//Make sure to run this script as a "PHP Web Page" if (php_sapi_name() === 'cli') { exit('ERROR: This script must be run from the browser.' . PHP_EOL); } $ESAPI = new ESAPI(__DIR__ . "/testresources/ESAPI.xml"); ob_start(); session_start(); $view = ''; $tests = null; if (isset($_SESSION) && isset($_SESSION['tests'])) { $tests =& $_SESSION['tests']; } else { $tests = array('csi' => 'changeSessionIdentifier', 'token' => 'verifyCSRFToken', 'cookie' => 'killAllCookies (incl. killCookie)', 'log' => 'logHTTPRequest', 'logo' => 'logHTTPRequestObfuscate'); $_SESSION['tests'] =& $tests; } $util = ESAPI::getHTTPUtilities(); $req = new SafeRequest(); $uri = ESAPI::getEncoder()->encodeForHTML($req->getRequestURI()); if ($req->getParameter('req') == 'test1') { try { $util->verifyCSRFToken($req); $view .= '<p>Your Request contained the CSRF token we have in your session. Good!</p>'; } catch (IntrusionException $e) { $view .= '<p>Your Request did NOT contain the CSRF token we have in your session. Did you tamper??</p>'; } $tests['token'] .= ' - DONE'; $oldSessID = session_id(); $sr = $util->changeSessionIdentifier(); if ($sr === true) { $view .= '<p>Your session was regenerated. ID went from: '; $view .= ESAPI::getEncoder()->encodeForHTML($oldSessID);
/** * Constructor ensures global ESAPI is set and stores an instance of * DefaultHTTPUtilities. */ protected function setUp() { $this->_httpUtils = ESAPI::getHTTPUtilities(); }