CSRF Tokens
Posted: Sat Jan 27, 2007 4:51 am
Hi,
If I have a form that uses tokens to make sure the data is NOT submitted from any other form, is it possible to cheat the script with JS?
One guy is saying he can bypass that token check with simple JavaScript.
Code:
<?php
session_start();
if (isset($_POST["submit"]))
{
    // Accept the submission only if the posted token matches the one stored in THIS user's session.
    // hash_equals() avoids PHP's loose "==" comparison and compares in constant time.
    if (isset($_POST["token"]) && isset($_SESSION["token"]) && hash_equals($_SESSION["token"], $_POST["token"]))
        echo "we have used our own form!";
    else
        echo "we did not use our own form!";
}
else
    echo "we haven't submitted any forms yet!";
// Issue a fresh token for the next submission (random_bytes() would be stronger on modern PHP)
// and embed it in the form as a hidden field so the check above can ever succeed.
$token = md5(uniqid(rand(), true));
$_SESSION["token"] = $token;
echo <<<TEXT
<form method="post">
<input type="hidden" name="token" value="$token" />
blahblah...
<input type="submit" name="submit" />
</form>
TEXT;
?>
Here's what he said:
He's speaking smurf right?
I prefer not to say how I can do things in a public place... It might give people bad ideas... But if I have my code running on my computer, it will still make the session, parse the token out of the page, and then submit stuff with that token there...
EDIT: The reason is because normally you can't script across domains... But like I said, unless you know what you're doing...
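To see why "make the session, parse the token out of the page and submit" only ever works against the attacker's own session, here is an added Python model of the server side of the script above (not code from the thread); the session store, the two handlers and the regex parser are my assumptions.

```python
import hmac
import re
import secrets


class SessionStore:
    """Server-side session store keyed by an opaque session id (the cookie value)."""

    def __init__(self):
        self.sessions = {}

    def start(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        return sid

    def get(self, sid):
        return self.sessions.get(sid)


def render_form(store, sid):
    """GET handler: mint a fresh token, store it in this session, embed it as a hidden field."""
    token = secrets.token_hex(32)
    store.get(sid)["token"] = token
    return f'<form method="post"><input type="hidden" name="token" value="{token}" /></form>'


def handle_post(store, sid, form):
    """POST handler: accept only if the posted token equals the token bound to this session."""
    sess = store.get(sid)
    if sess is None or "token" not in sess or "token" not in form:
        return False
    ok = hmac.compare_digest(sess["token"], form["token"])  # constant-time compare
    if ok:
        del sess["token"]  # single use: a replay of the same token must fail
    return ok


def parse_token(html):
    """What the 'my code on my computer' approach does: scrape the token out of the page."""
    m = re.search(r'name="token" value="([0-9a-f]+)"', html)
    return m.group(1) if m else None


def demo():
    store = SessionStore()
    victim = store.start()
    render_form(store, victim)  # victim's browser holds a form with the victim's token
    attacker = store.start()
    scraped = parse_token(render_form(store, attacker))  # attacker fetches page, scrapes token
    own = handle_post(store, attacker, {"token": scraped})  # submit in attacker's own session
    cross = handle_post(store, victim, {"token": scraped})  # forged request riding victim's cookie
    replay = handle_post(store, attacker, {"token": scraped})  # same token a second time
    return {"own_session": own, "cross_session": cross, "replay": replay}
```

The only request that passes is the attacker posting to the attacker's own session, which is an ordinary form submission, not CSRF; a request carrying the victim's cookie but a token scraped from another session fails, and so does a replay.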