
"It's expected that I can send you a link to facebook.com. But it's not okay if I can send you a link that immediately deletes your account."


Isn't this easily mitigated by making all requests that change state (update data in any way) POST requests?


No. Check out the example in the article, an attacker can make your browser submit a form with a POST request using JavaScript.

It's slightly harder to exploit, as the attacker can't just send you a link to facebook.com, but they can send you a link to example.com which has the form and uses JavaScript to submit the form.


The way CSRF works is that I put a form on evil.com that submits to example.com. If there's no CSRF protection, example.com will accept that form submission as if it had actually come from a page on example.com. GET/POST has nothing to do with it.


<form method=POST action=FACEBOOK><input name=DELETEMYACCOUNT></form>

<script>document.forms[0].submit();</script>

(The above code may contain bugs.)
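As an added illustration of the point made in the thread (not code from any commenter), here is what server-side CSRF protection looks like for a state-changing POST handler. The `request` dict, the session store and the site name `https://example.com` are constructed stand-ins for a real framework's objects; an unprotected handler is shown beside the protected one so the difference is visible.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed in-memory session store: session id -> per-session CSRF token.
SESSIONS = {}

def new_session():
    """Create a logged-in session and mint a random token bound to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid

def csrf_token_for(sid):
    """Token the site embeds in its own forms; evil.com cannot read it (same-origin policy)."""
    return SESSIONS[sid]

def delete_account_unprotected(request):
    """POST-only, cookie-authenticated, but no CSRF check: the auto-submitted
    form from evil.com carries the victim's cookie and is accepted."""
    if request["method"] != "POST":
        return 405, "method not allowed"
    if request["cookies"].get("session") not in SESSIONS:
        return 401, "no session"
    return 200, "account deleted"

def delete_account_protected(request, allowed_origin="https://example.com"):
    """Same handler with two independent CSRF defences."""
    if request["method"] != "POST":
        return 405, "method not allowed"
    sid = request["cookies"].get("session")
    if sid not in SESSIONS:
        return 401, "no session"
    # Defence 1: browsers attach an Origin header to cross-site form POSTs;
    # a foreign origin (or Referer, as a fallback) is rejected outright.
    origin = request["headers"].get("Origin") or request["headers"].get("Referer")
    if origin is not None:
        o = urlparse(origin)
        if f"{o.scheme}://{o.netloc}" != allowed_origin:
            return 403, "cross-origin request rejected"
    # Defence 2: synchronizer token. The attacker's form cannot include the
    # session's token, so it fails here even if no Origin header was sent.
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, SESSIONS[sid]):
        return 403, "missing or bad csrf token"
    return 200, "account deleted"
```

Framework-level middleware (Django's CsrfViewMiddleware, Rails' protect_from_forgery, etc.) implements the same token check; the point is that it must be applied, because the POST method alone proves nothing about where the request came from.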



