
CSRF Forms - You can change the token?

Just wanted to ask a general question regarding PHP & HTML forms with CSRF tokens: you generate a random token, store it in the session variable in PHP, and output it as a hidden field in the HTML form.

But am I right in saying that, if we have in this case:

  • 1 person named Bob viewing secureform.php page
  • Same person viewing badform.php page

If Bob went to the badform.php page and a token was generated, and then went to secureform.php, got the token from secureform.php, put that into badform.php via Inspect Element and submitted it, that right there is a way to bypass CSRF, correct?

Can I have some feedback on whether this would work and how to prevent things like this from happening? If it makes sense; if not, let me know, thanks!

Bob may well be doing something that you don't want, but it is not the thing that CSRF tokens are meant to protect against.

A Cross Site Request Forgery version of the same scenario would be someone else (call them Eve) tricking Bob into submitting badform.php. Since Eve controls the contents of the form, but Bob submits it with his session cookie or other authentication information, Eve can perform actions that only Bob is authorised to do.

However, if the form requires an extra CSRF token, Eve doesn't have access to this token, so when they trick Bob into submitting the form, it's rejected. The only way Eve can get the form to validate is to trick Bob into copying a valid token from secureform.php, which is much harder than tricking them into submitting the form.
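The per-session token pattern the question describes, as an added example (not code from the question or the answer above); the function names and the `csrf_token` field/session key are my own choices:

```php
<?php
// Added example: minimal per-session CSRF token handling for the
// secureform.php / badform.php scenario. Function and key names are assumptions.
session_start();

// Generate the token once per session; the same token is reused in every
// form the server renders for this user.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256-bit random value
    }
    return $_SESSION['csrf_token'];
}

// Emit the hidden field inside a form on a page you serve (e.g. secureform.php).
function csrf_field(): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Validate on submit: the token must be present in the session and in the
// request, and must match; hash_equals avoids a timing side channel.
function csrf_valid(array $post): bool {
    if (empty($_SESSION['csrf_token']) || empty($post['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token']);
}

// Handler side, at the top of the POST processing for the protected action.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... perform the state-changing action for the logged-in user ...
}
```

With this check, Bob pasting his own token into badform.php still validates, because it is Bob's session submitting a request Bob chose to make; a form Eve hosts on another origin cannot include that token, because it exists only in Bob's session and in pages the server rendered for Bob.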
