{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 \"骚年 ilove 的问题《Stopping Bot [SO] - PHP》','https://www.manongdao.com/q-854030.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I saved this code in index.php and after filling i clicked Submit button, and then a verification page was shown to me !
My question is how did it detected that it was not from the original server ?
[i hope they do not use the referrer as it can be disabled easily]
My Fake Code
<html>
<form id="post-form" action="http://stackoverflow.com/questions/ask/submit" method="post">
<input id="title" name="title" type="text" maxlength="300" tabindex="100" class="ask-title-field" value="">
<textarea id="wmd-input" name="post-text" cols="92" rows="15" tabindex="101"></textarea>
<input id="tagnames" name="tagnames" type="text" size="60" value="" tabindex="103">
<input id="submit-button" type="submit" value="Post Your Question" tabindex="120">
</form>
</html>
Can anyone guide me creating such secure page [where if a user tries to post from a dull page, he will be asked for verification] ?
I suspect that this is what
<input id="fkey" type="hidden" value="..." name="fkey">on the question submission form is for.You can create an anti-XSRF token without the element of having to remember them all on the server.
You can do this by putting the information you want to verify inside the token, typically including:
then hash this information together with a secret key and spit it out in the hidden field. When the token comes back in, you can look at the information given, hash it with the key again and see if the hash matches the user's submission.
So for example, for user ID 18936 with expiry timestamp 1304861680 (Unix time for about now), you could create a token like:
where 2A956E39 is some random salt, and the bit at the end is the hex-encoded HMAC-SHA1 hash of
18936.1304861680.2A956E39using the not-very-good secret keysecretkey.This achieves the anti-XSRF purpose, but sometimes the one-time-server-stored-token is also used to prevent a form double-submission. As-is, the hash method doesn't help with that bit. But in the specific case of creating a new entity, which is a common place double-submission-prevention is deployed, you can use the token as a unique value inserted into the DB as part of the new entity, and then refuse to create a new entity if there's already one with the token in it.