 | * The use of sexualized language or imagery and unwelcome sexual attention or
26 | advances
27 | * Trolling, insulting/derogatory comments, and personal or political attacks
28 | * Public or private harassment
29 | * Publishing others' private information, such as a physical or electronic
30 | address, without explicit permission
31 | * Other conduct which could reasonably be considered inappropriate in a
32 | professional setting
33 |
34 | ## Our Responsibilities
35 |
36 | Project maintainers are responsible for clarifying the standards of acceptable
37 | behavior and are expected to take appropriate and fair corrective action in
38 | response to any instances of unacceptable behavior.
39 |
40 | Project maintainers have the right and responsibility to remove, edit, or
41 | reject comments, commits, code, wiki edits, issues, and other contributions
42 | that are not aligned to this Code of Conduct, or to ban temporarily or
43 | permanently any contributor for other behaviors that they deem inappropriate,
44 | threatening, offensive, or harmful.
45 |
46 | ## Scope
47 |
48 | This Code of Conduct applies both within project spaces and in public spaces
49 | when an individual is representing the project or its community. Examples of
50 | representing a project or community include using an official project e-mail
51 | address, posting via an official social media account, or acting as an appointed
52 | representative at an online or offline event. Representation of a project may be
53 | further defined and clarified by project maintainers.
54 |
55 | ## Enforcement
56 |
57 | Instances of abusive, harassing, or otherwise unacceptable behavior may be
58 | reported by contacting the project team at minhazav@gmail.com. All
59 | complaints will be reviewed and investigated and will result in a response that
60 | is deemed necessary and appropriate to the circumstances. The project team is
61 | obligated to maintain confidentiality with regard to the reporter of an incident.
62 | Further details of specific enforcement policies may be posted separately.
63 |
64 | Project maintainers who do not follow or enforce the Code of Conduct in good
65 | faith may face temporary or permanent repercussions as determined by other
66 | members of the project's leadership.
67 |
68 | ## Attribution
69 |
70 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
71 | available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
72 |
73 | [homepage]: https://www.contributor-covenant.org
74 |
75 | For answers to common questions about this code of conduct, see
76 | https://www.contributor-covenant.org/faq
77 |
--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
1 | # Contributing to OWASP CSRF Protector PHP
2 | CSRF Protector is a community project, and we are always delighted to welcome new contributors!
3 |
4 | There are lots of ways you can contribute:
5 |
6 | ## Got a Question or Problem?
7 | If you have a question or problem relating to using this project then the first thing to do is to check:
8 | - **Project Wiki**: We have a comprehensive User Guide for CSRF Protector in our [Github Wiki](https://github.com/mebjas/CSRF-Protector-PHP/wiki).
9 | - **OWASP Wiki**: We have more information about the project and sibling projects at [https://www2.owasp.org/www-project-csrfprotector/](https://www2.owasp.org/www-project-csrfprotector/).
10 | - **Articles online**: We also have some articles online about how to use the library and about newly introduced features:
11 | - [CSRF Protector - concept design & future](https://blog.minhazav.dev/CSRF-Protector-concept-design-and-future/)
12 | - [Session based login compatibility issues with CSRF - how to mitigate](https://blog.minhazav.dev/logging-out-and-then-logging-in-throws-403-error-with-csrf-protector/)
13 | - [Minor improvements to CSRF Protector PHP](https://blog.minhazav.dev/introducing-minor-improvements-to-csrf-protector-php/)
14 | - **Google groups**: If they don't help then please ask on the [User Group](https://groups.google.com/a/owasp.org/forum/#!forum/csrfprotector-project)
15 |
16 | ## Found an Issue?
17 | If you have found a bug then raise an issue on the CSRF Protector repo: [https://github.com/mebjas/CSRF-Protector-PHP/issues](https://github.com/mebjas/CSRF-Protector-PHP/issues)
18 |
19 | It's worth checking whether it has already been reported, and please include as much information as you can to help us diagnose your problem.
20 |
21 | ## Found a Vulnerability?
22 | If you think you have found a vulnerability in CSRF Protector then please report it privately by email at [minhazav@gmail.com](mailto:minhazav@gmail.com) or [minhaz@owasp.org](mailto:minhaz@owasp.org) rather than opening a public issue, so that a fix can be prepared before the details are disclosed.
23 |
24 | We are always very grateful to researchers who report vulnerabilities responsibly and will be very happy to give credit for the valuable assistance they provide.
25 |
26 | ## Have a Feature Request?
27 | If you have a suggestion for new functionality then you can raise an issue on the CSRF Protector PHP repo: [https://github.com/mebjas/CSRF-Protector-PHP/issues](https://github.com/mebjas/CSRF-Protector-PHP/issues)
28 |
29 | It's worth checking whether it has already been requested, and please include as much information as you can so that we can fully understand your requirements.
30 |
31 | ## Become a CSRF Protector Evangelist
32 | Please feel free to write more about this project on how it works or how to use it. Please feel free to send a [pull request](https://github.com/mebjas/CSRF-Protector-PHP/pulls) by adding a reference to your article in the `README.md` or `CONTRIBUTING.md`.
33 |
34 | ## Help Improve the Documentation
35 | The source for the CSRF Protector OWASP wiki [User Guide is hosted at OWASP/www-project-csrfprotector](https://github.com/OWASP/www-project-csrfprotector) and is hosted at [https://www2.owasp.org/www-project-csrfprotector/](https://www2.owasp.org/www-project-csrfprotector/). Please feel free to send a [pull request](https://github.com/OWASP/www-project-csrfprotector/pulls) to add updates to the documentation.
36 |
37 | ## Coding
38 |
39 | There's always lots of coding to be done! If you feel something can be improved feel free to send a pull request.
40 |
--------------------------------------------------------------------------------
/composer.json:
--------------------------------------------------------------------------------
1 | {
2 | "name": "owasp/csrf-protector-php",
3 | "type": "library",
4 | "description": "CSRF protector php, a standalone php library for csrf mitigation in web applications. Easy to integrate in any php web app.",
5 | "keywords": ["security","csrf", "owasp"],
6 | "homepage": "https://github.com/mebjas/CSRF-Protector-PHP",
7 | "license": "Apache-2.0",
8 | "require-dev": {
9 | "satooshi/php-coveralls": "~1.0"
10 | },
11 | "autoload": {
12 | "classmap": ["libs/csrf/"]
13 | }
14 | }
15 |
--------------------------------------------------------------------------------
/docs/files/libs/csrf/csrfprotector-php.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
config file for CSRFProtector @var int Array, length = 6 Property: #1: failedAuthAction (int) => action to be taken in case authorisation fails Property: #2: logDirectory (string) => directory in which log will be saved Property: #3: customErrorMessage (string) => custom error message to be sent in case of failed authentication Property: #4: jsFile (string) => location of the CSRFProtector js file Property: #5: tokenLength (int) => default length of hash Property: #6: disabledJavascriptMessage (string) => error message if client’s js is disabled
Function to check whether a URL matches any of the URLs listed in the config file
15 |
16 |
Variables
17 |
18 |
$cookieExpiryTime
public static $cookieExpiryTime
expiry time for cookie @var int
19 |
20 |
$isSameOrigin
private static $isSameOrigin
flag for cross origin/same origin request @var bool
21 |
22 |
$isValidHTML
private static $isValidHTML
flag to check if output file is a valid HTML or not @var bool
23 |
24 |
$requestType
protected static $requestType
Variable to store whether the request type is POST or GET @var string
25 |
26 |
$config
public static $config
config file for CSRFProtector @var int Array, length = 6 Property: #1: failedAuthAction (int) => action to be taken in case authorisation fails Property: #2: logDirectory (string) => directory in which log will be saved Property: #3: customErrorMessage (string) => custom error message to be sent in case of failed authentication Property: #4: jsFile (string) => location of the CSRFProtector js file Property: #5: tokenLength (int) => default length of hash Property: #6: disabledJavascriptMessage (string) => error message if client’s js is disabled
27 |
28 |
Functions
29 |
30 |
init
public static function init(
$length
=
null,
$action
=
null
)
function to initialise the csrfProtector workflow
Parameters
$length
length of CSRF_AUTH_TOKEN to be generated
$action
int array, for different actions to be taken in case of failed validation
Returns
void
Throws
configFileNotFoundException
when configuration file is not found
31 |
32 |
useCachedVersion
public static function useCachedVersion()
function to check whether to use the cached version of the js file or not
Parameters
void
Returns
bool -- true if the cached version can be used -- false otherwise
33 |
34 |
createNewJsCache
public static function createNewJsCache()
Function to create a new cached version of the js file
Parameters
void
Returns
void
Throws
baseJSFileNotFoundException
if baseJsFile is not found
35 |
36 |
authorisePost
public static function authorisePost()
function to authorise incoming post requests
Parameters
void
Returns
void
Throws
logDirectoryNotFoundException
if log directory is not found
37 |
38 |
failedValidationAction
private static function failedValidationAction()
function to be called in case of failed validation; performs logging and takes the appropriate action
Parameters
void
Returns
void
39 |
40 |
refreshToken
public static function refreshToken()
Function to set auth cookie
Parameters
void
Returns
void
41 |
42 |
generateAuthToken
public static function generateAuthToken()
function to generate a random hash of the length given in the parameter (max length = 128). NOTE(review): this value is used as the CSRF token, so it must be drawn from a cryptographically secure random source -- confirm against the implementation
Parameters
length of the hash required, int
Returns
string, token
43 |
44 |
ob_handler
public static function ob_handler(
$buffer,
$flags
)
Rewrites <form> on the fly to add CSRF tokens to them. This can also inject our JavaScript library.
Parameters
$buffer
output buffer to which all output are stored
$flags
INT
Returns
string, complete output buffer
45 |
46 |
logCSRFattack
private static function logCSRFattack()
Function to log a CSRF attack
Parameters
void
Returns
void
Throws
logFileWriteError
if unable to log an attack
47 |
48 |
getCurrentUrl
private static function getCurrentUrl()
Function to return current url of executing page
Parameters
void
Returns
string
current url
49 |
50 |
isURLallowed
public static function isURLallowed()
Function to check whether a URL matches any of the URLs listed in the config file
Parameters
void
Returns
boolean
true if the URL needs no validation, false if validation is needed
flag for cross origin/same origin request @var bool
private static $isValidHTML
flag to check if output file is a valid HTML or not @var bool
protected static $requestType
Variable to store whether the request type is POST or GET @var string
public static $config
config file for CSRFProtector @var int Array, length = 6 Property: #1: failedAuthAction (int) => action to be taken in case authorisation fails Property: #2: logDirectory (string) => directory in which log will be saved Property: #3: customErrorMessage (string) => custom error message to be sent in case of failed authentication Property: #4: jsFile (string) => location of the CSRFProtector js file Property: #5: tokenLength (int) => default length of hash Property: #6: disabledJavascriptMessage (string) => error message if client’s js is disabled
public static function init(
$length
=
null,
$action
=
null
)
function to initialise the csrfProtector workflow
public static function useCachedVersion()
function to check whether to use the cached version of the js file or not
public static function createNewJsCache()
Function to create a new cached version of the js file
public static function authorisePost()
function to authorise incoming post requests
private static function failedValidationAction()
function to be called in case of failed validation; performs logging and takes the appropriate action
public static function refreshToken()
Function to set auth cookie
public static function generateAuthToken()
function to generate a random hash of the length given in the parameter (max length = 128)
public static function ob_handler(
$buffer,
$flags
)
Rewrites form on the fly to add CSRF tokens to them.
private static function logCSRFattack()
Function to log a CSRF attack
private static function getCurrentUrl()
Function to return current url of executing page
public static function isURLallowed()
Function to check whether a URL matches any of the URLs listed in the config file
config file for CSRFProtector @var int Array, length = 6 Property: #1: failedAuthAction (int) => action to be taken in case authorisation fails Property: #2: logDirectory (string) => directory in which log will be saved Property: #3: customErrorMessage (string) => custom error message to be sent in case of failed authentication Property: #4: jsFile (string) => location of the CSRFProtector js file Property: #5: tokenLength (int) => default length of hash Property: #6: disabledJavascriptMessage (string) => error message if client’s js is disabled
public static $cookieExpiryTime
expiry time for cookie @var int
public static function createNewJsCache()
Function to create a new cached version of the js file
21 |
22 |
23 |
24 |
private static function failedValidationAction()
function to be called in case of failed validation; performs logging and takes the appropriate action
25 |
26 |
27 |
28 |
public static function generateAuthToken()
function to generate a random hash of the length given in the parameter (max length = 128)
private static function getCurrentUrl()
Function to return current url of executing page
29 |
30 |
31 |
32 |
public static function init(
$length
=
null,
$action
=
null
)
function to initialise the csrfProtector workflow
private static $isSameOrigin
flag for cross origin/same origin request @var bool
public static function isURLallowed()
Function to check whether a URL matches any of the URLs listed in the config file
private static $isValidHTML
flag to check if output file is a valid HTML or not @var bool
33 |
34 |
35 |
36 |
private static function logCSRFattack()
Function to log a CSRF attack
37 |
38 |
39 |
40 |
public static function ob_handler(
$buffer,
$flags
)
Rewrites form on the fly to add CSRF tokens to them.
41 |
42 |
43 |
44 |
public static function refreshToken()
Function to set auth cookie
protected static $requestType
Variable to store whether the request type is POST or GET @var string
45 |
46 |
47 |
48 |
public static function useCachedVersion()
function to check whether to use the cached version of the js file or not
config file for CSRFProtector @var int Array, length = 6 Property: #1: failedAuthAction (int) => action to be taken in case authorisation fails Property: #2: logDirectory (string) => directory in which log will be saved Property: #3: customErrorMessage (string) => custom error message to be sent in case of failed authentication Property: #4: jsFile (string) => location of the CSRFProtector js file Property: #5: tokenLength (int) => default length of hash Property: #6: disabledJavascriptMessage (string) => error message if client’s js is disabled
public static $cookieExpiryTime
expiry time for cookie @var int
17 |
18 |
19 |
20 |
private static $isSameOrigin
flag for cross origin/same origin request @var bool
private static $isValidHTML
flag to check if output file is a valid HTML or not @var bool
21 |
22 |
23 |
24 |
protected static $requestType
Variable to store whether the request type is POST or GET @var string