[Catalyst] Re: how to confirm before deleting

Aristotle Pagaltzis pagaltzis at gmx.de
Thu Jan 22 23:48:22 GMT 2009


* Carl Johnstone <catalyst at fadetoblack.me.uk> [2009-01-22 12:55]:
> Aristotle Pagaltzis wrote:
> >     <img src="http://yourapp.example.org/addressbook/delete/all">
> >
> > into a page they control and then send a link to that page to
> > your users. If you allow destructive actions on GET, you have
> > just allowed for your users to be screwed over through no
> > fault of their own.
>
> Note that using POST rather than GET doesn't protect you from
> this specific problem - it's still possible to form a CSRF
> request with a POST action.

Yeah, but POST-based CSRF isn’t as cheap – you have to trick the
visitor into clicking a button or you have to set up the CSRF
attack in a place where you can put Javascript in the page. This
means you have to put some effort into it.

Exploiting non-idempotent-GET-based CSRF is extremely cheap. It
is so cheap that any prankster can do it within 2 minutes. A
comment on a weblog that allows images in comments will do. A
comment on a LiveJournal posting will do. Shrouding the URL with
TinyURL or other shortening services and posting it to Twitter
or IRC will do. And on and on.

Avoiding GET for non-idempotent actions doesn’t make it difficult
to launch CSRF attacks, but it drastically reduces the number of
venues that can serve as attack vectors, and so excludes most
random pranksters from the pool of potential attackers. It also
avoids a lot of potential for accidental data loss due to various
kinds of programmatic agents. It’s just good web app hygiene.

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>
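The two points made in the exchange above, as an added example that is not code from the thread or from Catalyst: a minimal request dispatcher that (a) refuses destructive actions on anything but POST, which shuts out the `<img src=...>` vector, and (b) still demands a per-session CSRF token on the POST, because, as Carl notes, a cross-site auto-submitting form can POST just as well. The `/addressbook/delete/all` path comes from the quoted message; the `Request` model, the cookie name `session`, the HMAC-derived token scheme and the three sample requests are constructed for illustration. The cross-site requests carry the victim's session cookie, since a 2009-era browser attached cookies to any request regardless of where the page came from.

```python
"""Added example: GET/POST hygiene plus a CSRF token, modelled on the
Catalyst thread's discussion. Not the project's code; names are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumption: a per-deployment secret; in a real app this lives in config.
SERVER_SECRET = secrets.token_bytes(32)

# Paths whose effect is not idempotent (taken from the quoted message).
DESTRUCTIVE_PATHS = {"/addressbook/delete/all"}

# What an attacker would need to plant, for comparison (constructed samples).
ATTACKER_IMG = '<img src="http://yourapp.example.org/addressbook/delete/all">'
ATTACKER_FORM = (
    '<form id="f" method="POST" action="http://yourapp.example.org/addressbook/delete/all">'
    '</form><script>document.getElementById("f").submit()</script>'
)


@dataclass
class Request:
    """Just enough of an HTTP request to exercise the checks."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)  # sent by the browser automatically
    form: dict = field(default_factory=dict)     # only present for POST bodies


def csrf_token(session_id: str) -> str:
    """Token bound to the session; an attacker's page cannot read it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def dispatch(req: Request) -> tuple[int, str]:
    """Return (status, body). Destructive paths require POST and a valid token."""
    if req.path not in DESTRUCTIVE_PATHS:
        return 200, "ok"
    if req.method != "POST":
        # Blocks the <img>/link/shortener vector: a GET can never delete.
        return 405, "destructive action requires POST"
    session_id = req.cookies.get("session")
    if session_id is None:
        return 401, "no session"
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(csrf_token(session_id), supplied):
        # Blocks the cross-site auto-submitted form: it has no token to send.
        return 403, "missing or invalid CSRF token"
    return 200, "address book deleted"


def run_samples() -> dict[str, int]:
    """Dispatch three constructed requests and return their status codes."""
    victim_cookie = {"session": "sess-1234"}  # constructed session id
    img_get = Request("GET", "/addressbook/delete/all", cookies=victim_cookie)
    cross_site_post = Request("POST", "/addressbook/delete/all",
                              cookies=victim_cookie, form={})
    same_site_post = Request("POST", "/addressbook/delete/all",
                             cookies=victim_cookie,
                             form={"csrf_token": csrf_token("sess-1234")})
    return {
        "img_get": dispatch(img_get)[0],            # 405
        "cross_site_post": dispatch(cross_site_post)[0],  # 403
        "same_site_post": dispatch(same_site_post)[0],    # 200
    }


if __name__ == "__main__":
    for name, status in run_samples().items():
        print(f"{name}: {status}")
```

The first check alone is what the message argues for: it removes every venue where an attacker can only place an image or a link. The second check is why Carl's caveat still matters; `hmac.compare_digest` is used for the token comparison so the check does not leak timing information.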