Friday, October 20, 2006

GET urls with side effects can be a security problem.


For example, imagine the following urls:


Now, if those urls are protected by a login system, only people who log in can use them, right?

Nope. It is easy enough to trick someone into visiting a web page that makes their browser request those urls. If that person is logged in at the time, the action happens. The trick can be an img or frame tag, a redirect, or any other HTML, HTTP, Flash or JavaScript feature that makes the browser fetch a url.

This works because, as far as a web browser is concerned, it is fine for a page to include or link to elements on other sites. In fact, that is the whole point of hyperlinking.

In this way the crafted page borrows the authorization of the person viewing it: it can delete files as that person, or pay any amount of money to anyone, whatever the badly designed GET urls allow.

This can even be done with POST, though it is a little harder.

So lay off the GETs with side effects.

This problem is called cross-site request forgery (CSRF).
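To make the point concrete, here is an added example (my own code, not from this post): a toy server-side handler for a "delete a file" url, first in the badly designed form the post describes (a GET that performs the deletion as soon as the session cookie checks out), then hardened so that the side effect only happens on a POST carrying a per-session CSRF token that the server renders into its own form and a third-party page cannot read. The user, session id, file names and the `Request` class are all constructed for the demo; the only thing the "forged" requests model is what the victim's browser sends when another page embeds the url, which is exactly the situation in the text.

```python
"""Constructed example: a GET endpoint with a side effect that a forged
cross-site request can trigger, beside a hardened version that requires
POST plus a per-session CSRF token. Not the blog post's own code."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as the server sees it."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)  # attached by the browser automatically
    query: dict = field(default_factory=dict)    # ?name=... parameters
    form: dict = field(default_factory=dict)     # POST body fields


def make_state():
    """Fresh server state: one logged-in user (constructed) with two files
    and a random CSRF token bound to the session."""
    return {
        "sessions": {"sess-alice": {"user": "alice", "csrf": secrets.token_hex(16)}},
        "files": {"alice": {"report.pdf", "notes.txt"}},
    }


def current_user(state, req):
    session = state["sessions"].get(req.cookies.get("session"))
    return session["user"] if session else None


def vulnerable_delete(state, req):
    """The post's 'badly designed GET url': login is checked, but nothing ties
    the request to the site's own page, so any page that makes the victim's
    browser fetch /delete?name=report.pdf is enough."""
    user = current_user(state, req)
    if user is None:
        return 401, "login required"
    name = req.query.get("name", "")
    state["files"][user].discard(name)
    return 200, f"deleted {name}"


def hardened_delete(state, req):
    """Side effect only on POST, and only with the session's CSRF token."""
    user = current_user(state, req)
    if user is None:
        return 401, "login required"
    if req.method != "POST":
        return 405, "POST required"
    expected = state["sessions"][req.cookies["session"]]["csrf"]
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, expected):  # constant-time comparison
        return 403, "missing or wrong csrf token"
    name = req.form.get("name", "")
    state["files"][user].discard(name)
    return 200, f"deleted {name}"


VICTIM_COOKIES = {"session": "sess-alice"}  # the browser sends these on every request


def forged_get():
    """What the browser sends when another page embeds the GET url:
    the session cookie goes along, the victim's intent does not."""
    return Request("GET", "/delete", cookies=dict(VICTIM_COOKIES), query={"name": "report.pdf"})


def forged_post():
    """An auto-submitted form from another site: cookies attached, but the
    other site has no way to learn the token."""
    return Request("POST", "/delete", cookies=dict(VICTIM_COOKIES), form={"name": "report.pdf"})


def legitimate_post(state):
    """The site's own delete form, which carries the session's token."""
    token = state["sessions"]["sess-alice"]["csrf"]
    return Request("POST", "/delete", cookies=dict(VICTIM_COOKIES),
                   form={"name": "report.pdf", "csrf_token": token})


def run_demo():
    """Returns status codes and the victim's remaining files for each case."""
    results = {}
    s = make_state()
    results["vulnerable_forged_get"] = vulnerable_delete(s, forged_get())[0]
    results["vulnerable_files_left"] = sorted(s["files"]["alice"])
    s = make_state()
    results["hardened_forged_get"] = hardened_delete(s, forged_get())[0]
    results["hardened_forged_post"] = hardened_delete(s, forged_post())[0]
    results["hardened_files_after_forgeries"] = sorted(s["files"]["alice"])
    results["hardened_legit_post"] = hardened_delete(s, legitimate_post(s))[0]
    results["hardened_files_after_legit"] = sorted(s["files"]["alice"])
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running it shows the two halves of the argument: the vulnerable handler deletes `report.pdf` on the forged GET because the session cookie alone satisfies it, while the hardened handler answers 405 to the forged GET, 403 to the forged POST (cookie present, token absent), and only performs the deletion for the site's own form, which is the one place the token is available. Refusing side effects on GET is the first step the post asks for; the token is what closes the POST case it mentions.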

Melbourne Web Developer Written by a Melbourne web developer. Available for your projects - php, mysql, e commerce, javascript, CMS, css, flash, actionscript, python, games, postgresql, xml.


Steve said...

For more details G**gle for "cross-site scripting" or XSS

Luke Plant said...

No, this is known as 'Cross Site Request Forgery'. And making GET requests side effect free is only the first step -- it is not hard to create POST forms that access another site.

FYI, Django comes with a middleware that makes adding CSRF protection trivially easy.

Janko M. said...

hm... I never thought seriously about this... thanks for making me think...