
Random false positives. Forms work sometimes, not others. Hitting browser 'back' button and click submit again gives success #155

Open
MASSAlan opened this issue Feb 13, 2023 · 2 comments

@MASSAlan

I have installed using 'Non-Composer' method.
PHP 8.1 MySQL on a Virtual Private Server at our Hosts.
We have a strict Content Security Policy enforced.

All 'modules' in my application have their own folder with files pertaining to that module, i.e. index, view, add, edit etc. Every form that updates the database, submits via POST to a 'processor.php' file where the request is processed and then the user is redirected to another page using header('location: ');
Each php page that contains a form has the following at the start of the file:

<?php
// Login handling and logged-in check; also calls session_start().
include("../sysadmin/includes/controller.php");

// Include CSRFProtector library.
include_once('../csrfp/libs/csrf/csrfprotector.php');
// Initialise CSRFGuard library.
csrfProtector::init();

and so does every processor.php file that the forms submit to.

The first line with the include of controller.php does all user login and checking for logged in status on every page. It contains a session_start() so a warning is thrown that a session is already started if I include the CSRF library before it.

The hidden fields are successfully added to the form page:

[screenshot: form_html_screen]

and most of the time the request is successfully processed by the processor file and the user is redirected to the appropriate page.

My config file looks like this:

<?php
return array(
    // Name of the hidden form field and of the cookie carrying the token.
    "CSRFP_TOKEN" => "csrfpt",
    // 2 = redirect to errorRedirectionPage when validation fails.
    "failedAuthAction" => array(
        "GET" => 2,
        "POST" => 2),
    "errorRedirectionPage" => "https://myapplicationurl/error-message.php",
    "customErrorMessage" => "All your base are belong to us (In other words, OWASP CSRF PROTECTOR VALIDATION FAILURE)",
    // Client-side script that copies the token into forms.
    "jsUrl" => "https://myapplicationurl/csrfp/js/csrfprotector.js",
    "tokenLength" => 10,
    // Attributes of the token cookie set by the library.
    "cookieConfig" => array(
        "path" => '',
        "domain" => 'myapplicationurl',
        "secure" => true,
        "expire" => '',
    ),
    "disabledJavascriptMessage" => "This site attempts to protect users against <a href=\"https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29\">
        Cross-Site Request Forgeries </a> attacks. In order to do so, you must have JavaScript enabled in your web browser otherwise this site will fail to work correctly for you.
         See details of your web browser for how to enable JavaScript.",
    // No GET requests are validated.
    "verifyGetFor" => array()
);

As I say, this all worked fine, but randomly, every now and again, one of the forms would send me to the error-message.php page marked in the config.
If I hit the 'back' button in the browser and clicked submit again it would then go through fine with the request processed successfully. I would always check to make sure that the request hadn't been processed twice (i.e. sending to the error-message page after processing the request) but there were no duplicate operations. The CSRF Protector was detecting a false-positive on submit.
It happened infrequently enough that I allowed a group of test users to start using the application, and of the 8 users, 2 of them occasionally encountered the error page, and hitting the back button on the browser and clicking submit again would fix it.

I noticed in the "How-to-use" wiki page that it said:
Repeat for each php file & you are secure !!!
I had it on every page that had a form and every processor file that it submitted to, so I thought that adding it to every page might fix the issue.
This caused the false positives to happen much more, for every user, and the browser 'back' method no longer worked. Deleting the browser cache would make it start working again for that page, but then a different page would get the same issue. Deleting the browser cache again would fix it for that page.

The result of adding a print of SESSION and COOKIE values:

print "<pre>";
print_r($_SESSION);
print_r($_COOKIE);
print "</pre>";

shows this after a successful operation:

[screenshot: print_r_screen]

The SESSION [csrfpt] Array often has up to 4 values.

I think I have added as much information as I can. There is never anything in the error logs of the server when a false positive happens. The How-to-use mentions a folder called 'log' in the CSRF library structure so I have added that but it is always empty.

I don't use a framework, just vanilla php in a procedural manner. No use of Ajax, just standard form submit to server via POST.
Browser used is Edge. If I open the application in another browser (like Brave) the issue isn't there, and clearing the cache in Edge fixes the issue in that instance as well.

Any help would be greatly appreciated as I have now had to disable the CSRF Protector on my application until I can get the issue sorted.
Cheers.
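A diagnostic helper added here as an example (not part of this issue or of CSRF Protector's own code) that separates the cases a false positive could come from: no token in the POST body, an empty session token list, a posted token that is no longer in the session list (stale cached page), or a cookie token that differs from the posted one. It assumes the token name "csrfpt" from the config above and that the library accepts a request when the posted token is one of the values kept in $_SESSION["csrfpt"], as the print_r output suggests; the function name is hypothetical.

```php
<?php
// Hypothetical helper: compares the three places the token can live on one request.
// Assumption: a request passes when the posted token is in the $_SESSION[$tokenName] array.
function csrfpDiagnose(array $post, array $cookie, array $session, string $tokenName = 'csrfpt'): array
{
    $reasons    = [];
    $posted     = $post[$tokenName] ?? null;
    $fromCookie = $cookie[$tokenName] ?? null;
    $stored     = $session[$tokenName] ?? [];
    if (!is_array($stored)) {
        $stored = [$stored];
    }

    if ($posted === null || $posted === '') {
        $reasons[] = 'no token in POST body (hidden field missing or the JS did not run)';
    }
    if ($stored === []) {
        $reasons[] = 'session holds no tokens (session lost or started under another path/domain)';
    }
    if ($posted !== null && $stored !== [] && !in_array($posted, $stored, true)) {
        $reasons[] = 'posted token not in session list (stale page, e.g. served from browser cache)';
    }
    if ($fromCookie !== null && $posted !== null && $fromCookie !== $posted) {
        $reasons[] = 'cookie token differs from posted token (form rendered with an older token)';
    }

    return ['ok' => $reasons === [], 'reasons' => $reasons];
}

// Constructed sample: the form came from cache with a token the session no longer holds.
$sample = csrfpDiagnose(
    ['csrfpt' => 'a1b2c3d4e5'],                       // constructed POST
    ['csrfpt' => 'f6g7h8i9j0'],                       // constructed COOKIE
    ['csrfpt' => ['f6g7h8i9j0', 'k1l2m3n4o5']]        // constructed SESSION
);
// One line per reason, so a tail on the error log shows which case fired.
foreach ($sample['reasons'] as $r) {
    error_log('[csrfp-diag] ' . $r);
}
```

Call csrfpDiagnose($_POST, $_COOKIE, $_SESSION) in processor.php after controller.php has started the session but before csrfProtector::init(), so the values are logged before the library redirects.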

@CassadyCampos

Any result from this?

@Antech

Antech commented Jun 28, 2023

> Any result from this?

Still nothing from anyone. I requested to join the Google chat group supposedly run by the main designer, but I have as yet had no reply or been accepted into the chat group.
I worry that, because popular frameworks have their own implementation, this library is no longer supported by its devs.
I don't use frameworks and was hoping that an OWASP developed library would be supported and maintained.
