Required Help with PHP and Error Output

twinbaby

Supremacy Member
Joined
Jul 8, 2014
Messages
5,417
Reaction score
1,499
P.S.: I can't post any code using the CODE and PHP tags; it goes to 403 Forbidden.

My original intention was to post the Cross Site Request Forgery token on the POST request; it goes to 403 Forbidden.

I just realised I cannot put code input here. Basically my issues are:
1) I am trying to modify an existing login form
2) The CSRF token is in the GET request upon successful authentication of the user and is also stored in the SESSION
3) The CSRF token will be visible in the URL and will be compared against the session
4) This is to prevent another site from logging in to this site remotely.
5) Would like to put it in the POST request instead.

Secondly, the PHP console is not giving meaningful errors when running.
Basically the variable does not have a $ and there is a missing ) at the end.
But this is the type of error message that PHP gives. Is there a better online compiler or editor in this case?

Error: There is 1 more opening parenthesis '(' found
This count is unaware if parenthesis are inside of a string
(hash_equals(session_token, get_token) { } else { header('Location: login.php'); } ?>
PHP Syntax Check: Parse error: syntax error, unexpected '{' in your code on line 1
if (hash_equals(session_token, get_token) {

I also come across errors like a missing ;, but the interpreter says:

127.0.0.1:53320 [500]: /information_gathering/lab1/staff.php - syntax error, unexpected '}' in /var/www/information_gathering/lab1/staff.php on line 14

I understand PHP is currently at 7 and most people will be using frameworks like Laravel. But I am not a developer, I am just going through this coursework to understand the security flaws.


I am also using this method to launch my test application; is there a way with fewer steps?
Web Service:
1. cd /root/Desktop/www/
2. php -S 0.0.0.0:8080 #Refer Figure 1
Database:
1. service mariadb start
2. chromium --no-sandbox http://127.0.0.1:8080/adminer-4.7.7.php # Enter the Username and Password
3. show databases;

davidktw

Arch-Supremacy Member
Joined
Apr 15, 2010
Messages
13,547
Reaction score
1,301
P.S.: I can't post any code using the CODE and PHP tags; it goes to 403 Forbidden.

My original intention was to post the Cross Site Request Forgery token on the POST request; it goes to 403 Forbidden.

I just realised I cannot put code input here. Basically my issues are:
1) I am trying to modify an existing login form
2) The CSRF token is in the GET request upon successful authentication of the user and is also stored in the SESSION
3) The CSRF token will be visible in the URL and will be compared against the session
4) This is to prevent another site from logging in to this site remotely.
5) Would like to put it in the POST request instead.

Secondly, the PHP console is not giving meaningful errors when running.
Basically the variable does not have a $ and there is a missing ) at the end.
But this is the type of error message that PHP gives. Is there a better online compiler or editor in this case?



I also come across errors like a missing ;, but the interpreter says:



I understand PHP is currently at 7 and most people will be using frameworks like Laravel. But I am not a developer, I am just going through this coursework to understand the security flaws.


I am also using this method to launch my test application; is there a way with fewer steps?

Use screenshot with images to circumvent the 403 issue.

Just from reading the fragment of code you have posted, I notice a missing closing bracket after the “hash_equals” function

Code:
(hash_equals(session_token, get_token) {}

I believe it is a “if..else” block you are showing and it should be properly written as

Code:
if (hash_equals(session_token, get_token)) { ... } else { ... }

I am not sure what fewer steps you want. What you have posted may not be the norm, where developers normally work with a dedicated HTTP server, but you are already using the simplistic built-in server and using the Linux service to start up MariaDB; how much easier would you like? :)

As for your CSRF concern, the easiest way is to output the CSRF token as a hidden input parameter in the form you are submitting and set your method to “POST”. The entire form submission will be POST using by default the ENCTYPE “application/x-www-form-urlencoded”, but you can also specify “multipart/form-data”.

Read up more about it at https://dev.to/sidthesloth92/understanding-html-form-encoding-url-encoded-and-multipart-forms-3lpa

davidktw

Arch-Supremacy Member
Joined
Apr 15, 2010
Messages
13,547
Reaction score
1,301
Just for fun, here is a simplistic example of how CSRF can be implemented.

Code:
$ ls
index.php
$ cat index.php
[screenshot j3rV8WT.png: the contents of index.php]


Generally the CSRF token is only refreshed after a non-read operation, so that multiple GETs, which could be a main page load with one or more Ajax calls, will not change the CSRF token. Some implementations may also choose to implement one CSRF token per session.

Thus, if after you have performed one form submission you open up the developer console to copy out a cURL request as shown in the image below,

[screenshot TYsJoar.png: browser developer console, copying the form submission as a cURL request]




you can then perform a curl request separately, as such, to simulate the event that someone creates a form on another website

Code:
curl 'http://localhost/' \
  -H 'Connection: keep-alive' \
  -H 'Pragma: no-cache' \
  -H 'Cache-Control: no-cache' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'Origin: http://localhost' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'User-Agent: XXXX' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
  -H 'Sec-Fetch-Site: same-origin' \
  -H 'Sec-Fetch-Mode: navigate' \
  -H 'Sec-Fetch-User: ?1' \
  -H 'Sec-Fetch-Dest: document' \
  -H 'Referer: http://localhost/' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: PHPSESSID=d1d4abf9f4f5c6e75e3e761e198aeeee' \
  --data-raw 'csrf=b6daf855ed70a0ceebb56056aad92db14996fcf2d04ec18abf1706e1b0a0eeee&name=davidktw&email=davidktw%40hardwarezone.com' \
  --compressed

Execution, no database needed
Code:
php -S 0.0.0.0:80
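Putting the two replies above together (hidden POST field instead of a token in the URL, hash_equals against the session copy, and a token refreshed only after a non-read operation), here is an added PHP example. It is not the index.php from the screenshot and not twinbaby's login form; the credential check is a placeholder, and the field names csrf/username/password are assumptions for the example.

```php
<?php
// Added example, not the thread's own code: a login-style form that carries
// the CSRF token in a hidden POST field and compares it against the session.
session_start();

// Issue one token per session; it is only rotated after a state-changing
// (non-read) request, so page loads and Ajax GETs keep the same token.
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrf_rotate(): void
{
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}

// Constant-time comparison; a missing, non-string or wrong token is rejected.
function csrf_valid($submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

$message = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // Placeholder for the real credential check (assumption, not the thread's code).
    $user = $_POST['username'] ?? '';
    $message = 'Form accepted for ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
    csrf_rotate(); // a non-read operation completed, so issue a fresh token
}
?>
<!DOCTYPE html>
<html>
<body>
<p><?= $message ?></p>
<form method="POST" action="index.php">
    <input type="hidden" name="csrf"
           value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
    <label>Username <input type="text" name="username"></label>
    <label>Password <input type="password" name="password"></label>
    <button type="submit">Login</button>
</form>
</body>
</html>
```

Save it as index.php and run it with the same built-in server (php -S 0.0.0.0:80); a replayed curl request with a stale or missing csrf value gets a 403, while the browser form, which always carries the current token, succeeds. For the parse-error question earlier in the thread, php -l index.php reports syntax errors with the line number before the file is served.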

twinbaby

Supremacy Member
Joined
Jul 8, 2014
Messages
5,417
Reaction score
1,499
Thanks for the below.

In the tutorial I saw, a directory was created with mkdir -p /home/www/upload instead of /var/www/upload. What is the purpose of moving away from the webroot?

By the way, do you know why, when I set

127.0.0.1:8080 www.hospital.com hospital.com

it is not working when I type in the hospital.com URL?
Please advise.

Just for fun, here is a simplistic example of how CSRF can be implemented.
 

davidktw

Arch-Supremacy Member
Joined
Apr 15, 2010
Messages
13,547
Reaction score
1,301
Thanks for the below.

In the tutorial I saw, a directory was created with mkdir -p /home/www/upload instead of /var/www/upload. What is the purpose of moving away from the webroot?

By the way, do you know why, when I set

127.0.0.1:8080 www.hospital.com hospital.com

it is not working when I type in the hospital.com URL?
Please advise.

It is up to the administrator. Web servers can handle multiple web roots, one for each virtual host. I don’t believe there is real value in the tutorial doing so, but it can be done if you like to start with a clean slate of web root file system, since the existing /var/www/html is sometimes littered with demo web pages.

Where did you set the following configuration?

Code:
127.0.0.1:8080 www.hospital.com hospital.com

In your hosts file? If it is your hosts file, you don't put in the port. It should be
Code:
127.0.0.1 www.hospital.com hospital.com

Next, your web server must also be configured to accept both hostnames. If you are using the Apache web server, it should be something like this for name-based virtual hosting

Code:
# Ensure that Apache listens on port 80
Listen 80
<VirtualHost *:80>
    DocumentRoot "...."
    ServerName www.hospital.com
    ServerAlias hospital.com

    # Other directives here
</VirtualHost>
 

AwfullySmart

Junior Member
Joined
Sep 27, 2018
Messages
85
Reaction score
0
Thanks for the below.

When I saw on the tutorial.
A directory was created with mkdir -p /home/www/upload instead of /var/www/upload, what is the purpose of moving away from the webroot.

Files in the web root are usually publicly accessible, i.e. as long as the visitors know the exact file name, they can download it freely.

By moving them to a private (non web root) folder, it would require a method/script to read and output the file to the user. And in the script, you can implement authorization checks (ACL) to make sure the user has the appropriate permission to access the file.
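The "method/script to read and output the file" described above, as an added PHP example that is not from the thread or the tutorial. It assumes the private folder is /home/www/upload (the path twinbaby quoted) and uses a placeholder session check in place of a real ACL; the script name download.php and the file query parameter are assumptions for the example.

```php
<?php
// Added example, not the thread's own code: serve a file that lives outside
// the web root only after an authorization check, and only if the requested
// name resolves to a plain file inside the private folder.
session_start();

// Assumed private folder, outside the web server's document root.
const UPLOAD_DIR = '/home/www/upload';

// Placeholder ACL (assumption for the example): any logged-in user may read.
// A real application consults its own user/role store here.
function user_may_read(array $session, string $name): bool
{
    return !empty($session['user']);
}

// Resolve the requested name to a path inside UPLOAD_DIR, or null if it is
// not a plain file there. basename() strips any directory components, and
// realpath() confirms the final location is still under UPLOAD_DIR, so
// "../" or an absolute path in the request cannot reach other files.
function resolve_private_file(string $requested): ?string
{
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $base = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$requested = $_GET['file'] ?? '';

// Authorization first: an unauthenticated visitor learns nothing about
// which names exist in the private folder.
if (!user_may_read($_SESSION, $requested)) {
    http_response_code(403);
    exit('Forbidden');
}

$path = resolve_private_file($requested);
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

Because nothing under /home/www/upload is mapped to a URL, a visitor who guesses a file name still has to pass through this script and its user_may_read check; that is the "block all by default, open what we need" arrangement discussed further down the thread.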
 

davidktw

Arch-Supremacy Member
Joined
Apr 15, 2010
Messages
13,547
Reaction score
1,301
Files in the web root are usually publicly accessible, i.e. as long as the visitors know the exact file name, they can download it freely.

By moving them to a private (non web root) folder, it would require a method/script to read and output the file to the user. And in the script, you can implement authorization checks (ACL) to make sure the user has the appropriate permission to access the file.

This is a valid point on the mention of permissions; it also makes sense with this point to move out of the web root.

However, with proper ACLs configured at the web server, it would also be possible to close off subdirectories and/or URL paths so they are totally isolated from public access and only accessible via script.

That being said, if it is about clarity, then perhaps it makes sense to do so.

In any case, how open /var/www/html is in the first place is configurable at the web server. Using /home/www/html doesn’t really make it safer. It is all about explicit ACLs properly configured, isn’t it? :)

AwfullySmart

Junior Member
Joined
Sep 27, 2018
Messages
85
Reaction score
0
This is a valid point on the mention of permissions; it also makes sense with this point to move out of the web root.

However, with proper ACLs configured at the web server, it would also be possible to close off subdirectories and/or URL paths so they are totally isolated from public access and only accessible via script.

That being said, if it is about clarity, then perhaps it makes sense to do so.

In any case, how open /var/www/html is in the first place is configurable at the web server. Using /home/www/html doesn’t really make it safer. It is all about explicit ACLs properly configured, isn’t it? :)

Yes. You are right. It's always possible to block those sub-directories in the webroot.

For private files, it's better to put in a private folder, so that it is "block all" by default, and open those that we need.

We don't want them to be in webroot public "open all" by default, and block those we don't want to allow (it might be too late when we discover an unintentional leak).

Same for inbound traffic, block all by default.