CSRF Tokens

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

CSRF Tokens

Post by kaisellgren »

Hi,

If I have a form that uses tokens to make sure the data is NOT submitted from any other form, is it possible to cheat the script with JS?

Code:

<?php
session_start();
if (isset($_POST["submit"]))
{
    // Accept the post only if the submitted token matches the one stored in the session.
    // Strict comparison (===) avoids PHP's loose string-to-number coercion on hex strings.
    if (isset($_POST["token"]) && isset($_SESSION["token"]) && $_POST["token"] === $_SESSION["token"])
        echo "we have used our own form!";
    else
        echo "we did not use our own form!";
}
else
    echo "we haven't submitted any forms yet!";
// Issue a new token for the next submission (rand()/uniqid() are not cryptographic random sources).
$token = md5(uniqid(rand(), true));
$_SESSION["token"] = $token;
echo <<<TEXT
<form method="post">
blahblah...
<input type="hidden" name="token" value="$token" />
<input type="submit" name="submit" />
</form>
TEXT;
?>
One guy is saying he can bypass that token check with simple JavaScript.

Here's what he said:
I prefer not to say how I can do things in a public place... It might give people bad ideas... But if I have my code running on my computer, it will still make the session, parse the token out of the page, and then submit stuff with that token there...

EDIT: The reason is because normally you can't script across domains... But like I said, unless you know what you're doing...
He's speaking smurf, right?
Buddha443556
Forum Regular
Posts: 873
Joined: Fri Mar 19, 2004 1:51 pm

Re: CSRF Tokens

Post by Buddha443556 »

kaisellgren wrote:If I have a form that uses tokens to make sure the data is NOT submitted from any other form, is it possible to cheat the script with JS?
The tokens are a safeguard and no safeguard is absolute, to paraphrase Shiflett. You're using $_POST, that's good. Do your users have to authenticate themselves to use the form? That would limit any attacks to individuals. You might even require a password to submit the form if it's that important. You might want to add a session value for the token time, so you can judge the freshness of the request.

Check out http://www.shiflett.org for more information on the subject of CSRF Attacks and PHP security.
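An added example (not code posted in this thread) of the token-time idea from the reply above: the token is stored alongside the time it was issued, a submission is rejected when the token is missing, expired or not equal, and a fresh token is issued after every request so an old one cannot be reused. It assumes PHP 7 or later for random_bytes() and hash_equals(); the 900-second lifetime is an assumed value.

```php
<?php
// Added example: CSRF token with a session timestamp so the handler can judge
// the freshness of the request. Assumes PHP 7+ (random_bytes, hash_equals).

const CSRF_MAX_AGE = 900; // assumed lifetime in seconds; tune per form

// Issue a fresh token and record when it was issued.
function csrf_issue_token(array &$session, int $now): string
{
    $token = bin2hex(random_bytes(32));   // CSPRNG, unlike md5(uniqid(rand(), true))
    $session['token'] = $token;
    $session['token_time'] = $now;
    return $token;
}

// Validate a submitted token: present, not expired, and equal in constant time.
function csrf_check_token(array $session, array $post, int $now): bool
{
    if (!isset($post['token'], $session['token'], $session['token_time'])) {
        return false;
    }
    if ($now - $session['token_time'] > CSRF_MAX_AGE) {
        return false;                     // stale token: the form must be reloaded
    }
    // hash_equals() avoids both loose == comparison and timing leaks.
    return hash_equals($session['token'], (string) $post['token']);
}

session_start();
if (isset($_POST['submit'])) {
    echo csrf_check_token($_SESSION, $_POST, time())
        ? "we have used our own form!"
        : "we did not use our own form!";
}
// Issuing a new token on every request overwrites the old one, so each token is single-use.
$token = htmlspecialchars(csrf_issue_token($_SESSION, time()), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post">
  <input type="hidden" name="token" value="$token" />
  <input type="submit" name="submit" value="Send" />
</form>
HTML;
```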