
* These are submitted with a form (over POST, hopefully) *

I don't think that the author implies that using POST prevents CSRFs, but the article seems to imply it. In case anyone thinks it is the case: using POST won't prevent a CSRF.

Cross Site Request Forgeries occur when a user opens an "evil" page on site B while being logged in on site A. If site A solely relies on cookies in order to identify logged-in users, there is a risk of CSRF. The attack exploits the fact that the user's browser will always send the auth cookies when issuing a request to site A. If the evil page on site B embeds an image (or script, or any resource that can be loaded using a URL) whose source is a URL on site A, the browser will request the resource on site A with the auth cookie coming along.

In order to issue a POST request to site A from the evil page, the attacker only has to submit a crafted POST form using an iframe.




> In order to issue a POST request to site A from the evil page, the attacker only has to submit a crafted POST form using an iframe.

Yes, but requiring POST for anything that changes anything (especially bank transfers) is a best practice anyway, for how all actors involved understand HTTP verbs, and reduces the surface area of attack.

You can create a POST with an iframe, but you can create a GET with an image tag: `<img src="http://mybank.com/transfer?...">`
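The point made by both comments above, as an added example that is not code from the thread or the article: a minimal Python simulation of site A's transfer handler, in which the session store, the three request shapes and the synchronizer-token check are all constructed here. The browser attaches the session cookie to every request bound for site A, so a handler that only checks for POST accepts a cross-site form submission exactly as it accepts a legitimate one; a per-session token that a page on site B cannot read is what tells them apart.

```python
import secrets
from dataclasses import dataclass, field

# Constructed session store: one logged-in user identified by a cookie value.
# The per-session token is the one secret a page on site B cannot read.
SESSIONS = {"sess-123": {"user": "alice", "csrf_token": secrets.token_hex(16)}}


@dataclass
class Request:
    """Just the parts of an HTTP request the handler checks."""
    method: str
    cookies: dict
    form: dict = field(default_factory=dict)


def transfer_method_only(req: Request) -> int:
    """Weak handler: requires POST and a valid session cookie, nothing else."""
    if req.method != "POST":
        return 405
    if req.cookies.get("session") not in SESSIONS:
        return 401
    return 200  # the transfer would execute here


def transfer_with_token(req: Request) -> int:
    """Hardened handler: also requires the session's synchronizer token in the body."""
    if req.method != "POST":
        return 405
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return 401
    supplied = req.form.get("csrf_token", "")
    if not secrets.compare_digest(supplied, session["csrf_token"]):
        return 403  # the cookie arrived automatically, but the token was not known
    return 200


# What site A receives in each case; the cookie is present regardless of
# which page caused the browser to send the request.
def cross_site_get() -> Request:
    """Shape of the request an <img> tag on site B causes."""
    return Request("GET", {"session": "sess-123"})

def cross_site_post() -> Request:
    """Shape of the request a form auto-submitted in an iframe causes: cookie, no token."""
    return Request("POST", {"session": "sess-123"}, {"to": "acct-999", "amount": "100"})

def same_site_post() -> Request:
    """Shape of the request site A's own form causes: the token was rendered into the page."""
    form = {"to": "acct-999", "amount": "100", "csrf_token": SESSIONS["sess-123"]["csrf_token"]}
    return Request("POST", {"session": "sess-123"}, form)
```

Requiring POST still blocks the `<img>` variant (405), which is why it remains worth doing; it just is not a CSRF defence on its own.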


I updated the post to point this out.



