GET urls with side effects can be a security problem.

For example, imagine the following URLs:

paymoney?user=joe&amount=3000.0
deleteSomething?file=important.xls

Now, if those URLs are protected by a login system, only people who log in can use them, right?

Nope. It is easy enough to trick someone into visiting a web page that makes their browser request those URLs. If that person is logged in at the time, the action happens. They can be tricked with an img or frame tag, a redirect, or any other HTML, HTTP, Flash or JavaScript feature that makes the browser fetch a URL.

This is because, as far as a web browser is concerned, it is fine for a page to include or link to elements on other sites; that is the whole point of hyperlinking. The browser sends the user's cookies for the target site along with every such request, no matter who wrote the page that triggered it.

In this way your well crafted page borrows the authorization of whoever views it. You can now delete files as someone else, or pay any amount of money you want to anyone, whatever the badly designed GET URLs allow you to do.

This can even be done with POST, for example by having the page submit a hidden form with JavaScript. However it's a little harder.

So lay off GETs with side effects.

This problem is called cross-site request forgery (CSRF).
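As an added example (not code from the post), here is a toy version of both sides: the attacker's page that fires the two URLs above from the victim's browser, and a minimal server-side handler that can be run either as badly designed as the post describes or with the fix (no side effects on GET, and a per-session token that a cross-site page cannot read). PayService, forged_page, the balances and the file name are hypothetical, and the session cookie is passed in as a plain argument to stand in for the browser attaching it to the request.

```python
import hmac
import secrets


def forged_page(target_origin: str) -> str:
    """HTML the attacker hosts. Loading it makes the victim's browser issue
    both requests from the post, with the victim's session cookie attached:
    an <img> for the GET, and a hidden form that JavaScript submits for the
    POST. target_origin is the victim site, e.g. "https://bank.example"."""
    return (
        "<html><body>\n"
        f'<img src="{target_origin}/paymoney?user=joe&amount=3000.0" width="1" height="1">\n'
        f'<form id="f" method="POST" action="{target_origin}/deleteSomething">\n'
        '  <input type="hidden" name="file" value="important.xls">\n'
        "</form>\n"
        '<script>document.getElementById("f").submit();</script>\n'
        "</body></html>\n"
    )


class PayService:
    """Toy server side of the two URLs (hypothetical). check_csrf=False
    reproduces the badly designed site from the post; check_csrf=True is the fix."""

    def __init__(self, check_csrf=True):
        self.check_csrf = check_csrf
        self.balances = {"alice": 5000.0, "joe": 0.0}  # constructed sample data
        self.files = {"important.xls"}                 # constructed sample data
        self.sessions = {}                             # session id -> session dict

    def login(self, user):
        sid = secrets.token_urlsafe(32)
        # One random synchronizer token per session. The real site embeds it in
        # its forms; a page on another site cannot read it.
        self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def csrf_token(self, sid):
        return self.sessions[sid]["csrf"]

    def handle(self, method, path, params, cookie_sid):
        """Returns (status, message). cookie_sid is whatever session cookie the
        browser attached, which it does for cross-site requests too."""
        session = self.sessions.get(cookie_sid)
        if session is None:
            return 401, "login required"
        if self.check_csrf:
            # 1. Side effects never ride on GET, so <img>, <a> and redirects are harmless.
            if method != "POST":
                return 405, "state-changing actions require POST"
            # 2. Every POST must carry the session's token; compare in constant time.
            supplied = params.get("csrf", "").encode()
            if not hmac.compare_digest(supplied, session["csrf"].encode()):
                return 403, "missing or bad CSRF token"
        actor = session["user"]
        if path == "/paymoney":
            amount = float(params["amount"])
            if amount <= 0 or self.balances[actor] < amount:
                return 400, "bad amount"
            self.balances[actor] -= amount
            self.balances[params["user"]] = self.balances.get(params["user"], 0.0) + amount
            return 200, f"{actor} paid {params['user']} {amount}"
        if path == "/deleteSomething":
            self.files.discard(params["file"])
            return 200, f"deleted {params['file']}"
        return 404, "no such action"


if __name__ == "__main__":
    bad = PayService(check_csrf=False)
    sid = bad.login("alice")
    # The <img> in forged_page() causes exactly this request, cookie included.
    print(bad.handle("GET", "/paymoney", {"user": "joe", "amount": "3000.0"}, sid))
    good = PayService()
    sid = good.login("alice")
    print(good.handle("GET", "/paymoney", {"user": "joe", "amount": "3000.0"}, sid))
    print(good.handle("POST", "/deleteSomething", {"file": "important.xls"}, sid))
```

With check_csrf=False the forged GET moves 3000.0 from alice to joe because the cookie alone authorizes it. With the fix, the same GET is refused outright, the auto-submitted POST is refused because it cannot carry the token, and only a form rendered by the real site (which knows the token) succeeds. The two checks are independent: rejecting GET stops the cheap img/link tricks, and the token stops the hidden-form POST.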

Melbourne Web Developer Written by a Melbourne web developer. Available for your projects - php, mysql, e commerce, javascript, CMS, css, flash, actionscript, python, games, postgresql, xml.

Comments

Steve said…
For more details G**gle for "cross-site scripting" or XSS
