Login CSRF is a type of attack where the attacker can force the user to log in to the attacker’s account on a website and thus reveal information about what the user is doing while logged in.
What can happen?
The risk varies depending on the application and is hard to evaluate from a black-box perspective.
PayPal was once vulnerable to login CSRF and the attacker could make a user log in to the attacker’s PayPal account. When the user later on paid for something online, they unknowingly added their credit card to the attacker’s account.
Another, less obvious, example is a login CSRF that once existed in Google, which made it possible for the attacker to make the user log in to the attacker’s account and later retrieve all the searches the user had made while logged in.
If public registration for the application exists, the risk of attacks drastically increases as it’s very easy for the attacker to create an account and thus know the credentials for it.
Solution
<?php
if (isset($_POST["user"], $_POST["pass"]){
// Make sure the token from the login form is the same as in the cookie
if (isset($_POST["CSRFtoken"], $_COOKIE["CSRFtoken"])){
if ($_POST["CSRFtoken"] == $_COOKIE["CSRFtoken"]){
// code for checking the user and password
}
}
} else {
$token = bin2hex(openssl_random_pseudo_bytes(16));
setcookie("CSRFtoken", $token, time() + 60 * 60 * 24);
echo '
<form method="post">
<input name="user">
<input name="pass" type="password">
<input name="CSRFtoken" type="hidden" value="' . $token . '">
<input type="submit">
</form>
'
}
?>