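<?php
/**
 * Manual CSRF test harness.
 *
 * This page is served without a login and with the framework's own anti-CSRF
 * and HTML-style checks disabled, because it is NOT the page under test: it
 * only hosts forms that submit to a second Dolibarr instance ("server B").
 * Because it is public and weakens protections, it must never be reachable on
 * a production instance; the $dolibarr_main_prod guard below enforces that.
 *
 * All NO* defines are read by main.inc.php and therefore have to be set
 * before the require.
 */
//define("NOLOGIN",1); // This means this output page does not require to be logged.
//if (!defined('NOREQUIREUSER')) define('NOREQUIREUSER', '1');
//if (!defined('NOREQUIREDB')) define('NOREQUIREDB', '1');
if (!defined('NOREQUIRESOC')) {
	define('NOREQUIRESOC', '1'); // The company object is not needed to render the forms
}
//if (!defined('NOREQUIRETRAN')) define('NOREQUIRETRAN', '1');
if (!defined('NOSTYLECHECK')) {
	define('NOSTYLECHECK', '1'); // Do not check style html tag into posted data
}
if (!defined('NOCSRFCHECK')) {
	define('NOCSRFCHECK', '1'); // Disable the anti-CSRF token check for THIS page only. The target page on server B keeps its own check, which is what the test observes.
}
if (!defined('NOTOKENRENEWAL')) {
	define('NOTOKENRENEWAL', '1'); // Do not renew the session anti-CSRF token when rendering this page
}
//if (!defined('NOREQUIREMENU')) define('NOREQUIREMENU', '1'); // If there is no need to load and show top and left menu
//if (!defined('NOREQUIREHTML')) define('NOREQUIREHTML', '1'); // If we don't need to load the html.form.class.php
//if (!defined('NOREQUIREAJAX')) define('NOREQUIREAJAX', '1'); // Do not load ajax.lib.php library
if (!defined("NOLOGIN")) {
	define("NOLOGIN", '1'); // Public page: can be called outside a logged session
}

require '../../main.inc.php';

// Security: refuse to serve this unauthenticated, protection-less harness on a
// production instance. accessforbidden() prints a message and terminates
// execution, so nothing below runs when the flag is set.
if ($dolibarr_main_prod) {
	accessforbidden();
}


/*
 * View
 */

header("Content-type: text/html; charset=UTF8");

// Security options
header("X-Content-Type-Options: nosniff"); // With the nosniff option, if the server says the content is text/html, the browser will render it as text/html (note that most browsers now force this option to on)
header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only from the same origin (clickjacking mitigation; this does not protect against XSS)
?>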
43 
This page hosts forms used to test whether a Dolibarr page is protected against CSRF, i.e. whether its anti-CSRF token check is actually enforced.<br>
<br>
- Edit the hard-coded target URL in this file so that it points to a state-changing page on a second Dolibarr instance (server B).<br>
- Serve this page from a different origin (virtual server A) and open it in a browser that is logged in to server B (without a session on B, a rejection only proves the login check, not the CSRF check).<br>
- Send the request to server B by clicking Submit.<br>
- Check that server B rejects the request with its anti-CSRF error instead of performing the action.<br>
50 
51 <br>
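<?php
// Target of the POST test: a page on the instance under test ("server B").
// Adjust it to your setup; it must be a page that performs a state-changing
// action from POST data so that its anti-CSRF check is exercised.
$urltosendrequest = "http://127.0.0.1/dolibarr/htdocs/user/group/card.php";
// The literal is trusted, but a tester may edit it to include a query string
// ('&', '"'), so it is escaped wherever it is written into HTML.
print 'urltosendrequest = '.htmlspecialchars($urltosendrequest, ENT_QUOTES, 'UTF-8').'<br><br>';
?>

Test post
<!-- No "token" field is sent on purpose: server B is expected to reject this
     POST with its anti-CSRF error. The commented hidden input below carries a
     bogus token and can presumably be enabled to check that a wrong token is
     rejected as well. The form opens in a new tab so this page stays usable. -->
<form method="POST" action="<?php echo htmlspecialchars($urltosendrequest, ENT_QUOTES, 'UTF-8'); ?>" target="_blank">
<!-- <input type="hidden" name="token" value="123456789"> -->
<input type="text" name="action" value="add">
<input type="text" name="nom" value="New group test">
<input type="submit" name="submit" value="Submit">
</form>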
64 
65 
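Test logout
<!-- GET-based logout test. The form is submitted manually with the button,
     consistent with the steps above; it is not auto-submitted from script,
     because the page already contains the POST test form and a scripted
     document.forms[0].submit() would fire that form on every page load
     instead of this one. The form opens in a new tab so this page stays usable.
     NOTE: the host below must be the same instance ("server B") as the POST
     test above; update it together with $urltosendrequest. -->
<form id="csrf_logout_form" action="http://localhostgit/dolibarr_dev/htdocs/user/logout.php" target="_blank">
<input type="submit" value="Submit request" />
</form>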