The Spanner logo
    • Home
    • Blog
      • Blog home
      • RSS
    • Login
    • Home
    • Blog
      • Blog home
      • RSS
    • Login
    The Spanner logo

    The Spanner
    Web security blog

    Made by Gareth Heyes
    Follow me on Twitter: @garethheyes

    Javascript for hackers!

    Hackvertor logo
    Shazzer logo
    My Github account
    Recent posts
    Introducing Feedworm: A Privacy-First RSS Reader That Lives in DevToolsSpeedy RSVP extensionAutoVaderHackvertor history and tag finderShadow Repeater v1.2.3 releaseBurp Hackvertor v2.1.24 releaseHacking roomsXSSing TypeErrors in SafarivalueOf: Another way to get thisMaking the Unexploitable Exploitable with X-Mixed-Replace on FirefoxThe curious case of the evt parameterCSS-Only Tic Tac Toe ChallengeRewriting relative urls with the base tag in SafariBypassing DOMPurify with mXSSNew IE mutation vectorHow I smashed MentalJSMentalJS DOM bypassAnother XSS auditor bypassXSS Auditor bypassBypassing the IE XSS filterUnbreakable filterMentalJS bypassesmXSSJava SerializationBypassing the XSS filter using function reassignmentRPOSandboxed jQueryX-Domain scroll detection on IE using focusEpic fail IEnew operatorDecoding complex non-alphanumeric JavaScriptHacking FirefoxDOM ClobberingBypassing XSS AuditorThe evolution of codeNon-Alpha PHP in 6-7 charsetTweetable PHP-Non AlphaMentalJS for PHPOpera x domain with video tutorialSandboxing and parsing jQuery in 100ms

    JSCK demo update

    By Gareth Heyes (@hackvertor)

    Published 18 years 7 months ago • Last updated March 22, 2025 • ⏱️ 2 min read

    ← Back to articles

    I believe in releasing code as early as possible and often. So I've released another version of JSCK, the code isn't a complete solution at the moment and is more of a proof of concept rather than a final version you can use on live sites but it highlights the method well and should provide good security against CSRF attacks.

    Thanks to everyone who provided feedback in particular Alex AKA kuza55, he raised some very good points and highlighted potential problems.

    New features

    1. 15 minute expiry dates on all tokens.
    2. Multiple tokens can be used at once.
    3. I've added support for assigning a class to a link and form to enable/disable the token protection.
    4. The system can now calls the code from a external file which makes the code cleaner.

    Bugs/Outstanding

    1. <strike>The random code generation sometimes produces a invalid key.</strike> (Should be fixed now)
    2. Disabled Javascript support needs to be added.
    3. Doesn't work in Safari (yet).
    4. Only tested working in Firefox.
    5. Referrer checking.
    6. JQuery plugin.
    7. Fix IE
    8. Rewrite JS into DOM code.
    9. Source cleanup and final release.

    Source code

    I was going to wait until I had completed the final version but to help those of you requesting the files with WGET, I've decided to release it early :) Please do not use this code on a live web server, the kit is currently in beta and shouldn't be considered live code.

    JSCK Source code

    New JSCK demo

    ← Back to articles