[Catalyst] Re: REST - like uri design for CRUD

Aristotle Pagaltzis pagaltzis at gmx.de
Wed Jan 23 03:22:10 GMT 2008


* Peter Karman <peter at peknet.com> [2008-01-23 03:50]:
> In my apps, I do server-side auth checks to verify that users
> can't act on data they should not have access to.

Peter, meet XSRF. XSRF, meet Peter.

:-)

My point with `<img src="/foo/delete">` was that an attacker
tries to get an authenticated and authorised user to visit a
page which contains that tag.

Or maybe an authenticated and authorised user has software like
the Google Web Accelerator installed.

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>
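The mitigation implied by this exchange, written out as an added example (not code from the thread or from Catalyst itself): a state-changing action refuses GET outright, which is enough to defeat both the `<img src="/foo/delete">` trick and a prefetching proxy, and the remaining POST path additionally demands a token bound to the user's session, since a POST can still be forged by an auto-submitting form. The `Request` class, the `/item/<id>/delete` route and the secret are assumptions for the illustration.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed placeholder; a real deployment loads this from configuration.
SECRET = b"constructed-server-side-secret"


@dataclass
class Request:
    """Minimal stand-in for a framework request object (assumed, not Catalyst's)."""
    method: str
    path: str
    session_id: str                # the authenticated, authorised user's session
    form: dict = field(default_factory=dict)


def csrf_token(session_id: str) -> str:
    """Synchronizer token: an HMAC binding the token to the user's own session."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_ok(req: Request) -> bool:
    # Constant-time comparison against the token the app embedded in the user's form.
    return hmac.compare_digest(csrf_token(req.session_id), req.form.get("csrf_token", ""))


def handle(req: Request, items: dict) -> tuple:
    """Dispatch /item/<id> (read) and /item/<id>/delete (state change); assumed routes."""
    parts = req.path.strip("/").split("/")
    if len(parts) == 3 and parts[0] == "item" and parts[2] == "delete":
        # An <img src=...> or a prefetcher can only ever issue a GET, so a
        # state-changing action that refuses GET is out of their reach entirely.
        if req.method != "POST":
            return 405, "Method Not Allowed"
        # A POST can still be forged by an auto-submitting form on a hostile page,
        # so the server-side authz check alone is not enough: demand the token too.
        if not token_ok(req):
            return 403, "Forbidden: missing or mismatched CSRF token"
        if items.pop(parts[1], None) is None:
            return 404, "Not Found"
        return 200, "deleted"
    if len(parts) == 2 and parts[0] == "item" and req.method == "GET":
        return (200, items[parts[1]]) if parts[1] in items else (404, "Not Found")
    return 404, "Not Found"
```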