On 02/10/2010 12:47 AM, Paweł Stradomski wrote: > All payment gateways I've dealt with used redirects (GET), not POSTs. So my > application would redirect to payment gateway page, it would do whatever it > needs and then redirect back to my page (there were also some direct server- > server requests that did not originate from the browser, but it's irrelevant). >
I haven't worked with many gateways. But those I work with currently use POST. The important thing is that the URL, or POSTed data, carries merchant id, private key, order id, amount, and a protective hash built from all of the above. The alternative is no redirect at all but server-to-server payment authorization only, so the users never leave your site. > And GET requests shouldn't be a threat from CSRF point of view, unless dev is > stupid enough to have a GET that has side effects (which it shouldn't). > GET is just easier to exploit because you can use images, don't need XSS or luring the user to a malicious site. CSRF is a case of confused deputy problem known in the 70s/80s. In my opinion > it stems exactly from the fact that browsers perform actions on users behalf > where they shouldn't (eg POSTing to arbitrary URLS without user's consent, > even though HTTP spec forbids such behaviour). > The browsers can't really tell if you wanted or not to click a particular link or send a particular POST. Clickjacking is perhaps an all too obvious exception where the browser need not be an AI to realize something is amiss. But the fact is still that stateless nature of HTTP allows for vulnerabilities that you can't protect with HTTP mechanisms alone. CSRF, session fixation, cookie hijacking, header splitting... Then again forget browsers. Let's say browsers are smart enough to prevent all that you say. What about malware (viruses) that instead of sending spam, POST data to naive apps that think browsers will protect users from doing critical or dumb things? The client is therefore irrelevant, it is the server that has to ensure the safety and validity of data received. Vlad -- You received this message because you are subscribed to the Google Groups "pylons-discuss" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/pylons-discuss?hl=en.
