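/**
 * Verifies that the request carries the CSRF token of the current session and
 * throws an IntrusionException when it does not.
 *
 * The token is used as a parameter NAME, not a value: the request is accepted
 * only if a GET or POST parameter named after the token returned by
 * getCSRFToken() is present. The parameter's value is never inspected, so
 * "missing" and "incorrect" collapse into the same case (a wrong token is
 * simply a parameter name that is absent from the request).
 *
 * If getCSRFToken() yields no token for this session the request cannot be
 * verified and is rejected (fail closed) rather than silently accepted.
 *
 * NOTE(review): because the token travels as a parameter name, callers that
 * put it into a URL query string expose it in server logs and Referer headers;
 * prefer sending it in a POST body where possible.
 *
 * @param SafeRequest $request A request object.
 *
 * @throws InvalidArgumentException if $request is not a SafeRequest.
 * @throws IntrusionException if the CSRF token is missing or incorrect.
 */
public function verifyCSRFToken($request)
{
    // Explicit negation instead of "instanceof ... == false": same result,
    // but the intent no longer depends on operator precedence.
    if (!($request instanceof SafeRequest)) {
        throw new InvalidArgumentException(
            'verifyCSRFToken expects an instance of SafeRequest.'
        );
    }

    // getCSRFToken() is defined elsewhere in this class; assumed to return
    // null or '' when the session has no token — confirm against its body.
    $token = $this->getCSRFToken();

    // Fail closed: with no session token there is nothing the request could
    // carry to prove it was issued by us, so treat it as unverified.
    if ($token === null || $token === '') {
        throw new IntrusionException(
            'Authentication failed.',
            'CSRF token verification attempted without a token in the session.'
        );
    }

    // Presence-only check. The strict null test deliberately lets an
    // empty-valued parameter (e.g. "?<token>=") count as present, as before.
    if ($request->getParameter($token) === null) {
        throw new IntrusionException(
            'Authentication failed.',
            'Possibly forged HTTP request without proper CSRF token detected.'
        );
    }
}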
} $ESAPI = new ESAPI(__DIR__ . "/testresources/ESAPI.xml"); ob_start(); session_start(); $view = ''; $tests = null; if (isset($_SESSION) && isset($_SESSION['tests'])) { $tests =& $_SESSION['tests']; } else { $tests = array('csi' => 'changeSessionIdentifier', 'token' => 'verifyCSRFToken', 'cookie' => 'killAllCookies (incl. killCookie)', 'log' => 'logHTTPRequest', 'logo' => 'logHTTPRequestObfuscate'); $_SESSION['tests'] =& $tests; } $util = ESAPI::getHTTPUtilities(); $req = new SafeRequest(); $uri = ESAPI::getEncoder()->encodeForHTML($req->getRequestURI()); if ($req->getParameter('req') == 'test1') { try { $util->verifyCSRFToken($req); $view .= '<p>Your Request contained the CSRF token we have in your session. Good!</p>'; } catch (IntrusionException $e) { $view .= '<p>Your Request did NOT contain the CSRF token we have in your session. Did you tamper??</p>'; } $tests['token'] .= ' - DONE'; $oldSessID = session_id(); $sr = $util->changeSessionIdentifier(); if ($sr === true) { $view .= '<p>Your session was regenerated. ID went from: '; $view .= ESAPI::getEncoder()->encodeForHTML($oldSessID); $view .= ' to: '; $view .= ESAPI::getEncoder()->encodeForHTML(session_id()); $view .= '</p>';