CSRF Protection in PHP

Cross-site request forgery [CSRF] is a type of attack in which a user is tricked or forced into performing an unwanted action on a website they trust and are authenticated with. For example, if a user is logged into their bank and then visits a malicious site, the malicious site can use the user's session to make requests to the bank server. Essentially, the malicious script inherits the user's credentials and authorization to the bank's site and can act on the user's behalf. Since every request the user's browser makes to the bank's server includes the session and cookie data, a request initiated from another site to the bank will include this information as well. Because a CSRF attack uses the user's own browser and session, the bank server cannot tell that the request is malicious.

A simplified example of a CSRF attack is a user being logged into their bank and then visiting a page that has this image element:

To combat these attacks, the Open Web Application Security Project suggests in their Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet using the synchronizer token pattern. This method requires a unique, unpredictable challenge token, which only the server can validate, to be sent with each request, either in a hidden form field or as a variable in the request. It is also critical that the token be used only in POST requests, so that it is not exposed, for example in the Referer header of an HTTP request to a malicious site or when a user copies and pastes a URL to share with a friend.

A common technique is to derive the token from the session id combined with the name of the form/request being validated, so that every token is form/request specific and expires when the user logs out. Using the session id alone would not be enough, since it can be discovered and reused. One algorithm to generate a token is to concatenate the name of the form/request with the session id and run the result through a hashing function like md5 or sha1, like this:

This can be taken one step further by adding a secret key, which makes the token that much more difficult to duplicate:

The next step is to add this token into the form using a hidden form field:

Now, to check that the incoming form submission is valid, just verify the token:


While your site may or may not be a high-value CSRF target, CSRF prevention is very easy to implement and should be used in any application that handles a form or request. CSRF prevention must go beyond using just a static secret key or limiting form submission to POST requests; both of these approaches remain vulnerable to CSRF attacks. A unique identifier that cannot be predicted is critical to successful CSRF protection. It is also important to safeguard all POSTed requests, not just form submissions.
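The synchronizer token scheme described above, as an added example that is not code from the original post: it derives a form-specific token from the form name, the session id and a secret (using HMAC-SHA256 rather than md5/sha1), emits the hidden field, and accepts the token only on POST with a constant-time comparison. CSRF_SECRET, the form names and the field name csrf_token are placeholders.

```php
<?php
// Added example (not from the original post): synchronizer-token helpers for a
// PHP form handler. Assumes PHP 7+; the secret, form names and field name are
// placeholders you would set per application.
declare(strict_types=1);

const CSRF_SECRET = 'replace-with-a-long-random-application-secret'; // placeholder

// Derive a form-specific token from the form name, the session id and the secret.
// HMAC-SHA256 is used here instead of md5/sha1; the token still expires with the session.
function csrf_token(string $formName, string $sessionId, string $secret = CSRF_SECRET): string
{
    return hash_hmac('sha256', $formName . '|' . $sessionId, $secret);
}

// Emit the hidden field; htmlspecialchars keeps the value safely inside the attribute.
function csrf_hidden_field(string $formName, string $sessionId): string
{
    $token = csrf_token($formName, $sessionId);
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Validate a submission: POST only, token present, and a constant-time comparison
// so that response timing does not reveal how much of the token matched.
function csrf_valid(array $post, string $method, string $formName, string $sessionId): bool
{
    if ($method !== 'POST' || !isset($post['csrf_token']) || !is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals(csrf_token($formName, $sessionId), $post['csrf_token']);
}

// In a real request: session_start(); echo csrf_hidden_field('contact_form', session_id());
// and on submit: csrf_valid($_POST, $_SERVER['REQUEST_METHOD'], 'contact_form', session_id()).

// Constructed demo values (not a real session): the genuine submission validates;
// a GET, a token for another form, or a token from another session does not.
$sid  = 'constructed-session-id-123';
$good = ['csrf_token' => csrf_token('contact_form', $sid)];
var_dump(csrf_valid($good, 'POST', 'contact_form', $sid));
var_dump(csrf_valid($good, 'GET',  'contact_form', $sid));
var_dump(csrf_valid($good, 'POST', 'profile_form', $sid));
var_dump(csrf_valid($good, 'POST', 'contact_form', 'other-session'));
```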


Composer

Composer is a tool for dependency management in PHP. It allows you to declare the libraries your project depends on and it will manage (install/update) them for you.

Dependency management

Composer is not a package manager in the same sense as Yum or Apt are. Yes, it deals with “packages” or libraries, but it manages them on a per-project basis, installing them in a directory (e.g. vendor) inside your project. By default it does not install anything globally. Thus, it is a dependency manager. It does however support a “global” project for convenience via the global command.

This idea is not new and Composer is strongly inspired by node’s npm and ruby’s bundler.

Suppose:

  1. You have a project that depends on a number of libraries.
  2. Some of those libraries depend on other libraries.

Composer:

  1. Enables you to declare the libraries you depend on.
  2. Finds out which versions of which packages can and need to be installed, and installs them (meaning it downloads them into your project).

Basic Usage Of Doctrine With CodeIgniter

Let's do a contact form example to understand how to use Doctrine ORM within CodeIgniter. First, create a table named 'pd_contact' in your MySQL database like the following:

[Image: MySQL contact table schema example]

This will generate an entity class like the following:

<?php
/**
 * PdContact
 *
 * @Table(name="pd_contact")
 * @Entity
 */
class PdContact
{
    /**
     * @var integer $id
     *
     * @Column(name="id", type="integer", nullable=false)
     * @Id
     * @GeneratedValue(strategy="IDENTITY")
     */
    private $id;

    /**
     * @var string $name
     *
     * @Column(name="name", type="string", length=50, nullable=false)
     */
    private $name;

    /**
     * @var string $email
     *
     * @Column(name="email", type="string", length=50, nullable=false)
     */
    private $email;

    /**
     * @var string $subject
     *
     * @Column(name="subject", type="string", length=100, nullable=false)
     */
    private $subject;

    /**
     * @var string $message
     *
     * @Column(name="message", type="text", nullable=false)
     */
    private $message;

    /**
     * Get id
     *
     * @return integer $id
     */
    public function getId()
    {
        return $this->id;
    }

    /**
     * Set name
     *
     * @param string $name
     */
    public function setName($name)
    {
        $this->name = $name;
    }

    /**
     * Get name
     *
     * @return string $name
     */
    public function getName()
    {
        return $this->name;
    }

    /**
     * Set email
     *
     * @param string $email
     */
    public function setEmail($email)
    {
        $this->email = $email;
    }

    /**
     * Get email
     *
     * @return string $email
     */
    public function getEmail()
    {
        return $this->email;
    }

    /**
     * Set subject
     *
     * @param string $subject
     */
    public function setSubject($subject)
    {
        $this->subject = $subject;
    }

    /**
     * Get subject
     *
     * @return string $subject
     */
    public function getSubject()
    {
        return $this->subject;
    }

    /**
     * Set message
     *
     * @param string $message
     */
    public function setMessage($message)
    {
        $this->message = $message;
    }

    /**
     * Get message
     *
     * @return string $message
     */
    public function getMessage()
    {
        return $this->message;
    }
}
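Saving a contact-form submission with the PdContact entity above, as an added example that is not part of the original tutorial: the input is checked against the column lengths declared in the entity before it is persisted. It assumes an already configured Doctrine EntityManager is passed in; how CodeIgniter exposes it to a controller is not covered by the page.

```php
<?php
// Added example (not from the original tutorial): persist a PdContact built from
// POST data. Assumes the PdContact class above is autoloaded and $em is a
// configured Doctrine\ORM\EntityManagerInterface (hypothetical wiring).
declare(strict_types=1);

// Reject input that does not fit the entity's column constraints before the
// database is touched; nullable=false and the length limits are enforced here.
function build_contact(array $post): PdContact
{
    $name    = trim((string)($post['name'] ?? ''));
    $email   = trim((string)($post['email'] ?? ''));
    $subject = trim((string)($post['subject'] ?? ''));
    $message = trim((string)($post['message'] ?? ''));

    if ($name === '' || mb_strlen($name) > 50) {
        throw new InvalidArgumentException('name is required, max 50 characters');
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || mb_strlen($email) > 50) {
        throw new InvalidArgumentException('a valid email of at most 50 characters is required');
    }
    if ($subject === '' || mb_strlen($subject) > 100) {
        throw new InvalidArgumentException('subject is required, max 100 characters');
    }
    if ($message === '') {
        throw new InvalidArgumentException('message is required');
    }

    $contact = new PdContact();
    $contact->setName($name);
    $contact->setEmail($email);
    $contact->setSubject($subject);
    $contact->setMessage($message);
    return $contact;
}

// Doctrine issues a parameterised INSERT on flush(), so the values are never
// interpolated into SQL. With the IDENTITY strategy the id is set after flush().
function save_contact(Doctrine\ORM\EntityManagerInterface $em, array $post): int
{
    $contact = build_contact($post);
    $em->persist($contact);
    $em->flush();
    return (int)$contact->getId();
}
```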

Gas ORM

A lightweight and easy-to-use ORM for CodeIgniter. Gas was built specifically for CodeIgniter applications. It uses the CodeIgniter Database package, a powerful DBAL that supports numerous DB drivers. Gas ORM provides a set of methods that map your database tables and their relationships into accessible objects.

VPN (virtual private network)

A virtual private network (VPN) is a technology that creates a safe and encrypted connection over a less secure network, such as the internet.

VPN technology was developed as a way to allow remote users and branch offices to securely access corporate applications and other resources. To ensure safety, data travels through secure tunnels, and VPN users must use authentication methods — including passwords, tokens or other unique identification procedures — to gain access to the VPN server.

VPNs are used by remote workers who need access to corporate resources, consumers who may want to download files and business travelers who may want to log into sites that are geographically restricted. VPN services are critical conduits through which data can be transported safely and securely.

How a VPN works and why you should use one

The two most common types of VPNs are remote access VPNs and site-to-site VPNs.

A remote access VPN uses a public telecommunication infrastructure like the internet to provide remote users with secure access to their organization’s network. This is especially important when employees are using a public Wi-Fi hotspot or other avenues to access the internet and connect to their corporate network.

A VPN client on a remote user’s computer or mobile device connects to a VPN gateway on the organization’s network. The gateway typically requires the device to authenticate its identity. Then, it creates a network link back to the device that allows it to reach internal network resources — e.g., file servers, printers and intranets — as though the device were on the network locally.

A remote-access VPN usually relies on either IP Security (IPsec) or Secure Sockets Layer (SSL) to secure the connection, although SSL VPNs are often focused on supplying secure access to a single application rather than to the entire internal network.

Some VPNs provide Layer 2 access to the target network; these require a tunneling protocol like the Point-to-Point Tunneling Protocol or the Layer 2 Tunneling Protocol running across the base IPsec connection.


In addition to IPsec and SSL, other protocols used to secure VPN connectivity and encrypt data are Transport Layer Security and OpenVPN.

A site-to-site VPN uses a gateway device to connect an entire network in one location to a network in another — usually a small branch connecting to a data center. End-node devices in the remote location do not need VPN clients because the gateway handles the connection.

Most site-to-site VPNs connecting over the internet use IPsec. It is also common for them to use carrier MPLS clouds rather than the public internet as the transport for site-to-site VPNs. Here, too, it is possible to have either Layer 3 connectivity (MPLS IP VPN) or Layer 2 (virtual private LAN service) running across the base transport.

VPN services can also be defined as connections between specific computers, typically servers in separate data centers, when security requirements for their exchanges exceed what the enterprise network can deliver. Increasingly, enterprises also use VPN connections in either remote access mode or site-to-site mode to connect — or connect to — resources in a public infrastructure-as-a-service environment.

Newer hybrid-access scenarios put the VPN gateway itself in the cloud, with a secure link from the cloud service provider into the internal network.

Benefits of using a VPN

The justification for using VPN access instead of a private network usually boils down to cost and feasibility: It is either not feasible to have a private network — e.g., for a traveling sales rep — or it is too costly to do so.

In addition to providing a secure way for remote users to transmit or access information, VPN services are used for other purposes, as well. VPNs can hide a user’s browsing activity, which is particularly helpful with public Wi-Fi connections. VPNs also allow users to connect to sites that may be blocked geographically.

VPN performance may be affected by a variety of factors, among them the speed of users’ internet connections, the types of protocols an internet service provider uses and the types of encryption the VPN uses. VPN service performance can also be affected by poor quality of service and conditions that are outside IT’s control.

What is a proxy server?

A proxy server is a computer that sits between a client computer and the Internet and provides indirect network services to the client. It may reside on the user’s local computer or at various points between the user’s computer and destination servers on the Internet. A proxy server intercepts all client requests and either serves responses from its cache or forwards the request to the real server. A client computer connects to the proxy server, which satisfies client requests by providing the requested resource/data either from a specified server or from the local cache. Client requests include files or any other resources available on various servers.

Types of Proxy servers
Proxy servers are classified into several types based on purpose and functionality. Some of the most common types and their uses can be described as below:

Web Proxy is the most common type of proxy application, which responds to the user requests by accessing resources from cached web pages and files available on remote web servers. This facilitates quick and reliable access to data for local network clients. If the requested resource is not found in the cache, then a web proxy fetches the file from the remote server, and saves a copy in the cache before returning it to the client.

Transparent Proxy is mostly used for caching websites and overcoming simple IP bans. However, such proxies do not provide any user anonymity since the user’s original IP address is exposed. Transparent proxies are not specifically configured on the client computers.

Anonymous proxies do not hide the original IP address of the user; however, they provide adequate anonymity to most users. Anonymous proxies are easily detectable.

A distorting proxy identifies itself as a proxy server but modifies the HTTP headers to disguise the original IP address.

Tunneling proxies pass client requests and return responses without making any modifications. These are also referred to as gateway proxies.

A forward proxy responds to client requests by retrieving data from a wide range of sources on the internet. It is also referred to as an Internet-facing proxy.

Open proxies belong to the category of forward proxy servers that are accessible by any internet user, since they accept and answer requests from any client computer. Anonymous open proxies are used for user anonymity, concealing the client’s IP address.

Reverse proxies, also known as surrogates, usually receive requests from the Internet and forward them to internal network servers. A reverse proxy server forwards requests to one or more proxy servers, whose response is returned to the client computer; the user has no knowledge of the origin of the response.