[nycphp-talk] prevention of csrf attack

felix zaslavskiy felix at students.poly.edu
Sun Dec 21 22:06:01 EST 2003


I recently read Chris Shiflett's article on CSRF attacks in php|architect and it got me thinking about prevention techniques.

Chris referred to it as a shared secret, with a token that is stored in a hidden field. I don't quite consider it to be a shared secret, but in any case there is an easy way to get around it.

- The attacker would first request a form on his own and receive a token.
- Then the attacker will trick a user into using his form with the token that he retrieved himself earlier.
- The attacker can retrieve a valid token right before presenting the fake form to the user, so a timeout on the token won't prevent much.

I have been thinking of a better solution. So far I have not come up with a perfect one, but here is the one I have come up with so far.

Every page will have a hidden token sent to it by the server, which can be put in a hidden field. It would be created something like this:
$token = md5(SID . $server_secret . $random_num);
echo "<input type=\"hidden\" ... $token >";
echo "<input type=\"hidden\" ... $random_num >";

The client browser can then use JavaScript to construct an authentication code for each URL.
location.href= url + '?rn='+random_num +'&auc=' + md5(token+url+cookie_sid());

The server can easily verify the auc, but one cannot be calculated by anyone other than the server. An attacker can do a replay if he can get the URLs of the user from HTTP logs. The attacker cannot, though, do a replay without knowing the SID of the user. So I think CSRF on its own is prevented. If it's combined with XSS or looking at logs then it can't prevent it, but it still makes it more difficult.
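
The scheme described in the message above, as an added example that is not part of the original post: a Node.js sketch of the server issuing a session-bound token, the client deriving `auc`, and the server verifying it. It swaps the post's md5 concatenation for HMAC-SHA256 with a constant-time compare; the function names, session IDs, secret and URLs are constructed assumptions.

```javascript
// Added example (Node.js). Constructed values; not code from the original post.
const crypto = require('crypto');

const SERVER_SECRET = 'constructed-demo-secret'; // assumption: never leaves the server

// HMAC-SHA256 stands in for the post's md5(a . b . c) concatenation.
function mac(key, ...parts) {
  const h = crypto.createHmac('sha256', key);
  for (const p of parts) h.update(String(p.length) + ':' + p); // length prefix avoids ambiguity
  return h.digest('hex');
}

// Server: issue the per-page token and random number for one session.
function issueToken(sid) {
  const rn = crypto.randomBytes(16).toString('hex');
  return { rn, token: mac(SERVER_SECRET, sid, rn) };
}

// Client: build the per-URL authentication code, as the post's JavaScript does.
function clientAuc(token, url, sid) {
  return mac(token, url, sid);
}

// Server: recompute token and auc from the session's own SID, then compare.
function verifyRequest(sessionSid, url, rn, auc) {
  const token = mac(SERVER_SECRET, sessionSid, rn);
  const expected = Buffer.from(mac(token, url, sessionSid), 'hex');
  const given = Buffer.from(String(auc), 'hex');
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Returns [legitimate request, token issued to another session, auc reused on another URL].
function demo() {
  const victimSid = 'sid-victim-constructed';
  const otherSid = 'sid-other-constructed';
  const url = '/account/email';
  const v = issueToken(victimSid);
  const o = issueToken(otherSid); // token fetched under a different session
  return [
    verifyRequest(victimSid, url, v.rn, clientAuc(v.token, url, victimSid)),
    verifyRequest(victimSid, url, o.rn, clientAuc(o.token, url, otherSid)),
    verifyRequest(victimSid, '/account/delete', v.rn, clientAuc(v.token, url, victimSid)),
  ];
}

console.log(demo()); // [ true, false, false ]
```

Because the token is derived from the session ID, a token obtained under any other session fails verification, which is the case the three-step list in the message is concerned with.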




