
The CSRF prevention method of using a per-session token on the form is a popular way. However, I don't get how this token approach can protect anything if PHP's file_get_contents can fetch the contents of a cross-domain form --> it can get the token from the form and use it as well.

So how does this token way work?



If I understand your question well, you are imagining a possible exploit like this:

  1. Attacker creates a PHP page that will present a fake form to a target user.
  2. Attacker's PHP script will do a file_get_contents to download a form (HTML) from the target site he is trying to exploit, scrape the CSRF token out of the downloaded HTML, and add this CSRF token inside the fake form presented to the user.

  3. The unsuspecting user will submit the form, and an unintended request will be executed on the target site within the context of this user's session.

  4. The CSRF check on the target site will pass OK because we have a valid CSRF token in our request.

But wait.. do we have a valid token? Do we really? Not if the target site implements the CSRF check the right way.

The session is the key here. When you execute file_get_contents to download a form from the target site, the request executes in the context of a session of its own; the file_get_contents process is the client there, and the CSRF token generated for that request will be (must be) valid only within the context of that particular session. Later, when the target user submits your fake form, that request executes within the context of that user's session, which is different from the file_get_contents session, and thus the CSRF token will be rejected if the CSRF check is implemented by the target site in a proper way.

Here is a good article from OWASP to learn more about the recommended Synchronizer Token Pattern for CSRF prevention.

Sunday, August 21, 2022
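To make the answer above concrete, here is an added example (written for this page, not code from the answer or from OWASP) of a synchronizer token bound to the session, followed by a CLI simulation of the scraping scenario. The session store is passed in as an array so the two sessions can be simulated without cookies; in a real application you would pass $_SESSION after session_start(). The field name csrf and the demo values are assumptions.

```php
<?php
// Added example, not part of the original answer: a minimal synchronizer-token
// implementation bound to the session, plus a simulation of why a token scraped
// with file_get_contents() in one session is rejected in another session.
declare(strict_types=1);

// Issue the token for the given session, generating it once per session.
// 32 random bytes (64 hex chars) keeps the token unguessable.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Validate a submitted token against the one stored in *this* session.
// hash_equals() compares in constant time so the token does not leak via timing.
function csrf_check(array &$session, $submitted): bool
{
    return is_string($submitted)
        && isset($session['csrf_token'])
        && hash_equals($session['csrf_token'], $submitted);
}

// How it is wired into a real page (field name "csrf" is an assumption):
//
// form.php   (after session_start()):
//   <input type="hidden" name="csrf"
//          value="<?= htmlspecialchars(csrf_token($_SESSION), ENT_QUOTES, 'UTF-8') ?>">
//
// action.php (after session_start(), before any state change):
//   if (!csrf_check($_SESSION, $_POST['csrf'] ?? null)) {
//       http_response_code(403);
//       exit('CSRF token invalid');
//   }

// Simulation of the attack described in the answer (run from the CLI):
$attackerSession = [];   // the session file_get_contents() got when it fetched the form
$victimSession   = [];   // the real user's session in their browser

// The attacker scrapes the token out of the HTML served to *their* session.
$scraped = csrf_token($attackerSession);

// The victim loaded the genuine form at some point, so their session has its own token.
csrf_token($victimSession);

// The scraped token is only valid where it was issued.
var_dump(csrf_check($attackerSession, $scraped)); // bool(true)
// The fake form is submitted by the victim's browser, so the check runs against
// the victim's session, and the scraped token does not match.
var_dump(csrf_check($victimSession, $scraped));   // bool(false)
```

Two details matter for this to hold in practice: the comparison must be against the token stored server-side in the submitting user's session (never against a second copy supplied by the request itself), and the token must come from a CSPRNG such as random_bytes(). If a site instead uses one global or predictable token, the file_get_contents scrape in the question does work.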

A few years ago I benchmarked the two and CURL was faster. With CURL you create one CURL instance which can be used for every request, and it maps directly to the very fast libcurl library. Using file_get_contents you have the overhead of the protocol wrappers and the initialization code getting executed for every single request.

I will dig out my benchmark script and run it on PHP 5.3, but I suspect that CURL will still be faster.

Friday, December 16, 2022

In your URL, try:

http://user:[email protected]/ 

(append whatever the rest of the URL for your API should be)

Friday, November 4, 2022

PHP just cannot perform as fast as C, plain and simple.

Tuesday, October 4, 2022

As per the manual, set ignore_errors to true:

$opts = array(
  'http' => array(
      'method' => "GET",
      'header' => "Accept-language: en\r\n",
      'ignore_errors' => true   // return the body even on a 4xx/5xx status
  )
);
$context = stream_context_create($opts);
// target URL is a placeholder; substitute your own
$result = file_get_contents('http://example.com/', false, $context);

Monday, December 26, 2022