Home Explore Help
Sign In
iProspective
/
dolibarr
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 45c9e6064e
Branches Tags
dolibarr
/
htdocs
/
public
/
test
/
test_csrf.php

test_csrf.php 2.5 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172 
  1. <?php
    2. 

  2. //define("NOLOGIN",1);		// This means this output page does not require to be logged.
    3. 

  3. //if (!defined('NOREQUIREUSER'))  define('NOREQUIREUSER', '1');
    4. 

  4. //if (!defined('NOREQUIREDB'))    define('NOREQUIREDB', '1');
    5. 

  5. if (!defined('NOREQUIRESOC')) {
    6. 

  6. 	define('NOREQUIRESOC', '1');
    7. 

  7. }
    8. 

  8. //if (!defined('NOREQUIRETRAN'))  define('NOREQUIRETRAN', '1');
    9. 

  9. if (!defined('NOSTYLECHECK')) {
    10. 

  10. 	define('NOSTYLECHECK', '1'); // Do not check style html tag into posted data
    11. 

  11. }
    12. 

  12. //if (!defined('NOREQUIREMENU'))  define('NOREQUIREMENU', '1'); // If there is no need to load and show top and left menu
    13. 

  13. //if (!defined('NOREQUIREHTML'))  define('NOREQUIREHTML', '1'); // If we don't need to load the html.form.class.php
    14. 

  14. //if (!defined('NOREQUIREAJAX'))  define('NOREQUIREAJAX', '1'); // Do not load ajax.lib.php library
    15. 

  15. if (!defined("NOLOGIN")) {
    16. 

  16. 	define("NOLOGIN", '1'); // If this page is public (can be called outside logged session)
    17. 

  17. }
    18. 

  18. 

  19. // Load Dolibarr environment
    20. 

  20. require '../../main.inc.php';
    21. 

  21. 

  22. // Security
    23. 

  23. if ($dolibarr_main_prod) {
    24. 

  24. 	accessforbidden();
    25. 

  25. }
    26. 

  26. 

  27. 

  28. /*
    29. 

  29.  * View
    30. 

  30.  */
    31. 

  31. 

  32. header("Content-type: text/html; charset=UTF8");
    33. 

  33. 

  34. // Security options
    35. 

  35. header("X-Content-Type-Options: nosniff"); // With the nosniff option, if the server says the content is text/html, the browser will render it as text/html (note that most browsers now force this option to on)
    36. 

  36. header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (stop some XSS attacks)
    37. 

  37. ?>
    38. 

  38. 

  39. This is a form to test if a CSRF exists into a Dolibarr page.<br>
    40. 

  40. <br>
    41. 

  41. - Change url to send request to into this file (URL to a hard coded page on a server B)<br>
    42. 

  42. - Open this form into a virtual server A.<br>
    43. 

  43. - Send the request to the virtual server B by clicking submit.<br>
    44. 

  44. - Check that Anticsrf protection is triggered.<br>
    45. 

  45. 

  46. <br>
    47. 

  47. <?php
    48. 

  48. 	$urltosendrequest = "http://127.0.0.1/dolibarr/htdocs/user/group/card.php";
    49. 

  49. 	print 'urltosendrequest = '.$urltosendrequest.'<br><br>';
    50. 

  50. ?>
    51. 

  51. 

  52. Test post
    53. 

  53. <form method="POST" action="<?php echo $urltosendrequest; ?>" target="_blank">
    54. 

  54. <!-- <input type="hidden" name="token" value="123456789"> -->
    55. 

  55. <input type="text" name="action" value="add">
    56. 

  56. <input type="text" name="nom" value="New group test">
    57. 

  57. <input type="submit" name="submit" value="Submit">
    58. 

  58. </form>
    59. 

  59. 

  60. 

  61. Test logout
    62. 

  62. <html>
    63. 

  63.   <body>
    64. 

  64.   <script>history.pushState('', '', '/')</script>
    65. 

  65. 	<form action="http://localhostgit/dolibarr_dev/htdocs/user/logout.php">
    66. 

  66. 	  <input type="submit" value="Submit request" />
    67. 

  67. 	</form>
    68. 

  68. 	<script>
    69. 

  69. 	  document.forms[0].submit();
    70. 

  70. 	</script>
    71. 

  71.   </body>
    72. 

  72. </html>
    73.