Friday, Apr 20, 2007

Cross Site Request Forgery (CSRF) and GET & POST

The W3C advises when to use GET requests and when to use POST:

Use GET if:

  • The interaction is more like a question (i.e., it is a safe operation such as a query, read operation, or lookup).

Use POST if:

  • The interaction is more like an order, or
  • The interaction changes the state of the resource in a way that the user would perceive (e.g., a subscription to a service), or
  • The user be held accountable for the results of the interaction.


It is a widespread belief that using POST rather than GET for state-changing actions prevents the attacks known as session riding or Cross-Site Reference (or Request) Forgery (CSRF). An attacker prepares an inconspicuous link that points to a state-changing action of the web application and places it in an email or on a website. If the user is logged in to the web application and clicks that link, the browser automatically sends the user's session identifier along with the request, and the attacker can place an order, change the password, and so on in the user's name. In another variant, the prepared link is used as the URL of an image on a web page, so the action is executed automatically as soon as the victim views that page.

This class of attacks cannot be avoided by accepting only POST for some requests: even POST requests can be sent automatically, or triggered by a click on a link. To prevent these attacks, include a security token in every state-changing request and verify it on the server, as the security extensions against session riding do. Another, better, plugin that includes such a security token in forms is csrf_killer.


To reject state-changing actions sent via GET, use the verify method in the controller. The example below allows remove_tasklist only over POST and redirects any other request to the list action:

verify :method => :post, :only => [ :remove_tasklist ],
       :redirect_to => { :action => :list }


Reader Comments (900)

Here's an example that forges a POST request:

http://shiflett.org/blog/2007/mar/my-amazon-anniversary

I don't think there are too many people who truly believe that requiring POST prevents CSRF. On the flip side, there are a growing number of cases where requests that don't perform actions are being forged for the purpose of information disclosure.

Glad to see a new web application security blog. Best of luck. :-)

April 20, 2007 | Unregistered Commenter Chris Shiflett

