I've just finished a prototype of my new project JSCK
http://www.thespanner.co.uk/2007/10/19/jsck/

Can anyone pass the test and perform CSRF on the demo?

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

New update available now:-
http://www.thespanner.co.uk/2007/10/22/jsck-demo-update/

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

hmmmmm. ok couple of points (I use something similar/not so similar on my own sites)

caveat (requiring javascript & POST's)

1. If you are using javscript then why even bother placing the form into the page? It only provides the bot with a form to post. Instead use the document.write or create function to output your form onto the page (this way it requires the bot to retrieve the js file - you can then add some better logic into the generation script so you can mask the form data so the bot can't regonise from the source anyway)

2. If you are using javascript then why not remove the action element and instead only place it into the form using javascript when the onsubmit event is fired. This way the bot doesn't know where to post to.

Finally, of course there any much tougher ways to even implement more security into the design but for now I leave it at that.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

@digi7al64

This isn't a single protection on one site, it is intended to be used by simply including Javascript on any page and it will protect all links and forms on that page. I want to accommodate users with no javascript by displaying a confirmation form. Of course a PHP based system with more security would be more secure however this kit was intended to be pluggable easily into any PHP site even by a novice programmer.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]