PHP · programming · ~20 mins

CSRF attacks and token protection in PHP - Practice Problems & Coding Challenges

Challenge - 5 Problems
Predict Output · intermediate
What is the output of this CSRF token check code?

Consider this PHP code snippet that checks a CSRF token from a form submission. What will it output if the submitted token matches the session token?

PHP
<?php
session_start();
$_SESSION['csrf_token'] = 'abc123';
$submitted_token = 'abc123';
// Simulate form submission
$_POST['csrf_token'] = $submitted_token;
if (isset($_POST['csrf_token']) && $_POST['csrf_token'] === $_SESSION['csrf_token']) {
    echo 'Token valid';
} else {
    echo 'Token invalid';
}
A) Token invalid
B) Session not started error
C) Undefined index error
D) Token valid
💡 Hint

Check if the submitted token matches the session token exactly.

🧠 Conceptual · intermediate
Which option best describes the purpose of a CSRF token?

What is the main reason web applications use CSRF tokens?

A) To verify that form submissions come from the legitimate user session
B) To encrypt user passwords before storing them
C) To speed up page loading by caching forms
D) To track user activity across different websites
💡 Hint

Think about how CSRF tokens protect against unauthorized form submissions.

🔧 Debug · advanced
Why does this CSRF token check always fail?

Look at this PHP code snippet. It tries to check a CSRF token but always prints 'Token invalid'. What is the bug?

PHP
<?php
session_start();
$_SESSION['csrf_token'] = 'token123';
if ($_POST['csrf_token'] === $_SESSION['csrf_token']) {
    echo 'Token valid';
} else {
    echo 'Token invalid';
}
// Simulate form submission
$_POST['csrf_token'] = 'token123';
A) The session token is overwritten after the check
B) The $_POST['csrf_token'] is checked before it is set
C) The token comparison uses the assignment operator instead of equality
D) The session is not started before accessing $_SESSION
💡 Hint

Check the order of operations and when $_POST['csrf_token'] is set.

📝 Syntax · advanced
Which option contains a syntax error in CSRF token generation?

Which PHP code snippet will cause a syntax error when generating a CSRF token?

A) $_SESSION['csrf_token'] = bin2hex(random_bytes(32))
B) $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); echo 'Token set';
C) $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
D) $_SESSION['csrf_token'] = bin2hex(random_bytes(32));;
💡 Hint

Look carefully for missing semicolons.

🚀 Application · expert
How many items are in the CSRF token array after this code runs?

This PHP code stores multiple CSRF tokens for different forms in the session. How many tokens are stored in $_SESSION['csrf_tokens'] after running?

PHP
<?php
session_start();
$_SESSION['csrf_tokens'] = [];
for ($i = 1; $i <= 3; $i++) {
    $_SESSION['csrf_tokens']['form' . $i] = bin2hex(random_bytes(16));
}
unset($_SESSION['csrf_tokens']['form2']);
A) 1
B) 0
C) 2
D) 3
💡 Hint

Count how many tokens are added and then removed.