Page 1 of 1

CSRF Tokens

Posted: Sat Jan 27, 2007 4:51 am
by kaisellgren
Hi,

If I have a form that uses tokens to make sure the data is NOT submitted from any other form. Is it possible to cheat the script with JS?

Code: Select all

<?php
session_start();
if (isset($_POST["submit"]))
{
if (isset($_POST["token"]) && isset($_SESSION["token"]) && $_POST["token"] == $_SESSION["token"])
echo "we have used our own form!";
else
echo "we did not use our own form!";
}
else
echo "we haven't submitted any forms yet!";
$token = md5(uniqid(rand(),true));
$_SESSION["token"] = $token;
echo <<<TEXT
<form method="post">
blahblah...
<input type="submit" name="submit" />
</form>
TEXT;
?>
One guy is saying he can bypass that token check with simple JavaScript.

Here's what he said:
I prefer not to say how I can do things in a public place... It might give people bad ideas... But If I have my code running on my computer, it will still make the session, parse the token out of the page, and the submit stuff with that token there...

EDIT: The reason is because normally you can't script across domains... But like I said, unless you know what you're doing...
He's speaking <span style='color:blue' title='I&#39;m naughty, are you naughty?'>smurf</span> right?

Re: CSRF Tokens

Posted: Sat Jan 27, 2007 9:24 am
by Buddha443556
kaisellgren wrote:If I have a form that uses tokens to make sure the data is NOT submitted from any other form. Is it possible to cheat the script with JS?
The tokens are a safeguard and no safeguard is absolute, to paraphrase Shiflett. Your using $_POST that's good. Do your users have to authenticate themselves to use the form? That would limit any attacks to individuals. You might even require a password to submit the form if it's that important. You might want to add a session value for the token time, so you can judge the freshness of the request.

Check out http://www.shiflett.org for more information on the subject of CSRF Attacks and PHP security.