Home / Questions / 185206
Accepted
Eduardo
Asked: 2020-08-01 06:55:21 +0800 CST 2020-08-01 06:55:21 +0800 CST

Prevent access to an external website if it is not redirected from my site

  • 772

A website had an external website linked by a iframe, for example:

example.com/hls/archive.php?token=f4290354ed8529245633fd8266a8238c44e4ef5aa87d50ff16

I liked that content and linked it on my website, but it didn't show me the data after analyzing your website one after another I realized that my URL where the iframecontent was had to add this:

misite.com/iframe.php?noimportaesto=example.com

The domain taken by $_get= =example.comwas the key token f4290354ed8529245633fd8266a8238c44e4ef5aa87d50ff16to access the content.

From there, my idea is born to block the access of each topic that my content subdomain has (ex. view.site.com/contenido1.php) block access if it enters with an tokenexpired or invalid one, and if that is the case show a warning message communicating that you will be redirected in xseconds to another website.

But access to the content must be unique, only for that user, that is, they cannot share the generated link with the token, and if they do, the content is not displayed.

And that this tokengenerated is only valid for the content that was redirected from the domain example.comto the content: that only that URLview.site.com/contenido1.php allows access , if you try to access other content , that is not valid, you must always generate a from the domain to access to said or other content.contenido2.phptokenexample.com

If the security of is broken token cookieor is not found, it simply becomes false, and if it exists it becomes true.

The token will be generated using new PHP technology , including the use of: bin2hex(random_bytes)orbin2hex(openssl_random_pseudo_bytes) .

No use of database or use of .htaccess, the tokenonly one must be saved in one cookieand must expire within 4 hours.

So far I can generate a token, but I don't know how to validate it with the comments:

<?php
  //http://php.net/manual/es/function.phpversion.php
  //echo 'Versión actual de PHP: ' . phpversion();

  session_start();
  $expiry_timestamp = time() + $expiry;
  //https://davidwalsh.name/random_bytes //https://secure.php.net/random_bytes
  //$token = bin2hex(random_bytes(64)); //Disponible apartir de PHP V 7.
  $token = bin2hex(openssl_random_pseudo_bytes(64));
  $time_token = 12000;
  $time_token = srand(floor(time() / $time_token));
  //echo $token;
  $_SESSION['token']=$token;
?>
<html>
    <head>
    </head>
    <body>  
        <a href= "view.site.com/contenido1.php?token=<?php echo $_SESSION['token']; ?>">Contenido 1</a>
    </body>
</html>

I do not understand very well how this process would work, can you explain the subject better to me. tokenI must work something similar Deactivate session after a while only that instead of sesiónusing one cookiethat matches the tokenonly one generated for that user, taking the domain and subdomain as reference keys.

Font:

php

3 Answers

  1. Best Answer

    After the chat, the conclusion is as follows:

    • In order for the user to accesswww.mipagina.com/seccion1, www.mipagina.com/seccion2, www.mipagina.com/seccion3,etc
    • First you must go through www.miotrapagina.com/generarTokenand select which section you want the token to

    On the page that generates the token, the form is used to send the parameters seccionand tokenin POST format and thus keep the data safe and out of sight

    generarToken.php:

    <form id="myForm" action="www.miotrapagina.com/validarToken.php?Secreto24A" method="post">
    <?php
        $seccion = $_GET["seccion"]; 
        $token = bin2hex(random_bytes(64));
        echo "<input type=\"hidden\" name=\"seccion\" value=\"$seccion\">";
        echo "<input type=\"hidden\" name=\"token\" value=\"$token\">";
    ?>
</form>
<script type="text/javascript">
    document.getElementById('myForm').submit();
</script>

    On the other page where you only want to access via the token in the cookie, you will first have to set that token for the section so:
    validarToken.php:

    // Te aseguras que solo lo que redirijas con la clave pueda acceder a este archvio,
// sino lo sacas fuera
$origen = $_SERVER['REQUEST_URI']; 
if($origen!= "/validarToken.php?Secreto24A"){
   header("location:../");
}

// Obtienes las 2 variables post que tienen la seccion y el token a establecer
$seccion = $_POST["seccion"];
$token = $_POST["token"];


//Obtienes el la hora acutual y le sumas 4 horas
$time = 'Tue May 15 10:14:30 +0000 2012';
$horaExpiracion = new DateTime($time);
$horaExpiracion->modify('+ 4 hour');

// Inicias la session y estableces en el array secciones, la sección 
// activada y su fecha de expiracion
session_start();
$_SESSION["secciones"][$seccion] = ["token" => $token,
         "horaExpiracion"=>$horaExpiracion];

// Despues finalmente lo llevas a inicion
header("location:../");

    At this point the user has a cookie in which he has one seccionwith a unique token.

    The only thing left is to add a few lines of code in all the sections that you want to protect by token :

    $seccionActual = "Seccion1"; // EL nombre de la seccion donde esta este codigo;
session_start();

// Obtienes el array que contiene las secciones y sus tokens del usuario
$secciones = $_SESSION["secciones"];
$exite = false;

// Compruebas si tiene token de esa sección
foreach ($secciones as $nombreSeccion => $datos) {
    if($nombreSeccion == $seccionActual){
    $existe = true;
}
if(!$existe){
   // Dirección a algún sitio si no tiene el token de esta sección
   header("location:  ");
}

// Obtienes la hora en la que expira el token de esta seccion
$horaExpiracion = $secciones[$seccionActual]["horaExpiracion"];

// Variable con la hora actual
$time = 'Tue May 15 10:14:30 +0000 2012';
$horaActual = new DateTime($time);
if($horaActual > $horaExpiracion){
   // Redireccion a algun sitio si el token esta expirado
   header("location: /seccion1.php  ");
}

// Si ha llegado hasta aqui significa que el token es correcto
// y todavia no ha expirado, por lo tanto:
// TU CODIGO...

    Explanation of operation

    1. To generate a token in www.mipagina.commust access to www.mipagina.com/gerarTokne.php?seccion=seccionInicialwhich has to have a parameter sección .
    2. This file phpwill generate a token for said section and through the form it will redirect the user to the other page through a POST, thus sending the section and the token securely.
    3. On the other page, the file validarToken.phpwill receive the requests POSTand will add another section to the variable $_SESSION["secciones"]that contains an array, in which it will establish an expiration date for said token. When finished, it will redirect the user to the section having the token already validated.
    4. The verification code must be established at the beginning of each section, in this way it will check if the token and the time are correct and if it turns out not to be, it will redirect you from the selection to another selected site.

    It has a small security hole since when the file generarToken.phpcreates the form, in the developer tools the values ​​are visible for a few milliseconds. Even so, the redirection to this page and the time it takes to get you out of it is very small for users to find out and in any case the biggest problem would be that a user could see what their token is for the section but in no case validate it himself or weigh it to someone to use it since the next file would reject it.

    • 4

  2. Edit to use safer techniques.

    To generate tokens (hmacs) based on shared keys with expiration time, this algorithm can be used:

    envia_hmac.php

    <?php
date_default_timezone_set("UTC");
define('APP_KEY', "952e61a5f7bec82d01cc98493abb08c47eadcb901c0c8950937fd05c3fa3cd2f");

/****************************************/

define('APP_DEFAULTS_ALGORITHM', 'sha256');
function firmaCosas(
  $cosas = array(),
  $firma = NULL,
  $algo = APP_DEFAULTS_ALGORITHM
){
  $resultado = NULL;
  if(
    !empty($cosas) &&
    !empty($firma)
  ):
    $resultado = hash_hmac($algo, implode( ".", $cosas ), $firma);
  endif;
  return $resultado;
}

/****************************************/

$msg = "algo para mostrar";
$timestamp = time();

$firma = firmaCosas(array($msg, $timestamp), APP_KEY);
?>
<form method="get" action="recibe_hmac.php">
  <input type="hidden" name="firma" value="<?php echo $firma; ?>" />
  <input type="hidden" name="timestamp" value="<?php echo $timestamp; ?>" />
  <input type="hidden" name="msg" value="<?php echo $msg; ?>" />
  <textarea name="texto">
  </textarea>
  <input type="submit" value="enviar"/>
</form>

    recibe_hmac.php

    <?php
date_default_timezone_set("UTC");
define('APP_KEY', "952e61a5f7bec82d01cc98493abb08c47eadcb901c0c8950937fd05c3fa3cd2f");

/****************************************/

define('APP_DEFAULTS_ALGORITHM', 'sha256');
function firmaCosas(
  $cosas = array(),
  $firma = NULL,
  $algo = APP_DEFAULTS_ALGORITHM
){
  $resultado = NULL;
  if(
    !empty($cosas) &&
    !empty($firma)
  ):
    $resultado = hash_hmac($algo, implode( ".", $cosas ), $firma);
  endif;
  return $resultado;
}

/****************************************/

define('MINUTOS', 15);

// Si tenemos firma y timestamp
if (
  !empty($_GET['firma']) &&
  !empty($_GET['timestamp'])
) :
  // recreamos la firma juntando mensaje y timestamp usando nuestro APP_KEY
  $msg = !empty($_GET['msg'])?$_GET['msg']:'';
  $timestamp = $_GET['timestamp'];
  $mifirma = firmaCosas(array($msg, $timestamp), APP_KEY);

  // calculamos la diferencia entre el timestamp recibido y el actual
  $mitimestamp = time();
  $dateFormat = DATE_ATOM;
  var_dump(
    "actual : " . date($dateFormat, $mitimestamp),
    "emitido: " . date($dateFormat, $timestamp),
    "validez: " . date($dateFormat, $timestamp + MINUTOS * 60 ),
    "$mitimestamp > ( $timestamp + " . MINUTOS. " * 60 )", $mitimestamp > ( $timestamp + MINUTOS * 60 ),
  );
  // si han pasado mas de x segundos (MINUTOS * 60)
  // también expresable como:
  // if ($mitimestamp - $timestamp - MINUTOS * 60 > 0)
  if( $mitimestamp > ( $timestamp + MINUTOS * 60 ) ) :
    die("CUAK! el token ha expirado"); // el token ha expirado
  endif;

  // comparamos si las dos firmas son iguales
  if (
    hash_equals(
    $mifirma,
    $_GET['firma'])
  ) :
    // OK imprimimos
    var_dump( "GET:", $_GET );
  else :
    die("CUAK! la firma no es válida"); // la firma no es válida
  endif;
else :
  die("CUAK! faltan campos"); // faltan campos
endif;

    Differences with the simple version:

    • the token/hash is generated using hash_hmac in this way a hash derived directly from the key is not used but two passes are made generating internal and external keys, in the first pass a hash is generated with the message and the internal key, the second pass takes this hash and generates the final hmac with the foreign key, providing better immunity against length attacks.

    • the hash algorithm used in this example is sha-256, the full list of supported algorithms is given by the hash_hmac_algos function

    • the message is built from an array of two public fields: timestamp (to calculate the expire) and the text to send (if either of the two changes, the signature is invalid)

    • The comparison of the received hash against the hash that we generated from the data and our version of the key is done with the hash_equals function that protects against timing attacks.

    ** It is possible to generate two hashes and that one only has a verifiable public part, the second hash depends on the first and includes other information, in this way there is another shared secret that can indicate a resource, an extra token that is exchanged behind ( server to server, sockets, shared filesystem, etc...), or an allowed action, current section, etc... (if the hmac with public component is valid, so will the second one)

    plain version with md5 hash

    In both domains you have defined the secret key

    $APP_SECRET_KEY = "laclavesupersecreta";

    create token code:

    $timestamp = time();
$signature = strtoupper(md5($timestamp . $APP_SECRET_KEY));

$token = $timestamp."x".$signature;

echo ("Token:".$token.PHP_EOL);
echo ("timestamp:".$timestamp.PHP_EOL);
echo ("signature:".$signature.PHP_EOL);

    code verify token :

    // simulo un retraso por si lo metes todo en un solo script
sleep(5);
// recupero el timestamp y el hash
$destoken = explode('x', $token);
$time = $destoken[0];
$hash = $destoken[1];

// saco la diferencia de tiempos para expirar el token
$timeDiff = time() - $time;
// reconstruyo el token con mi versión de la clavesecreta
$signature = strtoupper(md5($time . $APP_SECRET_KEY));



if ($timeDiff > 4 * 60 * 60) :
  // si hay mas de 4 horas de diferencia
  echo "ERROR ERROR PASó MUCHO TIEMPO".PHP_EOL;
  die("token expirau");
endif;



if ($signature !== $hash ) :
  // los hashes no coinciden
  echo "ERROR ERROR EL TOKEN NO SIRVE".PHP_EOL;
  die("token no válido");
endif;


echo "A PARTIR DE AQUÍ ESTA TODO BIEN".PHP_EOL;

echo ("Token:".$token.PHP_EOL);
echo ("timeDiff:".$timeDiff.PHP_EOL);
echo ("signature:".$signature.PHP_EOL);

    You can pass this token through get, post, put in a cookie, etc. The hash method in this case I put md5 but you can use the one you want. I use a separator xbut if you generate the timestamps with padding it would not be necessary, you can also change the order, insert characters, etc.

    The key is hashed, it is never (de)encrypted.

    For example:

    In dominio.comgenerating the links that include the token, wave: sub.dominio.com/pagina-que-no-se-muestra-si-no-hay-token-valido?token=1533076524x2923B7A49999D4AA216CEBC1D7CB9A14

    Here the token is being sent by getand you would receive it by get:

    On the destination page, if it $_GET['token']is empty or the token is invalid, you do not show the page.

    On other pages you can use the same password, or a different password per page.

    • 2

  3. you do it with a post, and the value can be a $_SESSION that comes from the DB, so when it arrives at your site it verifies that the post exists and that it is also the same as the one in the db, for greater security you can encrypt information before send so users will not know what parameter they are sending

    • 1