Cross-Site Request Forgery (see http://en.wikipedia.org/wiki/Cross-site_request_forgery for more information) has been around for a while now. It abuses the trust a web application places in the browser: the assumption that every request the browser sends was actually wanted by its user.
Since the authors of our blog software are smart people, they implemented a CSRF protection. And not only them: even we, the not-quite-as-smart PHProjekt developers, implemented one.
There are three popular ways to protect your software against CSRF:
- using POST instead of GET
- checking the referrer header: another neat way to protect against CSRF, as long as no strange browser or proxy configuration is involved that strips the referrer header. If a submission originates from a different domain, don't trust it.
- The token can be circumvented by an XHR request that reads the original form page and extracts the token form variable.
- XMLHttpRequest.setRequestHeader('Referer', 'http://targetdomain.com/spoofedreferer.php') allows you to set a fake header.
If you want to secure your application against CSRF, make sure that there are no XSS vulnerabilities on your site either.
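The defenses discussed above combined into a single server-side check, as an added example that is not from the post or from PHProjekt's code: a state-changing request passes only if it is a POST, its Referer is our own site, and it carries the per-session token. SITE_ORIGIN, the request dicts and the session dict are constructed stand-ins for the real framework objects.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed: the origin we are protecting (scheme + host[:port]).
SITE_ORIGIN = "https://blog.example.com"


def new_session():
    """Start a session that carries a fresh, unguessable anti-CSRF token."""
    return {"csrf_token": secrets.token_hex(32)}


def same_origin(referer):
    """Referrer check: the submission must come from a page on our own site.
    A missing header is rejected; that trades off against the 'strange proxy'
    configurations mentioned in the post, but it is the safe default."""
    if not referer:
        return False
    got = urlparse(referer)
    want = urlparse(SITE_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def is_csrf_safe(request, session):
    """Accept a state-changing request only if all three defenses hold:
    1. it is a POST (a GET must never change state),
    2. its Referer points at our own site,
    3. the submitted token equals the one stored server-side in the session.
    compare_digest keeps the token comparison constant-time."""
    if request["method"] != "POST":
        return False
    if not same_origin(request["headers"].get("Referer")):
        return False
    submitted = request["form"].get("csrf_token", "")
    return hmac.compare_digest(submitted, session["csrf_token"])


if __name__ == "__main__":
    # Constructed sample traffic: one genuine form submission, one forged.
    session = new_session()
    legit = {"method": "POST",
             "headers": {"Referer": SITE_ORIGIN + "/post/new"},
             "form": {"csrf_token": session["csrf_token"]}}
    forged = {"method": "POST",
              "headers": {"Referer": "http://attacker.example/"},
              "form": {"csrf_token": "guessed"}}
    print("legit accepted:", is_csrf_safe(legit, session))
    print("forged accepted:", is_csrf_safe(forged, session))
```

The token only helps while no script from another origin can read the form page, which is exactly why the post ends with the XSS warning.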