Practical Application of Token in php form Security

2025-02-28 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article walks through a practical case of how a per-form token is used for form security in a PHP application: first from the outside, by capturing and replaying the request in Burp Suite, and then from the inside, by reading the source that generates and checks the token.

0x1 packet capture analysis

Point the browser at Burp Suite as its proxy and start testing. The first thing found is a form submission page; the form is submitted with POST, so fill in some arbitrary data and submit it.

Intercept the request in Burp Suite and look at the parameters.

The form is posted to a Task action. If the input is not strictly filtered, this handler may be vulnerable to XSS or SQL injection, so after a quick look the request is sent to Scanner.

After the request is released from the Proxy, the page shows an exception saying that the token verification failed.

Looking more closely, the request contains, in addition to the form fields, a parameter token=20e168c64ce1f1f98f89e4c8ff9e3aba. After the form is submitted, the response contains a new token, "token":"e40fe4b3afedc40f95903fef92eb79ed". Each captured request is therefore valid exactly once, and Burp Scanner, which builds its test cases by mutating the parameters of the original request, is essentially useless against this form. (The usual workaround is a Burp session handling rule with a macro that loads the form page and extracts a fresh token before each scanner request; a single-packet scan will not work here.)

Token generally has two functions:

1. Prevent a form from being submitted repeatedly (replay of the same packet)

2. Prevent CSRF (cross-site request forgery)

Because the token is unpredictable to an outside attacker, it is hard to guess, which is what gives it its value. To see how strong it actually is, look at the implementation in the source code.

0x2 source code analysis

Find the corresponding PHP file through the request path. The method $label->token() is executed automatically when the form page is requested.

In the source of label.php, the token method builds the hidden form field: it defines a token variable and assigns it the value Core\Func\CoreFunc::$token.

Continue into the source of CoreFunc, which contains the token generation.

The token is derived from the current time, rand(), and an md5 hash. Note the caveat: rand() (an alias of mt_rand() in current PHP versions) is not a cryptographically secure generator and time() is guessable, so this construction is weaker than it looks; random_bytes() is the appropriate source for a new implementation. In this application the token is still single-use and server-side, which limits what an attacker can do even if the generator is predictable.

The generated token is stored in the server-side session.

The submitted form is handled mainly by task.php. The Task class only reads the userid field from the session and then calls parent::action($jump, $commit) on its parent class Content, which performs validation before processing the form data.

Layer after layer, it is fairly involved. The Content class inherits the checkToken() check from Controller.

checkToken() deletes the stored token value whether or not verification succeeds, which guarantees that a token can never be reused.
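The following is an added example, not the application's own code, that reconstructs the flow described above end to end: generation (the weak time + rand() + md5 scheme the article found, beside a random_bytes() replacement), the hidden field, server-side storage, and a checkToken()-style check that consumes the token regardless of the outcome. The class name FormToken, the method names, the session key and the sample POST body are all assumptions for illustration; the session is a plain array standing in for $_SESSION so the script runs offline.

```php
<?php
// Added example reconstructing the per-form token flow described in the article:
// generate -> hidden field -> session -> single-use check. Names are hypothetical.
declare(strict_types=1);

final class FormToken
{
    private const SESSION_KEY = 'form_token';   // assumed session key

    // Generation as the article describes it: current time, rand(), md5().
    // Shown only to illustrate the weak construction: rand() is not a CSPRNG
    // and time() is guessable. Do not use this for new code.
    public static function generateLegacy(): string
    {
        return md5((string) time() . (string) rand());
    }

    // Hardened generation: 16 bytes from the OS CSPRNG, hex-encoded (32 chars).
    public static function generate(): string
    {
        return bin2hex(random_bytes(16));
    }

    // Store the token server-side and return the hidden <input> for the form,
    // mirroring what $label->token() does in the article.
    public static function hiddenField(array &$session): string
    {
        $token = self::generate();
        $session[self::SESSION_KEY] = $token;
        return '<input type="hidden" name="token" value="'
            . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
    }

    // checkToken(): the stored token is removed from the session BEFORE the
    // comparison, so it is consumed whether or not verification succeeds.
    // hash_equals() gives a constant-time comparison.
    public static function check(array &$session, array $post): bool
    {
        $expected = $session[self::SESSION_KEY] ?? null;
        unset($session[self::SESSION_KEY]);          // consume regardless of outcome
        $supplied = $post['token'] ?? null;
        if (!is_string($expected) || !is_string($supplied)) {
            return false;
        }
        return hash_equals($expected, $supplied);
    }
}

// --- Walk-through with a constructed session array instead of $_SESSION -----
$session = [];

// 1. Form page rendered: token stored in session and emitted as hidden field.
$field = FormToken::hiddenField($session);
preg_match('/value="([0-9a-f]{32})"/', $field, $m);
$post = ['title' => 'demo', 'token' => $m[1]];   // constructed POST body

var_dump(FormToken::check($session, $post));     // bool(true): first submit passes
var_dump(FormToken::check($session, $post));     // bool(false): replaying the same
                                                 // packet fails, token already consumed

// 2. A failed attempt also burns the token, as the article's checkToken() does.
$field = FormToken::hiddenField($session);
preg_match('/value="([0-9a-f]{32})"/', $field, $m);
var_dump(FormToken::check($session, ['token' => 'wrong']));   // bool(false)
var_dump(FormToken::check($session, ['token' => $m[1]]));     // bool(false): the
                                                              // valid token was
                                                              // consumed by the
                                                              // failed check
```

Run it with `php formtoken.php` (PHP 7.1 or later for random_bytes() and hash_equals()). The second block of var_dump calls is the behaviour that makes Burp Scanner's replayed packets fail: any submission, valid or not, consumes the token, so a new form load is required before every request.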

0x3 summary

Storing the token in the session is reasonably secure but somewhat cumbersome. When several pages or several requests are generated at the same time (for example the same form open in multiple tabs), several tokens have to exist at once, which costs more resources and reduces efficiency, and with a single session slot an earlier tab's submission will fail once a later page has overwritten the token. The security gain is nevertheless clear: it is a good way to prevent repeated form submission, to defeat scanning based on a single captured packet, and to address CSRF.
