http://www.lewanzu.com/2016/04/08/input-bypasscsrf/index.htm