* Carl Johnstone <catal...@fadetoblack.me.uk> [2009-01-22 12:55]:
> Aristotle Pagaltzis wrote:
> > <img src="http://yourapp.example.org/addressbook/delete/all">
> >
> > into a page they control and then send a link to that page to
> > your users. If you allow destructive actions on GET, you have
> > just allowed for your users to be screwed over through no
> > fault of their own.
>
> Note that using POST rather than GET doesn't protect you from
> this specific problem - it's still possible to form a CSRF
> request with a POST action.
Yeah, but POST-based CSRF isn't as cheap – you have to trick the visitor into clicking a button or you have to set up the CSRF attack in a place where you can put Javascript in the page. This means you have to put some effort into it.

Exploiting non-idempotent-GET-based CSRF is extremely cheap. It is so cheap that any prankster can do it within 2 minutes. A comment on a weblog that allows images in comments will do. A comment on a LiveJournal posting will do. Shrouding the URL with TinyURL or other shortening services and posting it to Twitter or IRC will do. And on and on.

Avoiding GET for non-idempotent actions doesn't make it difficult to launch CSRF attacks, but it drastically reduces the number of venues that can serve as attack vectors, and so excludes most random pranksters from the pool of potential attackers. It also avoids a lot of potential for accidental data loss due to various kinds of programmatic agents.

It's just good web app hygiene.

Regards,
--
Aristotle Pagaltzis // <http://plasmasturm.org/>

_______________________________________________
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
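Both points in the thread, refusing GET for the destructive `/addressbook/delete/all` action and then still requiring a per-session token on POST because a forged POST is also possible, as an added Catalyst controller example that is not from the original thread or from the Catalyst project. It assumes Catalyst::Plugin::Session is loaded, that `$c->user` comes from the Authentication plugin, and that the `DB::Contact` model and `addressbook/index.tt` template are hypothetical names.

```perl
package MyApp::Controller::AddressBook;
use Moose;
use namespace::autoclean;
use Digest::SHA qw(sha256_hex);

BEGIN { extends 'Catalyst::Controller' }

# Hypothetical helper: return this session's CSRF token, creating it on first use.
# Assumes Catalyst::Plugin::Session, so $c->session and $c->sessionid exist.
sub csrf_token {
    my ($c) = @_;
    $c->session->{csrf_token} //= sha256_hex( join '|', $c->sessionid, time, rand );
    return $c->session->{csrf_token};
}

# /addressbook/delete/all: never act on GET, and require the session token on POST.
sub delete_all : Path('delete/all') : Args(0) {
    my ( $self, $c ) = @_;

    # An <img src="..."> or a shortened link can only produce a GET, so a GET
    # here is never a legitimate request for this action: answer 405, do nothing.
    if ( $c->req->method ne 'POST' ) {
        $c->res->status(405);
        $c->res->header( Allow => 'POST' );
        $c->res->body('Method Not Allowed: this action requires POST');
        return;
    }

    # A POST forged from a third-party page cannot carry the token that lives in
    # this user's session, so a missing or mismatching token is rejected. (A
    # constant-time comparison is preferable to 'ne' in production code.)
    my $sent     = $c->req->body_params->{csrf_token} // '';
    my $expected = csrf_token($c);
    if ( !length $sent || $sent ne $expected ) {
        $c->res->status(403);
        $c->res->body('Forbidden: missing or invalid CSRF token');
        return;
    }

    # Assumed model: delete only the contacts owned by the logged-in user.
    $c->model('DB::Contact')->search( { owner => $c->user->id } )->delete;
    $c->res->redirect( $c->uri_for('/addressbook') );
}

# /addressbook: render the form that submits the token as a hidden field.
sub index : Path : Args(0) {
    my ( $self, $c ) = @_;
    $c->stash->{csrf_token} = csrf_token($c);
    $c->stash->{template}   = 'addressbook/index.tt';   # assumed template
}

__PACKAGE__->meta->make_immutable;
1;
```

The template is expected to emit `<input type="hidden" name="csrf_token" value="[% csrf_token %]">` inside a `method="POST"` form, so only a form rendered by this application for this session can reach the delete branch.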