Cross-Site Request Forgeries

By Deane Barker on October 22, 2006

Cross-Site Request Forgeries: An interesting article about a vulnerability that’s probably present in a lot of apps.

[…] cross-site request forgeries, a style of attack that lets an attacker send arbitrary HTTP requests from a victim user. That’s worth reading a couple of times, and it will likely not be until you’ve seen your first example attack that you can fully understand or appreciate the danger.

If you think about it, you can make anyone send a GET request anywhere. Just put an IMG tag in your HTML with the required URL.

There’s no rule that the SRC attribute has to point to an image. As the article suggests, it could point to a page that triggers the purchase of a thousand shares of stock. If the user loads the page, they send the request for that image automatically. Find a another site that they have an account on, and you could cause some mayhem.

Another reason to use POST for stuff, instead of GET. Blend has a policy of using POST for anything that changes data. GET is just for retrieving data.

Additonally, this article makes the point that you should explicitly check the POST instead of the more general REQUEST. So, in PHP:

$Value = $_POST['key'];

In ASP:

Value = Request.Form("Key")

Both languages have a general “request” object that will take the value from the GET or POST, depending on where it exists. This means that you’re letting the users substitute GET for POST, which isn’t a decision they should get to make.

Gadgetopia