SRE School

Laravel Security: Upload, Store, and Download files with privacy restrictions in Laravel part 5

Posted by

Dharmendra Kumar, Senior Software Engineer & Co founder at MyhospitalNow

Improper Handling of HTTP Requests: CSRF (Cross-Site Request Forgery) Vulnerability

Scenario:

Cross-Site Request Forgery (CSRF) is a type of attack that tricks an authenticated user into performing an action without their consent. If a website does not implement proper CSRF protection, an attacker can craft a malicious request that, when executed by an authenticated user, can perform actions on their behalf, such as uploading a file, changing user settings, or transferring funds.

For example, if a file upload form does not have CSRF protection, an attacker can trick a logged-in user into uploading a malicious file to the server, potentially leading to a server compromise or data breach.

Example of CSRF Vulnerability in File Upload:

Let’s consider a website with an authenticated user who has permission to upload files. The application has a form like this:

<form action="/upload" method="POST" enctype="multipart/form-data">
    <input type="file" name="file" />
    <input type="submit" value="Upload" />
</form>

The form submits the file directly to /upload without any CSRF protection.

  1. Exploiting the CSRF Vulnerability:
    An attacker could create a malicious page with an HTML form that automatically submits a request to the /upload endpoint. The attacker’s goal is to trick the logged-in user into visiting the page (e.g., by sending a link or embedding the form in a social media post). The attacker’s form might look like this:
<html>
<body>
    <form action="http://victimsite.com/upload" method="POST" enctype="multipart/form-data">
        <input type="file" name="file" value="malicious_file.php" />
        <input type="submit" value="Upload" />
    </form>

    <script>
        document.forms[0].submit();
    </script>
</body>
</html>
    • This form is automatically submitted when the user visits the page.
    • Since the user is already logged in on the target website, the request will be sent using the user’s credentials, potentially allowing the attacker to upload a malicious file to the server without the user’s knowledge.
  2. Potential Consequence:
    • Malicious File Upload: If the attacker successfully uploads a PHP shell or other malicious file, they may gain control of the server.
    • Unauthorized Actions: The attacker can make other requests on behalf of the authenticated user, such as changing account settings, deleting files, or accessing private data.

Fixing CSRF Vulnerability: Implementing CSRF Tokens

The best practice to mitigate CSRF vulnerabilities is to use CSRF tokens. A CSRF token is a random value generated by the server and embedded in each form. When the form is submitted, the server checks whether the token in the request matches the one stored in the session. If the token doesn’t match, the server rejects the request.

Here’s how you can implement CSRF protection for a file upload form:

1. Generate a CSRF Token in the Server:

When the user visits the page, generate a CSRF token and store it in the session.

Example in PHP:

session_start();

// Generate a CSRF token if it's not already set
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));  // Generate a random token
}

Include the CSRF Token in the Form:

Embed the CSRF token as a hidden input field within the file upload form.

Example HTML Form:

<form action="/upload" method="POST" enctype="multipart/form-data">
    <input type="file" name="file" />
    <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token']; ?>" />
    <input type="submit" value="Upload" />
</form>

Validate the CSRF Token on Form Submission:

When the form is submitted, the server needs to check that the CSRF token provided in the form matches the token stored in the session. If the tokens do not match, the server should reject the request.

Example PHP CSRF Validation:

session_start();

// Check if CSRF token exists and is valid
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!isset($_POST['csrf_token']) || $_POST['csrf_token'] !== $_SESSION['csrf_token']) {
        // Invalid CSRF token - possible CSRF attack
        die('Invalid CSRF token. Request rejected.');
    }

    // CSRF token is valid, proceed with file upload
    // Handle file upload here
}

If the CSRF token is not present or invalid, the request will be rejected, preventing any unauthorized actions.

4. Expire Tokens Regularly:

For added security, you can set an expiration time for CSRF tokens. Tokens should expire after a certain amount of time to reduce the risk of reuse in case they are intercepted.

Example of Secure PHP File Upload with CSRF Protection:

Here is a complete example of how to implement CSRF protection for file upload:

1. Generate CSRF Token (on the page load):

<?php
session_start();

// Generate a CSRF token if it's not already set
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));  // Generate a random token
}
?>

<form action="/upload" method="POST" enctype="multipart/form-data">
    <input type="file" name="file" />
    <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token']; ?>" />
    <input type="submit" value="Upload" />
</form>

Validate the CSRF Token (when the form is submitted):

<?php
session_start();

// Check if CSRF token exists and is valid
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!isset($_POST['csrf_token']) || $_POST['csrf_token'] !== $_SESSION['csrf_token']) {
        // Invalid CSRF token - possible CSRF attack
        die('Invalid CSRF token. Request rejected.');
    }

    // Proceed with file upload if the CSRF token is valid
    $uploadDir = '/uploads/';
    $allowedExtensions = ['jpg', 'png', 'gif'];
    $fileName = basename($_FILES['file']['name']);
    $fileExtension = pathinfo($fileName, PATHINFO_EXTENSION);

    // Validate file extension
    if (in_array(strtolower($fileExtension), $allowedExtensions)) {
        // Move file to upload directory
        $targetPath = $uploadDir . uniqid() . '.' . $fileExtension;
        move_uploaded_file($_FILES['file']['tmp_name'], $targetPath);
        echo "File uploaded successfully!";
    } else {
        echo "Invalid file type!";
    }
} else {
    echo "Invalid request method!";
}
?>

CSRF is a serious security vulnerability that can allow attackers to perform actions on behalf of authenticated users without their consent. To prevent CSRF attacks in file upload forms:

  1. Implement CSRF tokens to ensure that requests are originating from the legitimate source.
  2. Validate CSRF tokens on the server side before processing the file upload.
  3. Use secure file upload practices (such as file type validation and restricting file execution) in conjunction with CSRF protection.

Dharmendra Kumar, Senior Software Engineer & Co founder at MyhospitalNow

Experienced software developer proficient in HTML, CSS, and Bootstrap for crafting elegant and responsive user interfaces. Skilled in Laravel and PHP, with a focus on building robust and scalable web applications. Proficient in JavaScript for both frontend and backend development, leveraging frameworks like React and Vue.js. Experienced in designing and consuming RESTful APIs to enable seamless communication between client and server. Expertise in integrating payment gateways such as PayPal, Stripe, and Paytm for secure online transactions. Familiar with Flutter, enabling the creation of natively compiled applications for mobile, web, and desktop. Proficient in Android Studio, the primary IDE for developing Android applications. Knowledgeable in Linux and Docker for efficient server management and application deployment. Experienced in using Redis as an in-memory data structure store, enhancing application performance. Passionate about staying updated with the latest technologies and continuously learning to deliver high-quality solutions.

Leave a Reply

Your email address will not be published. Required fields are marked *

Follow Us

Recent Posts

Categories

Tags

#AssetManagement #ContentCollaboration #ContentManagement #DAM #DAMSoftware #DigitalAssetManagement #Digital AssetManagement #DigitalAssets #DigitalMarketing #SEO #SEOManagement #SEOTools #TeamCollaboration #Wizbrand Bike certification command Composer comprehensive Foundation guide Laravel Laravel 10 Launches Linux Paypal php Rental Services Troubleshooting

0
Would love your thoughts, please comment.x
()
x