Are we really CSRF protected?

confirm.php

<?php
 session_start();
 // Unpredictable per-form token; md5(uniqid()) is derived from the clock and is guessable.
 $token = bin2hex(random_bytes(32));
 $_SESSION['delete_customer_token'] = $token;
 session_write_close();
?>
<form method="post" action="confirm_save.php">
<input type="hidden" name="token" value="<?php echo htmlspecialchars($token, ENT_QUOTES); ?>" />
Do you really want to delete?
<input type="submit" value=" Yes " />
<input type="button" value=" No " onclick="history.go(-1);" />
</form>

confirm_save.php

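<?php
 session_start();
 // Read and immediately invalidate the single-use token.
 $token = $_SESSION['delete_customer_token'] ?? null;
 unset($_SESSION['delete_customer_token']);
 session_write_close();
 $posted = $_POST['token'] ?? null;
 // Both values must be present strings: with a loose ==, a missing session token
 // and a missing POST field compare equal (null == null).
 if (is_string($token) && is_string($posted) && hash_equals($token, $posted)) {
   // delete the record
 } else {
   // log potential CSRF attack.
 }
?>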

Suppose we have a typical CSRF protection like this. What if the attacker uses this code to bypass the CSRF token?

// On any site
<img src="http://cia.teletubbies.com/csrf.php" height="0" width="0"/>

// csrf.php
$cont = file_get_contents("http://cia.google.com/confirm.php");
// parse the HTML using PHP Simple HTML DOM Parser and get the CSRF token
// cURL and send a POST request to confirm_save.php with the token

This thing holds me, but I'm too lazy to try to attack any random site. Is it impossible?

Example code was stolen from "CSRF prevention in PHP".

Update

What happens when someone wants to transfer a token from one platform to another or from the server side to the client side? For example, Flash for PHP, how can it be protected from CSRF?

+5
2 answers

CSRF , , . , . ( , CSRF!)

, , , CSRF CSRF.

+5

CSRF , .

csrf.php , , CSRF.

+2
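
The scenario from the question, modelled in memory as an added example (not code from the question or the answers): it shows which session each request lands in when csrf.php fetches confirm.php server-side. The `login()` step, the `user` session key and all function names are assumptions made for the illustration.

```php
<?php
// Added example: in-memory model of confirm.php / confirm_save.php (no real HTTP).
// $sessions stands in for PHP's server-side session store, keyed by the session
// cookie each client sends. Function and variable names are hypothetical.
$sessions = [];

// Assumption: a login step stores the authenticated user in the session.
function login(array &$sessions, string $user): string {
    $cookie = bin2hex(random_bytes(8));
    $sessions[$cookie] = ['user' => $user];
    return $cookie;
}

// confirm.php: issue a token into the session named by the caller's cookie;
// a request without a cookie gets a brand-new, anonymous session.
function confirm_page(array &$sessions, ?string $cookie): array {
    $cookie = $cookie ?? bin2hex(random_bytes(8));
    $token = bin2hex(random_bytes(32));
    $sessions[$cookie]['delete_customer_token'] = $token;
    return [$cookie, $token];
}

// confirm_save.php: single-use token, checked against the caller's session only.
function confirm_save(array &$sessions, string $cookie, ?string $posted): string {
    $expected = $sessions[$cookie]['delete_customer_token'] ?? null;
    unset($sessions[$cookie]['delete_customer_token']);
    if (!is_string($expected) || !is_string($posted) || !hash_equals($expected, $posted)) {
        return 'rejected: token does not match this session';
    }
    $user = $sessions[$cookie]['user'] ?? null;
    return $user === null ? 'token ok, but session is anonymous' : "deleted as $user";
}

// The victim is logged in and has opened confirm.php in their browser.
$victimCookie = login($sessions, 'alice');
confirm_page($sessions, $victimCookie);

// csrf.php fetches confirm.php server-side: no victim cookie travels with it.
[$attackerCookie, $scrapedToken] = confirm_page($sessions, null);

// Forged POST through the victim's browser, carrying the scraped token.
echo confirm_save($sessions, $victimCookie, $scrapedToken), PHP_EOL;
// POST sent with cURL from the attacker's server, i.e. in the attacker's session.
echo confirm_save($sessions, $attackerCookie, $scrapedToken), PHP_EOL;
// The victim's own flow: a fresh confirm.php load followed by the real submit.
[, $victimToken] = confirm_page($sessions, $victimCookie);
echo confirm_save($sessions, $victimCookie, $victimToken), PHP_EOL;
```

Because the token is single-use, the forged POST also consumes the victim's pending token, which is why the last step reloads confirm.php before submitting.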
