confirm.php
<?php
session_start();
$token= md5(uniqid());
$_SESSION['delete_customer_token']= $token;
session_write_close();
?>
<form method="post" action="confirm_save.php">
<input type="hidden" name="token" value="<?php echo $token; ?>" />
Do you really want to delete?
<input type="submit" value=" Yes " />
<input type="button" value=" No " onclick="history.go(-1);" />
</form>
confirm_save.php
<?php
session_start();
$token= $_SESSION['delete_customer_token'];
unset($_SESSION['delete_customer_token']);
session_write_close();
if ($_POST['token']==$token) {
// delete the record
} else {
// log potential CSRF attack.
}
?>
Let's say we have a typical CSRF protection like this one.
What if an attacker uses this code to bypass the CSRF token?
//On any site
<img src="http://cia.teletubbies.com/csrf.php" height="0" width="0"/>
//csrf.php
$cont = file_get_contents("http://cia.google.com/confirm.php");
// parse the HTML using PHP Simple HTML DOM Parser and get the CSRF token
// cURL and send a POST request to confirm_save.php with the token
This thing keeps bugging me, but I'm too lazy to try an attack on any random site. Isn't this possible?
The example code was stolen from preventing csrf in php
Updated
What happens when someone wants to pass a token from one platform to another or from server side to the client side? Flash to PHP for instance, how could it be secured from CSRF?
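To make the session binding concrete, here is an added example (not code from the question or the linked article) that models the two pages in Python with an in-memory session store; the names `sessions`, `confirm`, `confirm_save` and the scenario functions are assumptions of this example. It shows that a token fetched by the attacker's server belongs to the attacker's own session, so a POST under the victim's cookie is rejected, and that a consumed token cannot be replayed.

```python
import secrets
import hmac

# Constructed in-memory stand-ins for PHP's session store and the two pages.
# sessions maps a session cookie value to that session's $_SESSION array.
sessions = {}

def new_session():
    """Issue a fresh session cookie, as session_start() does for a new visitor."""
    sid = secrets.token_hex(16)
    sessions[sid] = {}
    return sid

def confirm(sid):
    """confirm.php: mint a token, store it in *this* session, embed it in the form."""
    token = secrets.token_hex(16)          # CSPRNG rather than md5(uniqid())
    sessions[sid]['delete_customer_token'] = token
    return token                           # the hidden <input name="token"> value

def confirm_save(sid, posted_token):
    """confirm_save.php: accept only the token stored in the requesting session.
    Returns True if the delete proceeds, False if it should be logged as CSRF."""
    expected = sessions[sid].pop('delete_customer_token', None)  # one-shot, like unset()
    if expected is None or posted_token is None:
        return False
    return hmac.compare_digest(expected, posted_token)  # like PHP's hash_equals()

def legitimate_flow():
    victim = new_session()
    return confirm_save(victim, confirm(victim))

def cross_session_replay():
    """The scenario in the question: the attacker's server fetches confirm.php
    with its own session (it has no victim cookie), then the victim's browser
    posts that token. The token lives in the attacker's session, not the victim's."""
    victim = new_session()
    attacker = new_session()
    fetched = confirm(attacker)
    return confirm_save(victim, fetched)

def token_reuse():
    victim = new_session()
    token = confirm(victim)
    confirm_save(victim, token)
    return confirm_save(victim, token)  # second use: token already consumed

if __name__ == "__main__":
    print(legitimate_flow(), cross_session_replay(), token_reuse())
```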