CSFR tokens
-
Can some explain what CSFR tokens are and where the following Javascript that seems to be at the bottom of pages on my site is a worry i.e. my site’s been hacked:
<script language="JavaScript"> var tokenName = 'CSRF_TOKEN'; var tokenValue = 'xxxxxxxxxxxxxxxxx'; function updateTags() { var all = document.all ? document.all : document.getElementsByTagName('*'); var len = all.length; for(var i=0; i<len; i++) { var e = all[i]; updateTag(e, 'src'); updateTag(e, 'href'); } } function updateForms() { var forms = document.getElementsByTagName('form'); for(i=0; i<forms.length; i++) { var html = forms[i].innerHTML; html += '<input type=hidden name=' + tokenName + ' value=' + tokenValue + ' />'; forms[i].innerHTML = html; } } function updateTag(element, attr) { var location = element.getAttribute(attr); if(location != null && location != '' && isHttpLink(location)) { var index = location.indexOf('?'); if(index != -1) { location = location + '&' + tokenName + '=' + tokenValue; } else { location = location + '?' + tokenName + '=' + tokenValue; } element.setAttribute(attr, location); } } function isHttpLink(src) { var result = 0; if(src.substring(0, 4) != 'http' || src.substring(0, 1) == '/') { result = 1; } return result; } updateTags(); updateForms(); </script></html>
I’ve replaced the token with x’s. This code appears after the closing HTML tag and then a new HTML tag is open with this JS.
Can anyone advise?
[Moderator Note: Please post code or markup snippets between backticks or use the code button. As it stands, your code may now have been permanently dmaged/corrupted by the forum’s parser.]
- The topic ‘CSFR tokens’ is closed to new replies.