Is it possible to bypass CSRF token validation using file_get_contents in PHP?

Using a token in the form for each session is a popular way of preventing CSRF. However, I don't understand how this token can protect anything if file_get_contents in PHP can fetch the contents of the cross-domain form: it can then read the token out of the form and use it as well.

How does this token work?


If I understand your question well, you imagine a possible exploit like this:

  • The attacker creates a PHP page that will present the fake form to the target user.
  • PHP script file_get_contents, (HTML) , , CSRF HTML CSRF , .

  • , .

  • CSRF , CSRF

.. ? ! , CSRF .

- . file_get_contents , , file_get_contents - , CSRF, , ( ) . , , , , file_get_contents, CSRK , CSRF .

OWASP, CSRF

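The point the answer makes (a token fetched by the attacker's server is bound to the attacker's session, not the victim's) can be shown with a small simulation. This is an added example, not code from the question or the answer: the function names (issueToken, validateToken, renderForm, extractToken) are mine, and plain PHP arrays stand in for $_SESSION so the script runs from the command line without a web server.

```php
<?php
// Added example: per-session CSRF token, simulated with arrays instead of $_SESSION.

declare(strict_types=1);

// Issue a fresh random token and bind it to the given session store.
function issueToken(array &$session): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits from a CSPRNG
    $session['csrf_token'] = $token;
    return $token;
}

// Accept a submission only if the posted token matches the token stored in the
// session that sent the request. hash_equals() is a constant-time comparison.
function validateToken(array $session, ?string $posted): bool
{
    if (!isset($session['csrf_token']) || $posted === null) {
        return false;
    }
    return hash_equals($session['csrf_token'], $posted);
}

// Render the form as the server would: the token is embedded as a hidden field
// and is tied to whichever session requested the page.
function renderForm(array &$session): string
{
    $token = htmlspecialchars(issueToken($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/transfer">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input type="submit"></form>';
}

// Pull the token out of fetched HTML, as a scraper using file_get_contents()
// and a regular expression would.
function extractToken(string $html): ?string
{
    return preg_match('/name="csrf_token" value="([0-9a-f]+)"/', $html, $m) ? $m[1] : null;
}

// --- Constructed scenario (hypothetical sessions, not real data) -------------
$victimSession   = [];   // the victim's browser session, which carries the auth cookie
$attackerSession = [];   // the session the server creates for the attacker's fetch

// 1. The victim loads the form in their own session and receives a token.
renderForm($victimSession);

// 2. The attacker's server fetches the same page. The victim's cookie does not
//    travel with that request, so the token it gets is bound to the attacker's session.
$fetchedHtml = renderForm($attackerSession);
$scrapedToken = extractToken($fetchedHtml);

// 3. A forged request from the victim's browser carrying the scraped token is checked
//    against the victim's session token, which is a different random value.
var_dump(validateToken($victimSession, $scrapedToken));

// 4. A genuine submission from the victim's own form validates.
var_dump(validateToken($victimSession, $victimSession['csrf_token']));
```

Run it with php csrf_demo.php (any file name works). The first var_dump shows the scraped token being rejected and the second shows the victim's own token being accepted; the defence depends entirely on the token being compared against the session that actually submits the form, which is also why the token must be unpredictable and never derived from something the attacker can fetch anonymously.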

Source: https://habr.com/ru/post/1583924/
