GET urls with side effects can be a security problem.
GET urls with side effects can be a security problem. For example, imagine the following urls: paymoney?user=joe&amount=3000.0 deleteSomething?file=important.xls Now if those urls are protected by a login system, then only those who login can use them right? Nope. It is easy enough to trick someone into visiting a web page so that those urls are called by their web browser. If that person is logged in when they are tricked, then the action happens. A person can be tricked either by using img, frame, redirect or some other tags or http/html/flash/javascript features. This is because according to a web browser it is ok to include or link to elements on other pages. In fact that's the whole point of hyper linking. In this way it uses the authorization of person viewing your well crafted page. You can now create a page so that you can delete files as someone else, or pay any amount of money you want to anyone. Whatever the badly designed GET urls allow you to do. This can eve...