This project involves testing out CSRF in my basic website and protecting against CSRF attacks
AlexisNavarro/secure_website_lab2.2
secure_website_lab2.2

Purpose

The purpose of this website is to test whether a Cross-Site Request Forgery (CSRF) attack is possible and how I can defend against it. To simulate the CSRF attack, I will be using the malicious folder, which contains add_user.html (a page that attacks the website with CSRF) and protected_user.html (a page that demonstrates the defence against CSRF attacks); the two HTML forms target different versions of the website code.

NOTE: add_user.html uses the website code from website_lab2 with no modification, while protected_user.html uses the lab3_secure_web code, which is the new website code with a security modification.

Protect against CSRF attacks

To protect against a CSRF attack, the website code needs to use a session id. To do so, we create a cookie and read it with $_COOKIE['PHPSESSID']; its value is specific to the user who is logged in. This session id carries over throughout the entire website until the user logs out. The way we use it is that create_adminv2.php always passes the session id as a hidden input, which is checked when an admin account is registered. If an attacker tries to insert a malicious account into the admin DB, they cannot, because they do not have a session id, or the specific session id of the user who is currently signed in.
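The general shape of that check in PHP, as an added example that is not the repository's own create_adminv2.php: a per-session token is written into the form as a hidden field and compared on submission. The example keeps a dedicated random token in $_SESSION instead of echoing the PHPSESSID value itself, because the session cookie should never be written into page HTML; the file name create_admin.php and the field name csrf_token are assumptions.

```php
<?php
// Added example, not the project's code. Assumed file name: create_admin.php
// Defence in depth (PHP 7.3+): keep the session cookie out of scripts and
// out of cross-site POSTs even before the token check runs.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

// Issue a per-session CSRF token: random, and kept server-side in $_SESSION.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Verify the token submitted with the form against the session copy.
// hash_equals() is a constant-time comparison; a missing or wrong token fails.
function csrf_valid(?string $submitted): bool {
    if (empty($_SESSION['csrf_token']) || $submitted === null) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // Token is valid: this is where the admin account would be registered.
    $username = $_POST['username'] ?? '';
    echo 'Admin ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . ' created';
    exit;
}

$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="create_admin.php">
  <input type="hidden" name="csrf_token" value="<?= $token ?>">
  <label>Username <input type="text" name="username"></label>
  <label>Password <input type="password" name="password"></label>
  <button type="submit">Create admin</button>
</form>
```

A form served from another origin, such as the one in the malicious folder, cannot read this hidden value because of the browser's same-origin policy, so its forged POST arrives without a matching token and is rejected with 403.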
