leonardini / brontosaurus
PHP security auditor for websites
Installs: 1 340
Dependents: 0
Suggesters: 0
Security: 0
Stars: 0
Watchers: 0
Forks: 0
Open Issues: 3
Requires
- symfony/yaml: ^4.2 || ^5.0
Requires (Dev)
- phpunit/phpunit: ^8.1 || ^9.0
This package is auto-updated.
Last update: 2024-01-29 03:20:47 UTC
README
Brontosaurus
Brontosaurus is a security tool for your PHP website.
Current features include:
- Form tokens validation
Installation
The easiest way to install Brontosaurus is with Composer:
composer require leonardini/brontosaurus
If you prefer, you can download the latest release and manually add the files to your project. Keep in mind that this is discouraged, as you won't be able to easily update the library.
WARNING: with a manual install, make sure to `require_once` every file inside the `src` folder, since there is no Composer autoloader to do it for you.
Getting Started
NOTICE: this tutorial assumes that you've installed Brontosaurus using Composer. If you haven't, you can still follow along, but some parts will be different.
To be able to use Brontosaurus you have to `require_once` the `autoload.php` file inside Composer's vendor folder:
```php
require_once("vendor/autoload.php");
```
This is actually the only thing you need to do to get Brontosaurus and all its tools up and running. For a usage example see the next section about Form Tokens.
Form Tokens
When your website has a form, you usually want to receive submissions only from your legitimate page and not from other sources, such as unauthorized third-party services (the classic cross-site request forgery scenario).
Keeping in mind that this problem cannot be completely solved, Brontosaurus has a nice tool to help you make your forms a little bit more secure.
This works by generating a hidden random token every time the form page is loaded. The token is then sent to the server together with the form data and checked against the tokens saved in the session. The user could have multiple browser tabs open, and to support that the last 20 tokens are saved in the session (that number is customizable, check the configuration section). Because the tokens live in the PHP session, session handling must be active both on the page that renders the form and on the endpoint that receives the submission.
The code you need on the form page is the following:
```php
// It is extremely important that a descriptive form name is provided as parameter,
// because tokens must be strictly linked to every form of your website
$token = \Brontosaurus\FormToken\generateToken("form_name");
// The token must be sent to the server in a 'form_token' parameter,
// for security only POST requests are supported
echo "<input type=\"hidden\" name=\"form_token\" value=\"$token\">";
// The form name must be sent in a 'form_name' parameter, too
echo "<input type=\"hidden\" name=\"form_name\" value=\"form_name\">";
```
To check the validity of the token you will use:
```php
$validation = \Brontosaurus\FormToken\validateToken("form_name");
if ($validation->isSuccessful()) {
    // The token comes from your form
} else {
    // The token has not passed the check
}
```
More detail about the validation outcome can be obtained with `$validation->getCode()`; have a look at the `ValidationCode` enum for the possible values.
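To make the mechanism concrete, here is an added example that reimplements the scheme described above from scratch. It is not Brontosaurus's own code: the `$store` array stands in for `$_SESSION` so the script runs from the CLI, the result strings are illustrative and are not the library's `ValidationCode` enum, and consuming a token on first successful use (so a captured token cannot be replayed) is a choice made by this example, which the page does not state the library makes.

```php
<?php
// Added example, not part of Brontosaurus. $store stands in for $_SESSION.
declare(strict_types=1);

const MAX_TOKENS = 20; // same default as the page describes (form_token.maximum_tokens)

/**
 * Generate a fresh token for $formName and remember it in the per-form list,
 * keeping only the newest $max so many tabs can be open at once.
 */
function generateToken(array &$store, string $formName, int $max = MAX_TOKENS): string
{
    $token = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG
    $store['form_tokens'][$formName][] = $token;
    // Oldest tokens fall off the front once the cap is reached
    $store['form_tokens'][$formName] = array_slice($store['form_tokens'][$formName], -$max);
    return $token;
}

/** Render the two hidden inputs; both values are HTML-escaped before being echoed. */
function hiddenFields(string $formName, string $token): string
{
    return sprintf(
        "<input type=\"hidden\" name=\"form_name\" value=\"%s\">\n"
        . "<input type=\"hidden\" name=\"form_token\" value=\"%s\">",
        htmlspecialchars($formName, ENT_QUOTES),
        htmlspecialchars($token, ENT_QUOTES)
    );
}

/**
 * Validate a submission: POST only, form_name must match the form being checked,
 * and the token must be one issued for that form. Codes here are illustrative strings.
 */
function validateToken(array &$store, string $formName, string $method, array $post): string
{
    if ($method !== 'POST') {
        return 'WRONG_METHOD';
    }
    if (($post['form_name'] ?? null) !== $formName) {
        return 'WRONG_FORM';
    }
    $submitted = $post['form_token'] ?? '';
    if (!is_string($submitted) || $submitted === '') {
        return 'MISSING_TOKEN';
    }
    $issued = $store['form_tokens'][$formName] ?? [];
    foreach ($issued as $i => $candidate) {
        if (hash_equals($candidate, $submitted)) {      // constant-time comparison
            unset($issued[$i]);                          // one-time use (this example's choice)
            $store['form_tokens'][$formName] = array_values($issued);
            return 'OK';
        }
    }
    return 'UNKNOWN_TOKEN';
}

// --- demo with a constructed in-memory session ---
$session = [];

$token = generateToken($session, 'signup');
echo hiddenFields('signup', $token), "\n";

// Legitimate submission, then a replay of the same token
echo validateToken($session, 'signup', 'POST', ['form_name' => 'signup', 'form_token' => $token]), "\n";
echo validateToken($session, 'signup', 'POST', ['form_name' => 'signup', 'form_token' => $token]), "\n";

// A token issued for one form must not validate another form
$other = generateToken($session, 'signup');
echo validateToken($session, 'login', 'POST', ['form_name' => 'login', 'form_token' => $other]), "\n";

// GET submissions are rejected regardless of the token
echo validateToken($session, 'signup', 'GET', ['form_name' => 'signup', 'form_token' => $other]), "\n";

// Opening more than MAX_TOKENS tabs evicts the oldest token
$first = generateToken($session, 'profile');
for ($i = 0; $i < MAX_TOKENS; $i++) {
    generateToken($session, 'profile');
}
echo validateToken($session, 'profile', 'POST', ['form_name' => 'profile', 'form_token' => $first]), "\n";
```

Run it with `php example.php`. The last case is the caveat behind the "last 20 tokens" rule in the text: a form page left open for longer than the user's last 20 form loads will fail validation, so the cap is a trade-off between tab support and how many live tokens an attacker who compromises the session store would find.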
Configuration
Brontosaurus can be configured through a yml file. To load the config file use:
```php
\Brontosaurus\Config::loadFromFile(__DIR__."/config.yml");
```
You can also unload your custom configs (the default ones will be restored):
```php
\Brontosaurus\Config::unloadConfig();
```
This is an example config file:
```yaml
form_token:
  maximum_tokens: 40
```