son_link Newbie

Posts: 1
Threads: 1
Joined: Oct 2023
Reputation: 0
05-22-2024, 04:44 AM
Good morning, afternoon or evening; sorry for my English in advance.
I am porting an old web application to CI4, and I am having the following problem when calling the API using cURL from another web application, which is made with CI3.
From that other application, which is on the same server although with a different domain, at a given time I make a POST request through cURL, but the communication fails, and in the log generated by cURL I see that the problem is with CSRF. (I changed the IP and URL for security reasons.)
Code:
* Trying 127.0.01:443...
* Connected to subdomain.myweb.com (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=OPNsense.localdomain; C=NL; ST=Zuid-Holland; L=Middelharnis; O=OPNsense self-signed web certificate
* start date: Feb 5 21:12:35 2024 GMT
* expire date: Mar 8 21:12:35 2025 GMT
* issuer: CN=OPNsense.localdomain; C=NL; ST=Zuid-Holland; L=Middelharnis; O=OPNsense self-signed web certificate
* SSL certificate verify result: self-signed certificate (18), continuing anyway.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x563eb1e89480)
> POST /index.php/api/koolpass.php HTTP/2
Host: ubdomain.myweb.com
accept: */*
keep-alive: timeout=100, max=100
connection: keep-alive
content-length: 2491
content-type: application/x-www-form-urlencoded
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 8)!
* We are completely uploaded and fine
< HTTP/2 403
* Added cookie PHPSESSID="70a3d8a88b2a1cf540d6eb984696275d" for domain ubdomain.myweb.com, path /, expire 0
< set-cookie: PHPSESSID=70a3d8a88b2a1cf540d6eb984696275d; path=/; secure; HttpOnly
< expires: Thu, 19 Nov 1981 08:52:00 GMT
< cache-control: no-store, no-cache, must-revalidate
< pragma: no-cache
< content-type: text/html; charset=UTF-8
< content-length: 563
< date: Wed, 22 May 2024 11:28:38 GMT
< server: OPNsense
<
<html><head><title>CSRF check failed</title>
<script>
$( document ).ready(function() {
$.ajaxSetup({
'beforeSend': function(xhr) {
xhr.setRequestHeader("X-CSRFToken", "WHdKODJaeEdpd3BlemFjQStXQmVVdz09" );
}
});
});
</script>
</head>
<body>
<p>CSRF check failed. Your form session may have expired, or you may not have cookies enabled.</p>
</body></html>
* Connection #0 to host educafestival.koolfest.com left intact
I have tried different CSRF configurations, and the same with cURL, but nothing: it keeps failing, and the truth is that I am already desperate.
This is the cURL code from the platform that sends the request:
PHP Code:
// The post shows only the body of the request helper; the wrapping function
// signature below is assumed so that the snippet runs on its own.
function sendApiRequest(string $url, string $method, array $params, ?string $apiKey = null)
{
    $ch = curl_init();
    $params = http_build_query($params);
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
    // Certificate checks are off because the server presents a self-signed certificate
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    if (strtoupper($method) == 'POST') {
        curl_setopt($ch, CURLOPT_POST, true);
    }
    // COOKIESESSION starts a new cookie session: session cookies (such as PHPSESSID)
    // loaded from the jar are ignored, so each call begins without the previous session.
    curl_setopt($ch, CURLOPT_COOKIESESSION, true);
    curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookie.txt');
    curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookie.txt');

    // Build the header list once: a second CURLOPT_HTTPHEADER call replaces the first,
    // so the original code lost the Keep-Alive headers whenever $apiKey was set.
    $headers = [
        'Keep-Alive: timeout=100, max=100',
        'Connection: keep-alive',
    ];
    if ($apiKey) {
        $headers[] = 'Authorization: ' . $apiKey;
    }
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

    // Verbose: write the exchange to curl.txt. Note that CURLOPT_FILE also sends the
    // response body to the file, so $resp is only true/false while this is enabled.
    $file = fopen('curl.txt', 'w+');
    curl_setopt($ch, CURLOPT_VERBOSE, true);
    curl_setopt($ch, CURLOPT_FILE, $file);
    curl_setopt($ch, CURLOPT_STDERR, $file);

    $resp = curl_exec($ch);
    curl_close($ch);
    fclose($file);
    return $resp;
}
And this is how I have configured the CSRF filter; I even tried commenting it out.
PHP Code:
public array $globals = [
    'before' => [
        // 'honeypot',
        'csrf' => ['except' => ['api/*', 'index.php/api/*']],
        // 'invalidchars',
    ],
    'after' => [
        // 'toolbar',
        // 'honeypot',
        // 'secureheaders',
    ],
];
Thanks in advance
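One way to read a verbose cURL transcript like the one in the post by script rather than by eye. This is an added Python example, not the poster's code and not part of CodeIgniter; it parses a constructed excerpt of the transcript above and reports which component answered (the `server:` response header), the status code, the title of the HTML body, and whether the request carried a `Cookie` or `X-CSRFToken` header at all. The function names `parse_curl_verbose` and `diagnose` are assumptions.

```python
import re
# Constructed excerpt modelled on the transcript in the post above (not the full log).
VERBOSE_LOG = """\
> POST /index.php/api/koolpass.php HTTP/2
Host: subdomain.myweb.com
content-type: application/x-www-form-urlencoded
* We are completely uploaded and fine
< HTTP/2 403
< set-cookie: PHPSESSID=70a3d8a88b2a1cf540d6eb984696275d; path=/; secure; HttpOnly
< server: OPNsense
<
<html><head><title>CSRF check failed</title></head><body></body></html>
"""

def _header(line, into):
    name, _, value = line.partition(":")
    into[name.strip().lower()] = value.strip()

def parse_curl_verbose(log):
    # '> ' = sent (pasted logs may prefix only the request line), '< ' = received, '* ' = curl chatter; body follows the bare '<'.
    out = {"request_line": None, "request_headers": {}, "status": None,
           "response_headers": {}, "body": []}
    in_request = in_body = False
    for line in log.splitlines():
        if in_body:
            out["body"].append(line)
        elif line == "<":
            in_body = True
        elif line.startswith("> ") and out["request_line"] is None:
            out["request_line"], in_request = line[2:], True
        elif line.startswith("< "):
            in_request = False
            m = re.match(r"HTTP/[\d.]+ (\d{3})", line[2:])
            if m:
                out["status"] = int(m.group(1))
            else:
                _header(line[2:], out["response_headers"])
        elif in_request and not line.startswith("* ") and ":" in line:
            _header(line.removeprefix("> "), out["request_headers"])
    out["body"] = "\n".join(out["body"])
    return out

def diagnose(log):
    # Who answered, with what status, and did the request carry a cookie or a CSRF header?
    p = parse_curl_verbose(log)
    title = re.search(r"<title>(.*?)</title>", p["body"])
    return {"responder": p["response_headers"].get("server", "unknown"),
            "status": p["status"], "body_title": title.group(1) if title else None,
            "sent_cookie": "cookie" in p["request_headers"],
            "sent_csrf_header": "x-csrftoken" in p["request_headers"]}
```

Run against the excerpt it reports a 403 answered by `OPNsense` with the title `CSRF check failed`, and a request that sent neither a cookie nor a CSRF header.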