tags:

views:

11

answers:

1

Let's say I have a form <form action="delete_post.php" method="post">...</form> on my website, http://mysite.com, and the file action/delete_post.php deletes the post which matches the id given in the form.

Can somebody try to delete random posts from my website by building a site with a form:

<form action="http://mysite.com/action/delete_post.php" method="post">...</form>

and passing along the ids of posts he wants to delete [just for the fun of being evil, or to inflict damage on a competitor's website, or whatever]?

You could imagine a whole bunch of stuff someone could do by targeting your form-processing files like that, so do I need to secure my files against that sort of threat?

PS.: I am not affiliated with http://mysite.com

+3  A: 

Yes, this type of attack is called a cross-site request forgery (CSRF), and many sites are vulnerable to it.

A common way to block this attack is to include a hidden input with a randomly generated form token (even just something like md5(microtime(true)) is sufficient). Keep a list of recent valid form tokens in the user's session, and destroy them once they're used (and only keep 5 or 10 of the most recent). Don't let that action complete if the user does not have a valid form token.

MightyE
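A worked version of the per-session form token the answer describes, as an added example that is not part of the original question or answer. It assumes PHP 7 or later (random_bytes, hash_equals), a session started before the helpers run, and a hypothetical delete_post() routine for the actual deletion. It generates tokens with random_bytes rather than the md5(microtime(true)) suggested above, keeps only the most recent ten in the session, and consumes a token on first use so it cannot be replayed.

```php
<?php
// Added example, not code from the original post. Assumes PHP >= 7 and that
// session_start() has run before csrf_token()/csrf_check() are called.

session_start();

const CSRF_TOKEN_LIMIT = 10;  // keep only the most recent tokens per session

// Create a fresh single-use token, store it in the session and return it.
function csrf_token(): string
{
    $token = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG
    $_SESSION['csrf_tokens'][] = $token;
    // Drop the oldest entries so the list cannot grow without bound.
    $_SESSION['csrf_tokens'] = array_slice($_SESSION['csrf_tokens'], -CSRF_TOKEN_LIMIT);
    return $token;
}

// Validate a submitted token and remove it so it cannot be used twice.
function csrf_check(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_tokens'])) {
        return false;
    }
    foreach ($_SESSION['csrf_tokens'] as $i => $stored) {
        if (hash_equals($stored, $submitted)) {    // constant-time comparison
            unset($_SESSION['csrf_tokens'][$i]);
            return true;
        }
    }
    return false;
}

// --- Rendering the delete form (e.g. in the page that shows a post) ------
function render_delete_form(int $post_id): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form action="/action/delete_post.php" method="post">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input type="hidden" name="id" value="' . $post_id . '">'
         . '<button type="submit">Delete</button>'
         . '</form>';
}

// --- Handling the submission (action/delete_post.php) ---------------------
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing form token');
    }
    $post_id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
    if ($post_id === false || $post_id === null) {
        http_response_code(400);
        exit('Bad post id');
    }
    // delete_post($post_id, $_SESSION['user_id']);  // hypothetical helper; must also
                                                     // verify the user owns the post
    exit('Deleted');
}
```

The forged form on the attacker's site can submit an id, but it cannot read the victim's session or the token embedded in a page on http://mysite.com, so the POST arrives without a valid csrf_token and is refused. The token only proves the request came from your own form; the handler still has to check that the logged-in user is allowed to delete that particular post.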