
There is no CSRF


Source | XOOPS development log
Date: 2006/6/1 9:29
Views: 63



I've seen several articles about CSRF and token/ticket systems lately, saying that such systems were secure, while I have always been against token systems. The reason is simple: such systems complicate your code and bring absolutely no additional protection. Good developers out there spending their time on ticket systems would rather work on something else than waste their precious time like that.

The point is that there is no CSRF. This is a name given to another extremely dangerous type of attack: XSS. What some brainless people called CSRF is just a particular way to exploit XSS and nothing more. However, they didn't discover anything, they just put another name on something else (the same applies to AJAX in fact: the emergence of these terms is just a symptom of a society that has become so stupid and uncreative that it tries to disguise recycling as progress).





URL: http://xoops.org.cn/modules/planet/view.article.php/940