/tests/http_csrf.php (ea739560cc6dbc946784d70169a442aeff9dc632) (3957 bytes) (mode 100644) (type blob)
<?php
error_reporting(E_ALL | E_STRICT);
ini_set("track_errors", "On");
$rg_cache_debug = TRUE;
$INC = dirname(__FILE__) . "/../inc";
require_once(dirname(__FILE__) . "/config.php");
require_once($INC . "/init.inc.php");
require_once($INC . "/util.inc.php");
require_once("helpers.inc.php");
require_once("http.inc.php");
rg_log_set_file("http_csrf.log");
$rg_sql = "host=localhost user=rocketgit dbname=rocketgit connect_timeout=10";
$rg_no_db = TRUE;
require_once("common.php");
$_testns = 'http_csrf';
$rg_cache_enable = TRUE;
$now = time();
test_set_ua("user-agent-1");
rg_test_create_user($db, $rg_ui);
$r = test_login($test_url, $rg_ui, $good_sid);
if ($r === FALSE) {
rg_log("Cannot login!");
exit(1);
}
rg_log_enter("Loading suggestion form (ua test)");
test_set_ua("user-agent-1");
test_set_referer($test_url);
$data = array();
$headers = array("Cookie: sid=" . $good_sid);
$r = do_req($test_url . "/op/suggestion?t=load_suggestion_form_ua", $data, $headers);
if (!stristr($r['body'], "action=\"/op/suggestion\"")) {
rg_log("Cannot load form! See above.");
exit(1);
}
$good_token = $r['tokens']['suggestion'];
rg_log_exit();
rg_log_enter("Try posting with different user-agent: should not work");
test_set_ua("user-agent-2");
$data = array(
"doit" => 1,
"token" => $good_token,
"suggestion" => "bla bla bla<xss>"
);
$headers = array("Cookie: sid=" . $good_sid);
$r = do_req($test_url . "/op/suggestion?t=post_suggestion_form_diff_ua", $data, $headers);
if (!stristr($r['body'], "invalid token")) {
rg_log("Seems I could add a suggestion bypassing CSRF"
. " protection based on user-agent! See above.");
exit(1);
}
rg_log_exit();
rg_log_enter("Loading suggestion form (referer test)");
test_set_ua("user-agent-1");
test_set_referer($test_url);
$data = array();
$headers = array("Cookie: sid=" . $good_sid);
$r = do_req($test_url . "/op/suggestion?t=load_suggestion_form_referer", $data, $headers);
if (!stristr($r['body'], "action=\"/op/suggestion\"")) {
rg_log("Cannot load form! See above.");
exit(1);
}
$good_token = $r['tokens']['suggestion'];
$good_logout_token = $r['tokens']['logout'];
rg_log_exit();
rg_log_enter("Try posting with different referer: should not work");
test_set_ua("user-agent-1");
test_set_referer("http://attacker.com:4000/bla");
$data = array(
"doit" => 1,
"token" => $good_token,
"suggestion" => "bla bla bla"
);
$headers = array("Cookie: sid=" . $good_sid);
$r = do_req($test_url . "/op/suggestion?t=post_suggestion_form_diff_referer", $data, $headers);
if (!stristr($r['body'], "invalid referer")) {
rg_log_ml("Seems I could add a suggestion bypassing CSRF"
. " protection based on referer! See above.");
exit(1);
}
rg_log_exit();
rg_log_enter("Testing logout CSRF (wrong token)...");
test_set_ua("user-agent-1");
test_set_referer($test_url);
$headers = array("Cookie: sid=" . $good_sid);
$data['token'] = strtoupper($good_token);
$r = do_req($test_url . "/op/logout?t=wrong_token", $data, $headers);
if (stristr($r['body'], "You are now logged out")) {
rg_log("No error on logout with wrong token?! See above.");
exit(1);
}
rg_log_exit();
rg_log_enter("Testing logout CSRF (token passed in cookie)...");
test_set_ua("user-agent-1");
test_set_referer($test_url);
$headers = array("Cookie: sid=" . $good_sid . "; token=" . $good_logout_token);
$data = array('doit' => 1);
$r = do_req($test_url . "/op/logout?t=token_passed_by_cookie", $data, $headers);
if (stristr($r['body'], "You are now logged out")) {
rg_log("No error on logout with token passed by cookie?! See above.");
exit(1);
}
rg_log_exit();
rg_log_enter("Testing logout CSRF (good token)...");
test_set_ua("user-agent-1");
$url = $test_url . "/op/logout?t=good_token&token=" . $good_logout_token;
$data = array();
$r = do_req($url, $data, $headers);
if (!stristr($r['body'], "You are now logged out")) {
rg_log("Seems I cannot logout with a good token! See above.");
exit(1);
}
rg_log_exit();
rg_log("OK!");
?>
Mode |
Type |
Size |
Ref |
File |
100644 |
blob |
9 |
f3c7a7c5da68804a1bdf391127ba34aed33c3cca |
.exclude |
100644 |
blob |
102 |
eaeb7d777062c60a55cdd4b5734902cdf6e1790c |
.gitignore |
100644 |
blob |
289 |
fabbff669e768c05d6cfab4d9aeb651bf623e174 |
AUTHORS |
100644 |
blob |
1132 |
dd65951315f3de6d52d52a82fca59889d1d95187 |
Certs.txt |
100644 |
blob |
549 |
41c3bdbba8ec2523fe24b84bdd46777fc13e8345 |
History.txt |
100644 |
blob |
34520 |
dba13ed2ddf783ee8118c6a581dbf75305f816a3 |
LICENSE |
100644 |
blob |
2792 |
49fb9ac116dad2789e2b30046be0c9040ec2e880 |
Makefile.in |
100644 |
blob |
4875 |
351369ca6f3895965cd98b847161c696d2052146 |
README |
100644 |
blob |
110503 |
48e2f69a9b9e2a31c1b725822495c917f741489c |
TODO |
100644 |
blob |
1294 |
f22911eb777f0695fcf81ad686eac133eb11fcc4 |
TODO-plans |
100644 |
blob |
203 |
a2863c67c3da44126b61a15a6f09738c25e0fbe0 |
TODO.perf |
100644 |
blob |
600 |
5525d768c22262f90a504a11db4fabc25ddbab8f |
TODO.vm |
040000 |
tree |
- |
21928e906ad2907a55c2e81c2a8b0502b586b8a0 |
artwork |
100644 |
blob |
3907 |
6ae9158d019f8075b0e0cb5b5b18a783b3a10fbf |
compare.csv |
100755 |
blob |
30 |
92c4bc48245c00408cd7e1fd89bc1a03058f4ce4 |
configure |
040000 |
tree |
- |
8ffdcb3d5e12de55f23f507ed41bfda98d7e9595 |
debian |
040000 |
tree |
- |
c762634e95d46059f3d8e964a7f76c9f0f73139f |
docker |
040000 |
tree |
- |
f67d3605efbd6422a8acdd953578991139266391 |
docs |
100755 |
blob |
16711 |
924262b2f8dbf3bbe02358e7f404175732e970d1 |
duilder |
100644 |
blob |
536 |
4af4a0b5ba5e8c7c33ad12d7a552517bc0acf098 |
duilder.conf |
040000 |
tree |
- |
b0cc8cc0386eddf4373339a7860e46e8f74e0202 |
hooks |
040000 |
tree |
- |
6f016c5e3adb0c1776b50802cf87d1786fa3edfa |
inc |
040000 |
tree |
- |
893c467cc64247dbe6360f5688c896e5b928c257 |
misc |
100644 |
blob |
3924 |
d71949b4bc4b8290aff66bc140e349c763d1d2cc |
rocketgit.spec.in |
040000 |
tree |
- |
8caeb9fb3ed0b5e11a48326244ce2701c5b5faeb |
root |
040000 |
tree |
- |
27c2b5605627048c31d9bffe40a779ffb5a23561 |
samples |
040000 |
tree |
- |
8e9594c013667cfa2c5d90ded0d10ceca1a74d70 |
scripts |
040000 |
tree |
- |
b2126466c4b21ed1182f727f36de39ec6fc05d02 |
selinux |
100755 |
blob |
256 |
462ccd108c431f54e380cdac2329129875a318b5 |
spell_check.sh |
040000 |
tree |
- |
cb54e074b3ca35943edfcda9dd9cfcd281bcd9e7 |
techdocs |
040000 |
tree |
- |
4cee612f5f854d74a13c4f95f1045d94fc046e13 |
tests |
040000 |
tree |
- |
63f68e921ac8d6a62ea9c3d180e072c7c4725b7d |
tools |
Hints:
Before first commit, do not forget to setup your git environment:
git config --global user.name "your_name_here"
git config --global user.email "your@email_here"
Clone this repository using HTTP(S):
git clone https://rocketgit.com/user/catalinux/rocketgit
Clone this repository using ssh (do not forget to upload a key first):
git clone ssh://rocketgit@ssh.rocketgit.com/user/catalinux/rocketgit
Clone this repository using git:
git clone git://git.rocketgit.com/user/catalinux/rocketgit
You are allowed to anonymously push to this repository.
This means that your pushed commits will automatically be transformed into a
merge request:
... clone the repository ...
... make some changes and some commits ...
git push origin main